CVE-2016-2202 – Symantec Management Agent Inventory Solution 7.5 Application Blacklisting

Updated on April 7, 2016. Symantec has now acknowledged and provided a fix for this problem. Symantec reference here and the provided fix here.

Symantec was notified of this issue on March 7, 2016.

My endpoint team was testing blocking executables using SMC/SMA/Altiris/Inventory Solution (it goes under many names). I found that if I kept opening the exe, I could essentially brute-force a successful launch of the application that had its executable blocked. It appears that the first exe would run and not be closed by the Altiris agent.

We were looking to prevent TeamViewer (remote software) from running. They were able to prevent the exe from launching, but if I created a simple PowerShell script to keep trying to open the executable, it would finally launch and stay open.

I could then connect and was able to remotely control the system (as TeamViewer is designed). Of course my CPU was pegged, but I was able to keep the session open while my script was running.

I am running Windows 7 Pro, 4-core CPU, 8GB of RAM, Symantec Management Agent 7.5.33.

To recreate this vulnerability, block your executable, then run the following simple PowerShell script on a client. In this case my team wanted to block TeamViewer, so that is what I tested.

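 # $n is never incremented, so the loop keeps retrying until it is stopped.
 $n = 1
 Do {
     # Placeholder: the path argument is not shown in the original post.
     Start-Process -FilePath '<path to blocked executable>'
 } While ($n -le 199999999)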
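
The behaviour described above leaves a recognisable trace in process telemetry: a burst of launches of a denied image on one host, all but one killed almost immediately. The following is an added example, not part of the original post or any Symantec tooling, of detection logic for that pattern; the log format, host names, paths, window and threshold are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: time, host, event, pid, image path.
SAMPLE_LOG = r"""
2016-03-07T10:00:00.100 WS01 create 4100 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.180 WS01 exit 4100 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.300 WS01 create 4110 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.370 WS01 exit 4110 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.500 WS01 create 4120 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.560 WS01 exit 4120 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.700 WS01 create 4130 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.790 WS01 exit 4130 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.900 WS01 create 4140 C:\Apps\blocked-app.exe
2016-03-07T10:00:00.960 WS01 exit 4140 C:\Apps\blocked-app.exe
2016-03-07T10:00:01.100 WS01 create 4150 C:\Apps\blocked-app.exe
2016-03-07T10:00:02.000 WS01 create 4300 C:\Windows\notepad.exe
2016-03-07T10:05:00.000 WS02 create 5200 C:\Apps\blocked-app.exe
2016-03-07T10:05:00.090 WS02 exit 5200 C:\Apps\blocked-app.exe
"""

def detect(lines, denied, window=timedelta(seconds=10), threshold=5):
    """Flag hosts where a denied image is launched >= threshold times inside
    the window; 'survivors' are launches with no exit event in the log."""
    recent = defaultdict(deque)  # (host, image) -> launch times in window
    live = defaultdict(dict)     # (host, image) -> {pid: start time}
    bursts = {}                  # (host, image) -> peak launches in window
    for line in lines:
        ts, host, kind, pid, image = line.split(maxsplit=4)
        ts, pid, image = datetime.fromisoformat(ts), int(pid), image.lower()
        if image.rsplit("\\", 1)[-1] not in denied:
            continue
        key = (host, image)
        if kind == "exit":
            live[key].pop(pid, None)
            continue
        live[key][pid] = ts
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(q))
    return [{"host": h, "image": img, "launches": n,
             "survivors": sorted(live[(h, img)])}
            for (h, img), n in bursts.items()]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.strip().splitlines(), {"blocked-app.exe"}):
        print(hit)
```

A finding with a non-empty `survivors` list means the block was bypassed on that host, not merely retried.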

