SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Security)  >   InterScan VirusWall Vendors:   Trend Micro
Trend Micro's InterScan VirusWall Server Has Another Vulnerability - This One Lets Remote Users Execute Arbitrary Commands on the Server with System Level Privileges
SecurityTracker Alert ID:  1001741
SecurityTracker URL:  http://securitytracker.com/id/1001741
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 13 2001
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): InterScan VirusWall for Windows NT 3.51J build 1321 Japanese, InterScan VirusWall for Windows NT 3.51 build 1321 English
Description:   SNS reported yet another vulnerability in Trend Micro's InterScan VirusWall anti-virus gateway. This vulnerability allows remote users to execute arbitrary code on the server and obtain system level privileges on the server.

The vulnerability is reportedly due to a buffer overflow in two administrative programs: FtpSaveCSP.dll and FtpSaveCVP.dll.

If long strings are included in a certain configuration parameter, the vulnerability will be triggered when the remote user views following dll(s):

http://server/interscan/cgi-bin/FtpSaveCSP.dll
http://server/interscan/cgi-bin/FtpSaveCVP.dll

It is reported that arbitrary code may be executed.

The vendor has reportedly been contacted.
Impact:   A remote user can exuecte arbitrary code on the server and obtain system level privileges on the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.trendmicro.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (NT)

Message History:   None.

 Source Message Contents
Date:  Wed, 13 Jun 2001 13:44:06 +0900
Subject:  [SNS Advisory No.31] Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll Buffer Overflow Vulnerability


SNS Advisory No.31
Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll
Buffer Overflow Vulnerability

Problem first discovered: 30 May 2001
Published: 13 Jun 2001 
Last Updated: 13 Jun 2001 
----------------------------------------------------------------------

Overview
---------
A buffer overflow vulnerability was found in administrative programs,
FtpSaveCSP.dll and FtpSaveCVP.dll, of InterScan VirusWall for Windows NT.
It allows a remote user to execute an arbitrary command with SYSTEM
privilege.

Problem Description
--------------------
If long strings are included in a certain parameter of configuration by
exploitation of the vulnerability that was reported by SNS Advisory
No.28, a buffer overflow occurs when viewing following dll(s):

  http://server/interscan/cgi-bin/FtpSaveCSP.dll
  http://server/interscan/cgi-bin/FtpSaveCVP.dll

A buffer overflow occurs with following dump(Japanese version):

  00F9FC04  4F 50 50 50 51 51  OPPPQQ
  00F9FC0A  51 52 52 52 53 53  QRRRSS
  00F9FC10  53 54 54 54 55 55  STTTUU
  00F9FC16  55 56 61 62 63 64  UVabcd
  00F9FC1C  57 58 58 58 59 59  WXXXYY
  00F9FC22  59 5A 5A 5A 61 61  YZZZaa
  00F9FC28  61 61 61 61 61 61  aaaaaa
  00F9FC2E  61 61 61 61 61 61  aaaaaa

register:

  EAX = 00F9FC1C  EIP = 64636261

Therefore, arbitrary code may be executed by calling eax, replaced a 
value with attacker supplied arbitrary address.
Combined with the vulnerability of ftpsave.dll in SNS Advisory No.28, a
remote user can easily launch an attack.

Tested version
---------------
  InterScan VirusWall for Windows NT 3.51J build 1321 Japanese
  InterScan VirusWall for Windows NT 3.51  build 1321 English

Tested on
----------
  Windows NT Server 4.0 SP6a Japanese
  Windows NT Server 4.0 SP6a English

Fix information
---------------
Trend Micro Japanese support team responded nothing. 
Until the patch will be released, set up access control to refuse access
to servers in which InterScan VirusWall is installed by non-administrative
user.

Discovered by
--------------
Nobuo Miwa (LAC / n-miwa@lac.co.jp)

Disclaimer
-----------
All information in this advisories are subject to change without any 
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.

References
----------
Archive of this advisory:
	http://www.lac.co.jp/security/english/snsadv_e/31_e.html

SNS Advisory No.28(TrendMicro InterScan VirusWall for NT remote
configuration Vulnerability)

	http://www.lac.co.jp/security/english/snsadv_e/28_e.html

SNS Advisory:
	http://www.lac.co.jp/security/english/snsadv_e/

LAC:
	http://www.lac.co.jp/security/english/

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC