SecurityTracker.com Archives - Trend Micro's InterScan VirusWall Server Has Another Vulnerability - This One Lets Remote Users Execute Arbitrary Commands on the Server with System Level Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

About the Archives

Want to learn about the SecurityTracker archives? We've got answers to frequently asked questions right here

Category: Application (Security) > InterScan VirusWall

Vendors: Trend Micro

Trend Micro's InterScan VirusWall Server Has Another Vulnerability - This One Lets Remote Users Execute Arbitrary Commands on the Server with System Level Privileges

Date: Jun 13 2001 19:19 (UTC/GMT)

Impact: Execution of arbitrary code via network, Root access via network

Exploit Included: Yes

Advisory: Secure Net Service (LAC)

Version(s): InterScan VirusWall for Windows NT 3.51J build 1321 Japanese, InterScan VirusWall for Windows NT 3.51 build 1321 English

Description: SNS reported yet another vulnerability in Trend Micro's InterScan VirusWall anti-virus gateway. This vulnerability allows remote users to execute arbitrary code on the server and obtain system level privileges on the server.

The vulnerability is reportedly due to a buffer overflow in two administrative programs: FtpSaveCSP.dll and FtpSaveCVP.dll.

If long strings are included in a certain configuration parameter, the vulnerability will be triggered when the remote user views following dll(s):

http://server/interscan/cgi-bin/FtpSaveCSP.dll
http://server/interscan/cgi-bin/FtpSaveCVP.dll

It is reported that arbitrary code may be executed.

The vendor has reportedly been contacted.

Impact: A remote user can exuecte arbitrary code on the server and obtain system level privileges on the server.

Solution: No solution was available at the time of this entry.

Vendor URL: www.trendmicro.com/ (Links to External Site)

Cause: Boundary error

Underlying OS: Windows (NT)

Underlying OS Comments: tested on Windows NT Server 4.0 SP6a Japanese, English

Reported By: "SNS Advisory" <snsadv@lac.co.jp>

Message History: None.

Source Message Contents

Date: Wed, 13 Jun 2001 13:44:06 +0900
From: "SNS Advisory" <snsadv@lac.co.jp>
Subject: [SNS Advisory No.31] Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll Buffer Overflow Vulnerability

 

SNS Advisory No.31
Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll
Buffer Overflow Vulnerability

Problem first discovered: 30 May 2001
Published: 13 Jun 2001 
Last Updated: 13 Jun 2001 
----------------------------------------------------------------------

Overview
---------
A buffer overflow vulnerability was found in administrative programs,
FtpSaveCSP.dll and FtpSaveCVP.dll, of InterScan VirusWall for Windows NT.
It allows a remote user to execute an arbitrary command with SYSTEM
privilege.

Problem Description
--------------------
If long strings are included in a certain parameter of configuration by
exploitation of the vulnerability that was reported by SNS Advisory
No.28, a buffer overflow occurs when viewing following dll(s):

  http://server/interscan/cgi-bin/FtpSaveCSP.dll
  http://server/interscan/cgi-bin/FtpSaveCVP.dll

A buffer overflow occurs with following dump(Japanese version):

  00F9FC04  4F 50 50 50 51 51  OPPPQQ
  00F9FC0A  51 52 52 52 53 53  QRRRSS
  00F9FC10  53 54 54 54 55 55  STTTUU
  00F9FC16  55 56 61 62 63 64  UVabcd
  00F9FC1C  57 58 58 58 59 59  WXXXYY
  00F9FC22  59 5A 5A 5A 61 61  YZZZaa
  00F9FC28  61 61 61 61 61 61  aaaaaa
  00F9FC2E  61 61 61 61 61 61  aaaaaa

register:

  EAX = 00F9FC1C  EIP = 64636261

Therefore, arbitrary code may be executed by calling eax, replaced a 
value with attacker supplied arbitrary address.
Combined with the vulnerability of ftpsave.dll in SNS Advisory No.28, a
remote user can easily launch an attack.

Tested version
---------------
  InterScan VirusWall for Windows NT 3.51J build 1321 Japanese
  InterScan VirusWall for Windows NT 3.51  build 1321 English

Tested on
----------
  Windows NT Server 4.0 SP6a Japanese
  Windows NT Server 4.0 SP6a English

Fix information
---------------
Trend Micro Japanese support team responded nothing. 
Until the patch will be released, set up access control to refuse access
to servers in which InterScan VirusWall is installed by non-administrative
user.

Discovered by
--------------
Nobuo Miwa (LAC / n-miwa@lac.co.jp)

Disclaimer
-----------
All information in this advisories are subject to change without any 
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.

References
----------
Archive of this advisory:
	http://www.lac.co.jp/security/english/snsadv_e/31_e.html

SNS Advisory No.28(TrendMicro InterScan VirusWall for NT remote
configuration Vulnerability)

	http://www.lac.co.jp/security/english/snsadv_e/28_e.html

SNS Advisory:
	http://www.lac.co.jp/security/english/snsadv_e/

LAC:
	http://www.lac.co.jp/security/english/

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2001, SecurityGlobal.net LLC