| Field | Value |
|---|---|
| Name | wp_symantec_ams_hdnlrsvc_createprocess |
| CVE | CVE-2010-0111 |
| Exploit Pack | White_Phosphorus |
| Description | Symantec AMS Intel Alert Handler HDNLRSVC CreateProcess Remote Code Execution |
| References | http://www.zerodayinitiative.com/advisories/ZDI-11-029/ |
| CVE Name | CVE-2010-0111 |
| Vendor | Symantec |
| Notes | The vulnerability exists in HDNLRSVC.EXE, the Intel Handler service of the Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6. This exploit allows remote attackers to execute arbitrary programs by sending MsgSys.exe a specially crafted UDP packet that is passed to HDNLRSVC.EXE and used in a CreateProcess call. The maximum length of the exploit payload buffer is 122 bytes, but to ensure reliability use the TCP ConnectBack payload or restrict Execute Commands to <= 64 bytes. The time HDNLRSVC.EXE takes to call CreateProcess may vary, as does the number of times it is called; this may result in a delay of a minute or more and in multiple connectback nodes. The TCP ConnectBack payload is served over SMB from a malicious SMB server that is spawned by the exploit. Windows users must disable the native Windows SMB server before running the module; on Windows 7 this is achieved by disabling the 'Server' and 'TCP/IP NetBIOS Helper' services and rebooting the OS. |
| Repeatability | Unlimited |
| Date public | 2010-06-12 |
| CVE URL | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0111 |
| CVSS | 10.0 |

Learn more about the CANVAS Exploit Pack here: White_Phosphorus