Credit:
The information has been provided by Nahuel Riva.
The original article can be found at: http://www.coresecurity.com/content/symantec-intel-handler-service-remote-dos
Vulnerable Systems:
* Symantec Antivirus Corporate Edition 10.1.4.4010 (Windows 2000 SP4).
Immune Systems:
* Symantec Antivirus Corporate Edition 11.x
The Intel Alert Handler service (hndlrsvc.exe) fails to correctly process the 'CommandLine' field of an AMS request. The source address of a MOV instruction is computed from values taken from the request, so a crafted request crashes the service (a remote denial of service). The request is handled in prgxhndl.dll, which is called from hndlrsvc.exe, specifically from the function at 0x501A105D. Inside that function, GetStringAMSHandler() is called to parse the content of the 'CommandLine' field. GetStringAMSHandler() in turn forwards the request to export AMSLIB.18 in AMSLIB.dll, which ends up calling the function that crashes, AMSGetPastParamList(), also in AMSLIB.dll. The crash occurs at address 0x5007278B.
At that address the code reads from the memory pointed to by EAX; the pointer is invalid, so the read faults and the service crashes. This part of the code parses, inside a loop, the argument passed in the 'CommandLine' parameter, and at several points in the loop the pointer loaded from [EBP-10] appears to be derived from a value present in the request. Because the service never checks that such a derived pointer still lies inside the received request, an attacker who controls the request controls where the service reads.
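The shape of the bug, as an added illustration that is neither Core Security's proof of concept nor code from the Symantec binaries: a parser walks a parameter list whose element offsets are taken straight from the request, so the pointer it forms is attacker-controlled. The request layout below (a 16-bit count followed by a table of 16-bit string offsets) is an assumption made for the example, not the real AMS wire format, and the sample requests are constructed. The unchecked parser reproduces the failure mode described above (a wild pointer dereferenced inside the parsing loop); the checked parser beside it rejects any offset that would leave the buffer or any string that is not terminated inside it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout (assumed for this example, not the real AMS format):
 *   bytes 0..1      : count  (uint16 LE) number of parameters
 *   bytes 2..2+2n-1 : off[i] (uint16 LE) offset of each NUL-terminated string,
 *                     measured from the start of the request
 *   remainder       : string data
 * Every offset is attacker-controlled, which is exactly the property that makes
 * the pointer computed inside the parsing loop unsafe. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable parser: the pointer into the request is formed from a
 * request-supplied offset with no bounds check. A large offset makes 'p'
 * point outside the buffer and strlen() faults, i.e. a remote DoS. */
long count_param_chars_unchecked(const uint8_t *req, size_t len) {
    uint16_t n = rd16(req);
    long total = 0;
    (void)len;                                      /* never consulted: the bug */
    for (uint16_t i = 0; i < n; i++) {
        const char *p = (const char *)req + rd16(req + 2 + 2 * i);
        total += (long)strlen(p);                   /* faults on a wild pointer */
    }
    return total;
}

/* Hardened parser: every derived pointer must land inside [req, req+len),
 * and every string must be NUL-terminated inside the buffer. Returns the
 * total number of parameter characters, or -1 for a malformed request. */
long count_param_chars_checked(const uint8_t *req, size_t len) {
    if (len < 2) return -1;
    uint16_t n = rd16(req);
    size_t table_end = 2 + (size_t)n * 2;           /* size_t: no 16-bit wrap */
    if (table_end > len) return -1;                 /* offset table overruns request */
    long total = 0;
    for (uint16_t i = 0; i < n; i++) {
        size_t off = rd16(req + 2 + 2 * i);
        if (off >= len) return -1;                  /* pointer would leave the buffer */
        const uint8_t *nul = memchr(req + off, 0, len - off);
        if (nul == NULL) return -1;                 /* unterminated string */
        total += (long)(nul - (req + off));
    }
    return total;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t GOOD_REQ[] = { 0x02,0x00, 0x06,0x00, 0x0B,0x00,
                                    's','c','a','n',0x00, '-','v',0x00 };
static const uint8_t BAD_OFFSET_REQ[] = { 0x01,0x00, 0xF0,0xFF, 'x',0x00 };  /* off = 0xFFF0 */
static const uint8_t BAD_COUNT_REQ[]  = { 0xFF,0x7F, 0x00,0x00 };            /* 32767 params */
static const uint8_t NO_NUL_REQ[]     = { 0x01,0x00, 0x04,0x00, 'a','b' };   /* no terminator */

int main(void) {
    printf("good, unchecked: %ld\n", count_param_chars_unchecked(GOOD_REQ, sizeof GOOD_REQ));
    printf("good, checked:   %ld\n", count_param_chars_checked(GOOD_REQ, sizeof GOOD_REQ));
    printf("bad offset:      %ld\n", count_param_chars_checked(BAD_OFFSET_REQ, sizeof BAD_OFFSET_REQ));
    printf("bad count:       %ld\n", count_param_chars_checked(BAD_COUNT_REQ, sizeof BAD_COUNT_REQ));
    printf("no NUL:          %ld\n", count_param_chars_checked(NO_NUL_REQ, sizeof NO_NUL_REQ));
    /* count_param_chars_unchecked(BAD_OFFSET_REQ, ...) would read about 64 KB past
     * the buffer and most likely crash the process: that is the DoS. Not called here. */
    return 0;
}
```

Both parsers agree on a well-formed request; only the checked one survives the three malformed ones. The count is widened to size_t before computing the table size so that a large count cannot wrap a 16-bit arithmetic result back into range, and memchr is used instead of strlen so that the terminator search itself is bounded by the request length.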
Workaround:
The only workaround is to disable Intel AMS.
CVE Information:
CVE-2010-3268
Disclosure Timeline:
Date published: 2010-12-13
Date of last update: 2010-12-13