Trend Micro PC-cillin Scanner Buffer Overflow May Let Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1005781 |
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Dec 10 2002
|
Impact: Execution of arbitrary code via local system, User access via local system
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 2000, 2002, 2003
|
Description: A buffer overflow vulnerability was reported in Trend Micro's PC-cillin e-mail scanner. A local user could execute arbitrary code, possibly to gain elevated privileges.
Texonet reported that there is a buffer overflow in pop3trap.exe. According to the report, a local user could connect to the local port 110 and send a specially crafted string to trigger the overflow and overwrite the EIP register. This could cause arbitrary code to be executed with the privileges of the user running pop3trap.exe.
Some demonstration exploit examples are provided:
Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110
Example 2: http://127.0.0.1:110/[put 1100 a's here]
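The boundary error described above is the classic case of a line-oriented service copying client input into a fixed-size buffer without checking its length. As an added illustration (not Trend Micro's code, which this page does not show), here is a line reader for a POP3 proxy that rejects over-long input instead of overflowing. The names line_buf, line_init and line_feed are hypothetical, and the 255-octet limit is the command-line limit from RFC 2449, chosen as an assumption for this example.

```c
#include <stddef.h>
#include <string.h>

#define POP3_LINE_MAX 255  /* assumed limit: RFC 2449 command line, CRLF included */

enum line_status { LINE_NEED_MORE, LINE_READY, LINE_TOO_LONG };

struct line_buf {
    char   data[POP3_LINE_MAX + 1]; /* +1 for the terminating NUL */
    size_t len;                     /* bytes stored so far */
    int    discarding;              /* set while skipping an over-long line */
};

void line_init(struct line_buf *lb) { memset(lb, 0, sizeof *lb); }

/* Feed one chunk received from the client. Consumes bytes up to and including
 * the first LF, reports the count in *used, and never writes past the buffer.
 * On LINE_TOO_LONG the caller should answer -ERR and drop the connection. */
enum line_status line_feed(struct line_buf *lb, const char *chunk,
                           size_t n, size_t *used)
{
    size_t i;
    for (i = 0; i < n; i++) {
        char c = chunk[i];
        if (c == '\n') {
            *used = i + 1;
            if (lb->discarding) {           /* end of the rejected line */
                lb->discarding = 0;
                lb->len = 0;
                return LINE_TOO_LONG;
            }
            if (lb->len > 0 && lb->data[lb->len - 1] == '\r')
                lb->len--;                  /* strip the CR of CRLF */
            lb->data[lb->len] = '\0';       /* caller reads the line from data */
            lb->len = 0;
            return LINE_READY;
        }
        if (lb->discarding)
            continue;                       /* skip the rest of a long line */
        if (lb->len >= POP3_LINE_MAX - 1) { /* no room left: stop storing */
            lb->discarding = 1;
            continue;
        }
        lb->data[lb->len++] = c;
    }
    *used = n;
    return lb->discarding ? LINE_TOO_LONG : LINE_NEED_MORE;
}
```

Fed the 1100-byte line from the advisory's examples, line_feed stores at most 254 bytes and returns LINE_TOO_LONG, then resynchronises at the next line ending.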
|
Impact: A local user can execute arbitrary code with the privileges of the user running PC-cillin.
|
Solution: The vendor has released a fix. For users of PC-cillin 2000, Trend Micro recommends that you upgrade to PC-cillin 2002 or 2003 and apply the Service Packs listed below.
For users of PC-cillin 2002 and 2003:
1. Download the appropriate Service Pack:
For PC-cillin 2003: 2003_pop3_1163en.zip (For English), 388.1KB:
http://solutionfile.trendmicro.com/SolutionFile/12982/en/2003_pop3_1163en.zip
For PC-cillin 2002: 2002_pop3_1357en.zip (For English), 183.8KB:
http://solutionfile.trendmicro.com/SolutionFile/12982/en/2002_pop3_1357en.zip
Then, unzip the contents of the service pack into a temporary directory. For more information on how to extract the contents of a ZIP file, refer to Solution 12254:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=12254
Then, double-click the executable file (or *.exe) to replace your existing POP3 trap. You can refer to the readme.txt file included in the service pack for more information.
German, French, Spanish and Italian versions of the Hotfix against the buffer overflow vulnerability can be found in Solution 13009:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=13009
For additional information, see the Vendor's advisory at:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982
|
Vendor URL: kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: advisories@texonet.com (advisories@texonet.com)
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 10 Dec 2002 12:04:43 +0100
From: advisories@texonet.com (advisories@texonet.com)
Subject: Unchecked buffer in PC-cillin
|
----------------------------------------------------------------------------
Texonet Security Advisory 20021210
----------------------------------------------------------------------------
Advisory ID : TEXONET-20021210
Authors : Joel Soderberg and Christer Oberg (advisories@texonet.com)
Issue date : 12-10-2002
Application : PC-cillin (OfficeScan Corp. Edition 5.02)
Version(s) : 2000, 2002 and 2003
Platforms : Windows 98/ME/2000/XP
Availability : http://www.texonet.com/advisories/TEXONET-20021210.txt
----------------------------------------------------------------------------
Problem:
----------------------------------------------------------------------------
PC-cillin has an unchecked buffer in pop3trap.exe
Description:
----------------------------------------------------------------------------
PC-cillin comes with a mail scanning feature that scans all incoming mail for
viruses, this is accomplished by connecting the mail client to a local service
listening on port 110 (pop3). This service is only listening for connections
from the local machine and acts as a proxy. The program running this service
is pop3trap.exe. Connecting to the local port 110 and sending a lot of
characters will crash the program with a direct hit on the EIP, this makes it
possible to run malicious code. The code will be run using the privileges of
the user owning the pop3trap.exe process.
Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110
Example 2: http://127.0.0.1:110/[put 1100 a's here]
Workaround:
----------------------------------------------------------------------------
Download the appropriate Service Pack from:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982
Disclosure Timeline:
----------------------------------------------------------------------------
11/14/2002: Vendor notified by e-mail
11/15/2002: Standard support reply received from vendor
11/15/2002: Requested contact information from vendor
11/15/2002: Reply received from vendor with contact recommendations
11/15/2002: Advisory sent in accordance with vendor's recommendations
11/21/2002: Vendor has verified the issue and is working on the solution
12/10/2002: Issue released to the public
About Texonet:
----------------------------------------------------------------------------
Texonet is a Swedish-based security company with a focus on penetration
testing / security assessments, research and development.
Contacting Texonet:
----------------------------------------------------------------------------
E-mail: advisories@texonet.com
Homepage: http://www.texonet.com/
Phone: +46-8-55174611
|
|