Immunity, Inc.
Name wp_symantec_ams_hdnlrsvc_createprocess
CVE CVE-2010-0111
Exploit Pack White_Phosphorus
Description: Symantec AMS Intel Alert Handler HDNLRSVC CreateProcess Remote Code Execution
Notes:
References: http://www.zerodayinitiative.com/advisories/ZDI-11-029/
CVE Name: CVE-2010-0111
VENDOR: Symantec
Notes:
The vulnerability exists in HDNLRSVC.EXE - the Intel Handler service of the Intel Alert
Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE)
10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5
and 3.6.

This exploit allows remote attackers to execute arbitrary programs by sending MsgSys.exe
a specially crafted UDP packet that is passed to HDNLRSVC.EXE and used in a CreateProcess
call.

The maxlen for the exploit payload buffer is 122 bytes, but to ensure reliability use the
TCP ConnectBack payload or restrict Execute Commands to <= 64 bytes.

The time taken for HDNLRSVC.EXE to call CreateProcess may vary, as may the number
of times it is called. This can result in a delay of a minute or more and in multiple connectback nodes.

The TCP ConnectBack payload is provided over SMB from a malicious SMB server that is spawned by the exploit.
Windows users must disable the native Windows SMB server before running the module. On Windows 7
this is achieved by disabling the 'Server' and 'TCP/IP NetBIOS Helper' services and rebooting the
OS.

Repeatability: Unlimited
Date public: 2010-06-12
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0111
CVSS: 10.0

Learn more about the CANVAS Exploit Pack here: White_Phosphorus