CVE-2010-0111

Symantec AntiVirus Corporate Edition < 10.1 MR10 - Remote Code Execution via UNC Share Pathname

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-0111. PoCs published by MC, including Metasploit module exploits/windows/antivirus/ams_hndlrsvc.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in Symantec System Center Alert Management System (hndlrsvc.exe) by sending a maliciously crafted packet to execute arbitrary commands or deliver a payload via TFTP.

Description

HDNLRSVC.EXE in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allows remote attackers to execute arbitrary programs by sending msgsys.exe a UNC share pathname, which is used directly in a CreateProcessA (aka CreateProcess) call.

Exploits (1)

metasploit · WORKING POC · EXCELLENT
by MC · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/ams_hndlrsvc.rb

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec AntiVirus Corporate Edition 8.0 - 10.1.7
No auth needed
Prerequisites: Network access to the target on port 38292 · TFTP server for payload delivery if not using direct command execution
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/43099
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-11-029
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/64943
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/43106
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/64942
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/45935
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0234
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1024997

Scores

EPSS 0.3452
EPSS Percentile 98.2%

Details

CWE: CWE-20
Status: published
Products (30)
symantec/antivirus 10.0 (3 CPE variants)
symantec/antivirus 10.0.1
symantec/antivirus 10.0.1.1
symantec/antivirus 10.0.1.2
symantec/antivirus 10.0.2
symantec/antivirus 10.0.2.1
symantec/antivirus 10.0.2.2
symantec/antivirus 10.0.3
symantec/antivirus 10.0.4
symantec/antivirus 10.0.5
... and 20 more
Published Jan 31, 2011
Tracked Since Feb 18, 2026