{"id":760,"date":"2016-04-07T16:35:39","date_gmt":"2016-04-07T20:35:39","guid":{"rendered":"http:\/\/149.28.118.115\/?p=760"},"modified":"2016-04-07T16:35:39","modified_gmt":"2016-04-07T20:35:39","slug":"symantec-management-agent-7-5-application-blacklisting","status":"publish","type":"post","link":"https:\/\/www.postinger.com\/index.php\/2016\/04\/07\/symantec-management-agent-7-5-application-blacklisting\/","title":{"rendered":"CVE-2016-2202 &#8211; Symantec Management Agent Inventory Solution 7.5 Application Blacklisting"},"content":{"rendered":"<h4>Updated on April 7, 2016. Symantec has now acknowledged and provided a fix for this problem.\u00a0Symantec reference\u00a0<a href=\"https:\/\/www.symantec.com\/security_response\/securityupdates\/detail.jsp?fid=security_advisory&amp;pvid=security_advisory&amp;year=&amp;suid=20160407_00\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>\u00a0and the\u00a0provided fix <a href=\"https:\/\/support.symantec.com\/en_US\/article.TECH234599.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/h4>\n<h4>Symantec was notified\u00a0of this issue on March 7, 2016.<\/h4>\n<p>My\u00a0endpoint team was testing blocking executables using SMC\/SMA\/Altiris\/<span class=\"s1\">Inventory Solution\u00a0<\/span>(under many names). I found that if I kept opening the exe I could essentially brute force successfully launching the application that had its executable blocked. It appears that the first exe would run and not be closed by the Altiris agent.<br \/>\nWe were looking to prevent\u00a0TeamViewer (remote software) from running. They were able to prevent the exe from launching, but if I created a simple PowerShell script to keep trying to open the executable, it would finally launch and stay open.<br \/>\nI could then connect and I was able to remotely control the system (as TeamViewer is designed).
Of course my CPU was pegged, but I was able to keep the session open while my script was running.<br \/>\nI am running Windows 7 Pro, 4 core CPU, 8GB of\u00a0RAM, Symantec Management Agent 7.5.33.<br \/>\nTo recreate this vulnerability, block your executable, then run the following simple PowerShell script on a client. In this case my team wanted to block TeamViewer, so that is what I tested.<\/p>\n<pre> $n = 1\n # $n is never incremented, so the loop keeps relaunching until the script is stopped\n Do {\n Start-Process -FilePath \"C:\\Users\\&lt;username&gt;\\Downloads\\TeamViewerPortable\\Teamviewer.exe\"\n } While ($n -le 199999999)\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Updated on April 7, 2016. Symantec has now acknowledged and provided a fix for this problem.\u00a0Symantec reference\u00a0here\u00a0and the\u00a0provided fix here. Symantec was notified\u00a0of this issue on March 7, 2016. My\u00a0endpoint team was testing blocking executables using SMC\/SMA\/Altiris\/Inventory Solution\u00a0(under many names) I found that if I keep opening the exe I could essentially brute force successfully 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[7],"tags":[],"class_list":["post-760","post","type-post","status-publish","format-standard","hentry","category-tech"],"_links":{"self":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/posts\/760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/comments?post=760"}],"version-history":[{"count":0,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/posts\/760\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/media?parent=760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/categories?post=760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.postinger.com\/index.php\/wp-json\/wp\/v2\/tags?post=760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}