Additional Vulnerabilities in TrendMicro's InterScan AppletTrap Malicious Code Filtering Software Allow Remote Users to Create HTML With Malicious Code That Will Bypass the Filtering Mechanisms
|
|
SecurityTracker Alert ID: 1002114 |
|
SecurityTracker URL: http://securitytracker.com/id/1002114
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 29 2001
|
Impact:
Host/resource access via network
|
Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 2.0
|
Description:
It is reported that there are additional vulnerabilities in Trend Micro's InterScan AppletTrap software that allows malicious code to bypass the filtering software.
eDvice reports that there are two problems with AppletTrap's Script filtering mechanism:
1) If only JavaScript or VBScript filtering is enabled (but both are not enabled), then a remote user can create an HTML web page that contains a mixture of JavaScript and VBScript code that will bypass the filtering mechanisms. For this vulnerability to be triggered, the scripts must appear after a separate script that is permitted by the AppletTrap policy.
2) AppletTrap does not filter scripting tags that are constructed using extended Unicode notation.
|
Impact:
A remote user can create malicious HTML web pages that will bypass the AppletTrap filtering mechanism.
|
Solution:
No solution was available at the time of this entry. The vendor reportedly plans to address these vulnerabilities in version 2.5.
|
Vendor URL: www.antivirus.com/ (Links to External Site)
|
Cause:
Input validation error, State error
|
Underlying OS:
UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 29 Jul 2001 11:13:01 +0200
Subject: Various problems in Ternd Micro AppletTrap Script filtering
|
Sunday 29 July 2001
Various problems in Ternd Micro AppletTrap Script filtering
===========================================================
This is a different advisory than the one we posted on July 9
(http://archives.neohapsis.com/archives/bugtraq/2001-07/0129.html).
Product Background
------------------
Trend Micro Applet Trap is a product for blocking malicious Java applets,
malicious JavaScript and unsecured ActiveX controls at the gateway. The
product includes an option for URL filtering.
Scope
------
eDvice recently conducted a test of AppletTrap's ability to filter Scripts
at the gateway. AppletTrap includes the ability to filter script languages
(JavaScript, VBScript, and/or all other HTML script languages) from HTML
code.
The Findings
--------------
AppletTrap includes some design and implementation flaws, which allow an
attacker to bypass restrictions set by the product administrator and
introduce malicious code into an organization.
Details
---------
We found two problems with AppletTrap's Script filtering mechanism:
1) If only JavaScript or VBScript (not both) filtering is enabled, then in
an html page containing a mixture of JavaScript and VBScript code,
AppletTrap will not filter scripts that should have been filtered by policy
as long as these scripts appear after a script that is allowed by policy.
For example, if the policy is set to filter only VBScript and not
JavaScript, then in a page containing a JavaScript and a VBScript, the
VBScript will not be filtered as long as the JavaScript code comes first.
2) AppletTrap does not recognize and does not filter scripting tags
constructed using extended Unicode notation. This is the same problem we
reported in http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html
(see also http://www.securityfocus.com/bid/2801) for a different product.
Version Tested
---------------
AppletTrap 2.0
Status and solution
--------------------
Trend Micro has confirmed these vulnerabilities and will address them in
version 2.5.
Discovered by eDvice on 11 July 2001.
http://www.edviceSecurity.com
Support@edviceSecurity.com
|
|
