SecurityTracker.com
Category:   Application (Security)  >   Trend Micro Antivirus
Vendors:   Trend Micro
Trend Micro Antivirus Format String Bug in Processing UUE Files Lets Remote Users Deny Service
SecurityTracker Alert ID:  1019079
SecurityTracker URL:  http://securitytracker.com/id/1019079
CVE Reference:   CVE-2007-6386
Updated:  Dec 18 2007
Original Entry Date:  Dec 11 2007
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Trend Micro AntiVirus plus AntiSpyware - 2008, Trend Micro Internet Security - 2008, Trend Micro Internet Security Pro - 2008
Description:   A vulnerability was reported in Trend Micro Antivirus. A remote user can cause denial of service conditions.

A remote user can create a specially crafted '.uue' file that, when processed by the target application, will trigger a format string bug and cause the application to crash.

The report indicates that code execution may be possible but was not confirmed.

English Versions of TIS16 (Trend Micro Internet Security Pro, Trend Micro Internet Security/Virus Buster 2008) and TAV16 (TrendMicro Antivirus plus AntiSpyware 2008) build #1450 and older are affected.

The vendor was notified on November 12, 2007.

Sowhat of Nevis Labs reported this vulnerability.

The original advisory is available at:

http://secway.org/advisory/AD20071211.txt

Impact:   A remote user can create a file that, when processed by the target application, will cause the target application to crash.
Solution:   The vendor has issued a fix (build 1451). The patch is available at:

http://solutionfile.trendmicro.com/solutionfile/1036464/EN/tis_160_win_en_patch_pccscan1451.exe

The Trend Micro advisory is available at:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=1036464

Vendor URL:  esupport.trendmicro.com/support/viewxml.do?ContentID=1036464
Cause:   Input validation error, State error
Underlying OS:  Windows (Vista), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] TrendMicro AntiVirus UUE Processing Vulnerability

TrendMicro AntiVirus UUE Processing Vulnerability


Sowhat of Nevis Labs
http://www.nevisnetworks.com
http://secway.org/advisory/AD20071211.txt


Vendor:
TrendMicro


Affected:
TrendMicro Antivirus prior to PccScan.dll build 1451
This vulnerability has been confirmed on TrendMicro Antivirus and
Antispyware 20008 (PccScan.dll build 1450).



Details:

There is a vulnerability in TrendMicro Antivirus, which allows an attacker
to escalate to SYSTEM privilege, Denial of service, or potentially execute
arbitrary code (not confirmed yet).

While decoding the .uue file, TrendMicro Antivirus will create a .zip file.
By manipulating the .uue file, we can make the TrendMicro AV generate a .zip
file which contains a long file name.

Due to the incorrect usage of wcsncpy_s() API while PccScan.dll is trying to
copy this long file name into a static buffer, the SfCtlCom.exe will crash.

Because SfCtlCom.exe is running under SYSTEM privilege, local privilege is
possible in some cases, e.g. there is a just-in-time debugger presented.

The remote exploitability has not been confirmed yet.

And also, according to the vendor:
"malformed UUE is not necessary, just a malformed zip file is enough"

So this vulnerability should be called a ".ZIP processing vulnerability",
not .UUE

The vulnerability can be exploited remotely, by sending email or convincing
the victim to visit an attacker-controlled website. Or it can be exploited
locally to gain the SYSTEM privilege.


Vendor Response:

2007.11.12    Vendor notified through several email addresses.
2007.11.13    Auto-Response from the support.
2007.11.13    Get the right person by sending emails to FD
2007.11.23    Patch available
2007.12.05    Patch planned on 5th, Dec
2007.12.06    Patch delayed to 7th, Dec
2007.12.11    Patch released by the vendor
2007.12.11    Advisory released.

Reference:
1. http://esupport.trendmicro.com/support/viewxml.do?ContentID=1036464
2. http://secway.org/advisory/AD20071116.txt
3. http://groups.google.com/group/vulnhashdb



-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
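
Added example (not part of the original advisory, and not Trend Micro's code): a bounded copy of an archive entry name that reports an over-long name to the caller instead of letting wcsncpy_s() reach the CRT invalid-parameter handler, which terminates the process by default. The buffer size, the function name copy_entry_name and the result codes are assumptions for illustration; the advisory does not say which wcsncpy_s() argument was misused.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed buffer size (MAX_PATH); the advisory does not state the real one. */
#define NAME_BUF_CHARS 260

enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARG = 2 };

/*
 * Copy an archive entry name into a fixed buffer. An over-long name is
 * reported to the caller instead of reaching the CRT invalid-parameter
 * handler, whose default action is to terminate the process.
 */
int copy_entry_name(wchar_t *dst, size_t dst_chars, const wchar_t *src)
{
    if (dst == NULL || dst_chars == 0)
        return COPY_BAD_ARG;
    if (src == NULL) {
        dst[0] = L'\0';
        return COPY_BAD_ARG;
    }
#ifdef _MSC_VER
    /* Risky form: wcsncpy_s(dst, dst_chars, src, wcslen(src)) takes the
     * handler path when src does not fit. _TRUNCATE cuts the copy short
     * and returns STRUNCATE instead. */
    errno_t rc = wcsncpy_s(dst, dst_chars, src, _TRUNCATE);
    if (rc == 0)
        return COPY_OK;
    if (rc == STRUNCATE)
        return COPY_TRUNCATED;
    dst[0] = L'\0';
    return COPY_BAD_ARG;
#else
    /* Portable equivalent for toolchains without wcsncpy_s. */
    size_t n = 0;
    while (n < dst_chars - 1 && src[n] != L'\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = L'\0';
    return src[n] == L'\0' ? COPY_OK : COPY_TRUNCATED;
#endif
}

int main(void)
{
    wchar_t buf[NAME_BUF_CHARS], name[301];  /* constructed 300-char name */
    for (size_t i = 0; i < 300; i++) name[i] = L'A';
    name[300] = L'\0';
    printf("result=%d\n", copy_entry_name(buf, NAME_BUF_CHARS, name));
    return 0;
}
```

A scanner calling this would treat COPY_TRUNCATED as a reason to flag or skip the entry rather than continue with a shortened name.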
