Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   Trend Micro ServerProtect Vendors:   Trend Micro
Trend Micro ServerProtect Stack Overflow in CMON_NetTestConnection() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017676
SecurityTracker URL:
CVE Reference:   CVE-2007-1070   (Links to External Site)
Date:  Feb 21 2007
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ServerProtect for Windows 5.58, ServerProtect for EMC 5.58, ServerProtect for Network Appliance Filer 5.61, ServerProtect for Network Appliance Filer 5.62
Description:   A vulnerability was reported in Trend Micro ServerProtect. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to trigger a stack overflow in the CMON_NetTestConnection() function and execute arbitrary code on the target system. The code will run with System level privileges

The 'StCommon.dll' and 'eng50.dll' components are affected.

The vendor was notified on January 19, 2007.

Pedram Amini of TippingPoint Security Research Team discovered these vulnerabilities.

The original advisories are available at:

Impact:   A remote user can execute arbitrary code on the target system with System level privileges.
Solution:   The vendor has issued a fix (Security Patch 1- Build 1171).

The Trend Micro advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (2000), Windows (2003)

Message History:   None.

 Source Message Contents

Subject:  TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow

TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow
February 20, 2007

-- CVE ID:

-- Affected Vendor:
Trend Micro

-- Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since January 16, 2007 by Digital Vaccine protection
filter ID 5050. For further product information on the TippingPoint IPS: 

-- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Trend Micro ServerProtect. Authentication
is not required to exploit these vulnerabilities.

The specific flaws exist within the StCommon.dll library and are
reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to
by the service SpntSvc.exe. The RPC endpoint is exposed from
TmRpcSrv.dll with the following IDL stub information:

    // opcode:  0x00, address: 0x65741030
    // uuid:    25288888-bd5b-11d1-9d53-0080c83a5c2c
    // version: 1.0
    error_status_t   rpc_opnum_0 (
     [in] handle_t  arg_1,
     [in] long  trend_req_num,
     [in][size_is(arg_4)] byte overflow_str[],
     [in] long  arg_4,
     [out][size_is(arg_6)] byte arg_5[],
     [in] long  arg_6

The upper half of the 'trend_req_num' DWORD RPC argument from above is
used within TmRpcSrv.dll as an index into a call table. It must
specifically be 0x000a which results in a call to StRpcSrv.65673970().
The original arguments to the RPC endpoint are then passed to this
called routine:

    657416E6     mov eax, opnum0_call_table[eax*4]
    657416ED     test eax, eax
    657416EF     jnz short loc_65741707
    65741707 loc_65741707:
    65741707     mov [ebp+var_4], 0
    6574170E     mov edx, [ebp+sizeof_arg5]
    65741711     push edx
    65741712     mov edx, [ebp+arg5_array]
    65741715     push edx
    65741716     mov edx, [ebp+sizeof_overflow_str]
    65741719     push edx
    6574171A     mov edx, [ebp+overflow_str]
    6574171D     push edx
    6574171E     push ecx       ; trend_req_num
    6574171F     call eax       ; call handler

The lower half of the 'trend_req_num' DWORD RPC argument is then used
within StRpcSrv.dll as an index into a second call table. The value of
this lower half controls the code flow to the following vulnerabilities
and is hereto referred to as the 'subcode'.

--[ Vulnerability One
A subcode value of either 0x0011 or 0x0017 results in the following

    65674D7F push ebx   ; overflow_str
    65674D80 call CMON_NetTestConnection

A stack overflow occurs within the routine CMON_NetTestConnection() due
to an unbounded widechar wsprintf() into a 44 byte stack based buffer as
shown in the following relevant excerpt:

    65634AC5 xor ecx, ecx
    65634AC7 lea edx, [esp+65Ch+Name] ; 44 byte stack buffer
    65634ACB mov cx, [eax]
    65634ACE push ecx
    65634ACF push ebx                 ; 1st arg
    65634AD0 push offset str_SC       ; "\\\\%s\\%c$"
    65634AD5 push edx                 ; LPWSTR
    65634AD6 call ds:wsprintfW        ; vuln!

--[ Vulnerability Two
A subcode value of either 0x0008 or 0x0009 results in calls to
CMON_ActiveUpdate() and CMON_ActiveRollback() respectively. Both of
these routines subsequently call StCommon.65631220() which can result
in a stack overflow due to an unbounded widechar lstrcat() into a 2k
stack-based buffer as shown in the following relevant excerpt:

    65631311 lea edx, [esp+0A78h+buf]
    65631318 push ebp                 ; lpString2
    65631319 push edx                 ; lpString1
    6563131A call ebx ; lstrcatW      ; stack overflow

The resulting stack overflows can be leveraged to execute arbitrary
code under the privileges of the SYSTEM user. 

-- Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More
details can be found at:

-- Disclosure Timeline:
2007.01.16 - Digital Vaccine released to TippingPoint customers
2007.01.19 - Vulnerability reported to vendor
2007.02.20 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini,
TippingPoint Security Research Team.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC