SecurityTracker.com
Category:  Application (Security)  >  InterScan VirusWall
Vendors:  Trend Micro
TrendMicro InterScan VirusWall Discloses Files to Remote Users
SecurityTracker Alert ID:  1009550
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 24 2004
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Advisory:  Sentry Union
Version(s): 3.5
Description:  Tri Huynh from SentryUnion reported a vulnerability in TrendMicro's InterScan VirusWall. A remote user can view files located on the target system.

It is reported that the built-in web proxy service does not properly validate user-supplied input. A remote user can supply a specially crafted URL containing '../' directory traversal characters to view arbitrary files on the target system with the privileges of InterScan VirusWall.

Some demonstration exploit URLs are provided:

http://[target]:8080/ishttpd/localweb/java/?/../../../ishttpd.exe

http://[target]:8080/ishttpd/localweb/java/?/../../../../../../../../autoexec.bat

The vendor has reportedly been notified without response.

Impact:  A remote user can view files on the target system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.trendmicro.com/
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)
Underlying OS Comments:  Confirmed on Windows
Reported By:  "Tri Huynh" <trihuynh@zeeup.com>
Message History:   None.
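
A defender-side check for the request shape described above, added here as an example (not code from SecurityTracker, SentryUnion or Trend Micro): it flags access-log entries whose request-target addresses /ishttpd/localweb/ and carries a '..' segment in the path or, as in the demonstration URLs, after the '?'. The log layout, the function names and the sample lines (including the percent-encoded variant, which is there only to exercise the decoder) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

LOCALWEB_PREFIX = "/ishttpd/localweb/"  # path served by the built-in web server (from the advisory)
ABS_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/?#]*", re.I)  # scheme://host[:port] of a proxy-style target
DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a whole ".." segment, separated by / or \
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*"')  # assumed access-log layout: client ... "METHOD target PROTO"


def decode(text, rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        once = unquote(text)
        if once == text:
            break
        text = once
    return text


def is_localweb_traversal(target):
    """True if the target addresses localweb and has a '..' segment in its path or query."""
    target = ABS_URL.sub("", target, count=1) or "/"
    path, _, query = target.partition("?")
    path, query = decode(path), decode(query)
    if not path.lower().startswith(LOCALWEB_PREFIX):
        return False  # per the advisory, other URLs are forwarded to the upstream proxy
    return bool(DOTDOT.search(path[len(LOCALWEB_PREFIX):]) or DOTDOT.search(query))


def scan(log_lines):
    """Return (client, request-target) for every flagged log line."""
    matches = (REQUEST.match(line) for line in log_lines)
    return [m.groups() for m in matches if m and is_localweb_traversal(m.group(2))]


# Constructed sample lines using documentation addresses; not taken from a real log.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2004:07:11:24 -0800] "GET /ishttpd/localweb/java/telewind.zip HTTP/1.0" 200 48211',
    '192.0.2.44 - - [24/Mar/2004:07:12:02 -0800] "GET /ishttpd/localweb/java/?/../../../ishttpd.exe HTTP/1.0" 200 90112',
    '192.0.2.44 - - [24/Mar/2004:07:12:09 -0800] "GET http://198.51.100.5:8080/ishttpd/localweb/java/?/%2e%2e/%2e%2e%5cautoexec.bat HTTP/1.0" 200 312',
    '192.0.2.10 - - [24/Mar/2004:07:13:40 -0800] "GET http://www.example.com/docs/../index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, target in scan(SAMPLE_LOG):
        print(client, target)
```

A filter that normalizes only the path component would pass the demonstration URLs, because their '../' sequences sit in the query string; the check therefore inspects both parts.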


 Source Message Contents

Date:  Wed, 24 Mar 2004 07:11:24 -0800
From:  "Tri Huynh" <trihuynh@zeeup.com>
Subject:  TrendMacro Interscan Viruswall Directory Traversal

 



   TrendMacro Interscan Viruswall Directory Traversal
   =================================================

   PROGRAM: TrendMacro Interscan Viruswall
   HOMEPAGE: http://www.trendmicro.com
   VULNERABLE VERSIONS: - 3.5x (Windows)
                        - Unix/Solaris version is not tested but possibly
                          vulnerable

  DESCRIPTION
   =================================================

  InterScan VirusWall provides intelligent content scanning
  to prevent virus outbreaks. It blocks spam, non-business
  related messages, and attachments to protect enterprise
  network and business integrity.

   DETAILS
   =================================================

   Interscan Web Viruswall, a part of the Interscan Viruswall package, is a web
   proxy/gateway service that has a responsibility to scan viruses
   "on-the-fly" before it reaches the user's browser. In Interscan
   Web Viruswall, there is a built-in mechanism that
   allows anybody to read files at the /ishttp/localweb directory by using
   such a URL: http://victimIP:8080/ishttpd/localweb/filename. Other URLs
   that point to different directories (except sub-directories of "localweb")
   won't trigger the mechanism and will be forwarded to the proxy which the
   service is set up to. The reason there is such a "feature" is because
   Interscan Web Viruswall has another feature (not turned on by default)
   called TeleWindow which uses an applet (/ishttpd/localweb/java/telewind.zip)
   to allow the user to see the scanning process. Unfortunately, that built-in
   mini webserver has a directory traversal problem. By using a URL like
   this, an evil genius ;-) can access files outside the
   localweb directory:
http://victimIP:8080/ishttpd/localweb/java/?/../../../ishttpd.exe
   will download the service executable file or

http://24.128.159.50:8080/ishttpd/localweb/java/?/../../../../../../../../autoexec.bat
   will download the autoexec.bat file in the root directory.

   WORKAROUND
   =================================================
   Administrators should be aware that even if the TeleWindow feature is not
   turned on, the vulnerability can still be exploited since the
   mini-webserver is hardcoded and it can't be turned off by using the
   configuration interface.

  Apply the patch from TrendMacro or temporarily stop using the Interscan
  Web Viruswall until the patch is issued.

  Update: The technical support email virus_doctor@trendmacro.com was
  sent an email concerning this problem. However, it has been 6 days
  and we haven't received any responses yet.

  CREDITS
   =================================================

   Discovered by Tri Huynh from SentryUnion


   DISCLAIMER
   =================================================

   The information within this paper may change without notice. Use of
   this information constitutes acceptance for use in an AS IS condition.
   There are NO warranties with regard to this information. In no event
   shall the author be liable for any damages whatsoever arising out of
   or in connection with the use or spread of this information. Any use
   of this information is at the user's own risk.


   FEEDBACK
   =================================================

   Please send suggestions, updates, and comments to: trihuynh@zeeup.com



 



Copyright 2004, SecurityGlobal.net LLC