SecurityTracker.com
Category:   Application (Security)  >   Trend Micro OfficeScan
Vendors:   Trend Micro
Trend Micro OfficeScan Buffer Overflow May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1005782
SecurityTracker URL:  http://securitytracker.com/id/1005782
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 10 2002
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.02
Description:   A buffer overflow vulnerability was reported in Trend Micro's OfficeScan Corporate Edition. A local user could execute arbitrary code, possibly to gain elevated privileges.

Texonet reported that there is a buffer overflow in pop3trap.exe. According to the report, a local user could connect to the local port 110 and send a specially crafted string to trigger the overflow and overwrite the EIP register. This could cause arbitrary code to be executed with the privileges of the user running pop3trap.exe.

Some demonstration exploit examples are provided:

Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110

Example 2: http://127.0.0.1:110/[put 1100 a's here]
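
The boundary check whose absence the report describes, as an added example (not Trend Micro's or Texonet's code): a proxy reading POP3 commands should cap each line before copying it. The function name and the 255-octet limit (taken from RFC 2449, not from this advisory) are assumptions of the sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POP3_MAX_LINE 255  /* RFC 2449: max command length, CRLF included */

enum pop3_status { POP3_OK = 0, POP3_INCOMPLETE = 1, POP3_TOO_LONG = -1 };

/*
 * Hypothetical helper: copy one CRLF-terminated command from `in` (n bytes
 * received so far) into `out` (capacity out_cap), NUL-terminated.
 * Never writes past out_cap. On POP3_OK, *consumed counts the input bytes
 * used, CRLF included.
 */
enum pop3_status pop3_read_command(const char *in, size_t n,
                                   char *out, size_t out_cap,
                                   size_t *consumed)
{
    size_t limit = n < POP3_MAX_LINE ? n : POP3_MAX_LINE;
    size_t i;

    *consumed = 0;
    for (i = 0; i + 1 < limit; i++) {
        if (in[i] == '\r' && in[i + 1] == '\n') {
            if (i + 1 > out_cap)       /* i bytes of text plus the NUL */
                return POP3_TOO_LONG;
            memcpy(out, in, i);
            out[i] = '\0';
            *consumed = i + 2;
            return POP3_OK;
        }
    }
    /* No CRLF inside the protocol limit: reject, do not keep buffering. */
    if (n >= POP3_MAX_LINE)
        return POP3_TOO_LONG;
    return POP3_INCOMPLETE;
}

int main(void)
{
    char flood[1100], cmd[POP3_MAX_LINE + 1];
    size_t used;

    memset(flood, 'a', sizeof flood);  /* constructed input: 1100 bytes, no CRLF */
    printf("%d\n", pop3_read_command(flood, sizeof flood, cmd, sizeof cmd, &used));
    return 0;
}
```

A caller that receives POP3_TOO_LONG should answer -ERR and close the connection rather than continue parsing.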

Impact:   A local user can execute arbitrary code with the privileges of the user running OfficeScan.
Solution:   The vendor has released a fix for users of OfficeScan Corporate Edition:

1. Make sure that you have upgraded to, or are using, OfficeScan 5.02 or the latest version. The latest OfficeScan installation package can be downloaded from www.trendmicro.com at:

http://www.trendmicro.com/download/product.asp?productid=5

2. Download the pop3hf.zip and refer to the included release notes for complete installation instructions:

pop3hf.zip (For English), 153.6KB :

http://solutionfile.trendmicro.com/SolutionFile/12982/en/pop3hf.zip

German, French, Spanish and Italian versions of the hotfix for the buffer overflow vulnerability can be found in Solution 13009:

http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=13009

For additional information, see the Vendor's advisory at:

http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982

Vendor URL:  kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Unchecked buffer in PC-cillin


-----------------------------------------------------------------------------
Texonet Security Advisory 20021210
-----------------------------------------------------------------------------
Advisory ID    : TEXONET-20021210
Authors        : Joel Soderberg and Christer Oberg (advisories@texonet.com)
Issue date     : 12-10-2002
Application    : PC-cillin (OfficeScan Corp. Edition 5.02)
Version(s)     : 2000, 2002 and 2003
Platforms      : Windows 98/ME/2000/XP
Availability   : http://www.texonet.com/advisories/TEXONET-20021210.txt
-----------------------------------------------------------------------------


Problem:
-----------------------------------------------------------------------------
PC-cillin has an unchecked buffer in pop3trap.exe


Description:
-----------------------------------------------------------------------------
PC-cillin comes with a mail scanning feature that scans all incoming mail for
viruses, this is accomplished by connecting the mail client to a local service
listening on port 110 (pop3). This service is only listening for connections
from the local machine and acts as a proxy. The program running this service
is pop3trap.exe. Connecting to the local port 110 and sending a lot of
characters will crash the program with a direct hit on the EIP, this makes it
possible to run malicious code. The code will be run using the privileges of
the user owning the pop3trap.exe process.

Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110

Example 2: http://127.0.0.1:110/[put 1100 a's here]



Workaround:
-----------------------------------------------------------------------------
Download the appropriate Service Pack from:

http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982


Disclosure Timeline:
-----------------------------------------------------------------------------
11/14/2002: Vendor notified by e-mail
11/15/2002: Standard support reply received from vendor
11/15/2002: Requested contact information from vendor
11/15/2002: Reply received from vendor with contact recommendations
11/15/2002: Advisory sent in accordance with vendor's recommendations
11/21/2002: Vendor has verified the issue and is working on the solution
12/10/2002: Issue released to the public


About Texonet:
-----------------------------------------------------------------------------
Texonet is a Swedish based security company with a focus on penetration
testing / security assessments, research and development.


Contacting Texonet:
-----------------------------------------------------------------------------
E-mail:    advisories@texonet.com
Homepage:  http://www.texonet.com/
Phone:     +46-8-55174611



 
 

