CVE-2010-0110 – Symantec AMS Intel Alert Service AMSSendAlertAct Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-0110
Multiple stack-based buffer overflows in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allow remote attackers to execute arbitrary code via (1) a long string to msgsys.exe, related to the AMSSendAlertAct function in AMSLIB.dll in the Intel Alert Handler service (aka Symantec Intel Handler service); a long (2) modem string or (3) PIN number to msgsys.exe, related to pagehndl.dll in the Intel Alert Handler service; or (4) a message to msgsys.exe, related to iao.exe in the Intel Alert Originator service. Múltiples desbordamientos de búfer basados en pila en Intel Alert Management System (también conocido como AMS o AMS2), como es usado en Symantec AntiVirus Corporate Edition (SAVCE) v10.x anterior a v10.1 MR10, Symantec System Center (SSC) v10.x,y Symantec Quarantine Server v3.5 y v3.6, permite a atacantes remotos ejecutar código de su elección a través de (1) una cadena larga para msgsys.exe, relacionada con la función AMSSendAlertAct en AMSLIB.dll en el servicio Intel Alert Handler (también conocido como servicio Symantec Intel Handler); una larga (2)cadena modem o (3) número PIN para msgsys.exe, relacionado con pagehndl.dll en el servicio Intel Alert Handler; o (4) un mensaje para msgsys.exe, relacionado con iao.exe en el servicio Intel Alert Originator . This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Alert Management System. Authentication is not required to exploit this vulnerability. The specific flaw exists within the AMSLIB.dll module while processing data sent from the msgsys.exe process which listens by default on TCP port 38292. The DLL allocates a fixed length stack buffer and subsequently copies a user-supplied string using memcpy without validating the size. • http://secunia.com/advisories/43099 http://secunia.com/advisories/43106 http://securitytracker.com/id?1024996 http://www.securityfocus.com/bid/45936 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00 http://www.vupen.com/english/advisories/2011/0234 http://www.zerodayinitiative.com/advisories/ZDI-11-028 http://www.zerodayinitiative.com/advisories/ZDI-11-030 http://www.zerodayinitiative.com/advisories/ZDI-11-0 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2010-0111 – Symantec Intel Alert Originator Service iao.exe Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-0111
HDNLRSVC.EXE in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allows remote attackers to execute arbitrary programs by sending msgsys.exe a UNC share pathname, which is used directly in a CreateProcessA (aka CreateProcess) call. HDNLRSVC.EXE en el servicio Intel Alert Handler (también conocido como servicio Symantec Intel Handler) en Intel Alert Management System (también conocido como AMS o AMS2) como el utilizado en Symantec AntiVirus Corporate Edition (SAVCE) v10.x anterior a v10.1 MR10, Symantec System Center (SSC) v10.x, y Symantec Quarantine Server v3.5 y v3.6, permite a atacantes remotos ejecutar programas de su eleeción enviando msgsys.exe a una ruta de acceso compartido UNC que es usada directamente en la llamada CreateProcessA (también conocido como CreateProcess). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of multiple Symantec products. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Intel Alert Originator (iao.exe) service. While processing messages sent from the msgsys.exe process a size check can be bypassed and a subsequent stack-based buffer overflow can be triggered. • http://secunia.com/advisories/43099 http://secunia.com/advisories/43106 http://securitytracker.com/id?1024997 http://www.securityfocus.com/bid/45935 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_01 http://www.vupen.com/english/advisories/2011/0234 http://www.zerodayinitiative.com/advisories/ZDI-11-029 https://exchange.xforce.ibmcloud.com/vulnerabilities/64942 https://exchange.xforce.ibmcloud.com/vulnerabilities/649 • CWE-20: Improper Input Validation •
CVE-2010-3268
https://notcve.org/view.php?id=CVE-2010-3268
The GetStringAMSHandler function in prgxhndl.dll in hndlrsvc.exe in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (AMS), as used in Symantec Antivirus Corporate Edition 10.1.4.4010 on Windows 2000 SP4 and Symantec Endpoint Protection before 11.x, does not properly validate the CommandLine field of an AMS request, which allows remote attackers to cause a denial of service (application crash) via a crafted request. La función GetStringAMSHandler en prgxhndl.dll en hndlrsvc.exe en Intel Alert Handler service (conocido como Symantec Intel Handler service) en Intel Alert Management System (AMS), como el usado en Symantec Antivirus Corporate Edition v10.1.4.4010 en Windows 2000 SP4 y Symantec Endpoint Protection anterior v11.x, no valida adecuadamente el campo CommandLine de una petición AMS, lo que permite a atacantes remotos causar una denegación de servicio (caída aplicación) a través de peticiones manipuladas. • http://secunia.com/advisories/42593 http://secunia.com/advisories/43099 http://www.coresecurity.com/content/symantec-intel-handler-service-remote-dos http://www.securityfocus.com/archive/1/515191/100/0/threaded http://www.securityfocus.com/bid/45936 http://www.securitytracker.com/id?1024866 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00 http://www.vupen.com/english/advisories/2010/3206 http://www.vu • CWE-20: Improper Input Validation •
CVE-2010-0106
https://notcve.org/view.php?id=CVE-2010-0106
The on-demand scanning in Symantec AntiVirus 10.0.x and 10.1.x before MR9, AntiVirus 10.2.x, and Client Security 3.0.x and 3.1.x before MR9, when Tamper protection is disabled, allows remote attackers to cause a denial of service (prevention of on-demand scanning) via "specific events" that prevent the user from having read access to unspecified resources. El escaneo bajo demanda en Symantec AntiVirus v10.0.x y v10.1.x anterior a MR9, AntiVirus v10.2.x, Client Security v3.0.x y v3.1.x anterior a MR9 y Endpoint Protection v11.x, cuando la protección de manipulación está desactivado, permite a atacantes remotos provocar una denegación de servicio (prevención de escaneo bajo demanda) a través de "eventos concretos" que impiden que el usuario tenga acceso de lectura a recursos no especificados. • http://osvdb.org/62414 http://secunia.com/advisories/38653 http://www.securityfocus.com/bid/38219 http://www.securitytracker.com/id?1023621 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_00 http://www.vupen.com/english/advisories/2010/0410 https://exchange.xforce.ibmcloud.com/vulnerabilities/56354 •
CVE-2010-0108 – Symantec (Multiple Products) - Client Proxy ActiveX 'CLIproxy.dll' Remote Overflow
https://notcve.org/view.php?id=CVE-2010-0108
Buffer overflow in the cliproxy.objects.1 ActiveX control in the Symantec Client Proxy (CLIproxy.dll) in Symantec AntiVirus 10.0.x, 10.1.x before MR9, and 10.2.x before MR4; and Symantec Client Security 3.0.x and 3.1.x before MR9 allows remote attackers to execute arbitrary code via a long argument to the SetRemoteComputerName function. Desbordamiento de búfer en un control ActiveX en el proxy de cliente de Symantec (CLIproxy.dll) en Symantec AntiVirus v10.0.x, v10.1.x anterior a MR9 y v10.2.x anterior a MR4 y Symantec Client Security v3.0.x y v3.1.x anterior a MR9 podría permitir a atacantes remotos ejecutar código arbitrario a través de vectores desconocidos relacionados con un proxy. • https://www.exploit-db.com/exploits/33642 http://dsecrg.com/pages/vul/show.php?id=139 http://secunia.com/advisories/38651 http://www.securityfocus.com/archive/1/509681/100/0/threaded http://www.securityfocus.com/bid/38222 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02 http://www.vupen.com/english/advisories/2010/0412 https://exchange.xforce.ibmcloud.com/vulnerabilities/56355 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •