Date: Wed, 13 Jun 2001 13:44:06 +0900
From: SNS Advisory <[email protected]>
To: BUGTRAQ <[email protected]>
Subject: [SNS Advisory No.31] Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll Buffer Overflow Vulnerability
SNS Advisory No.31
Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll
Buffer Overflow Vulnerability
Problem first discovered: 30 May 2001
Published: 13 Jun 2001
Last Updated: 13 Jun 2001
----------------------------------------------------------------------
Overview
---------
A buffer overflow vulnerability was found in the administrative programs
FtpSaveCSP.dll and FtpSaveCVP.dll of InterScan VirusWall for Windows NT.
It allows a remote user to execute arbitrary commands with SYSTEM
privileges.
Problem Description
--------------------
If a long string is set in a certain configuration parameter by
exploiting the vulnerability reported in SNS Advisory No.28, a buffer
overflow occurs when either of the following DLLs is viewed:
http://server/interscan/cgi-bin/FtpSaveCSP.dll
http://server/interscan/cgi-bin/FtpSaveCVP.dll
The buffer overflow produces the following dump (Japanese version):
00F9FC04 4F 50 50 50 51 51 OPPPQQ
00F9FC0A 51 52 52 52 53 53 QRRRSS
00F9FC10 53 54 54 54 55 55 STTTUU
00F9FC16 55 56 61 62 63 64 UVabcd
00F9FC1C 57 58 58 58 59 59 WXXXYY
00F9FC22 59 5A 5A 5A 61 61 YZZZaa
00F9FC28 61 61 61 61 61 61 aaaaaa
00F9FC2E 61 61 61 61 61 61 aaaaaa
register:
EAX = 00F9FC1C EIP = 64636261
EIP holds a value taken from the supplied string, and EAX points into
the overwritten buffer. Therefore, arbitrary code may be executed by
replacing that value with an attacker-supplied address that calls EAX.
Combined with the vulnerability of ftpsave.dll in SNS Advisory No.28, a
remote user can easily launch an attack.
Tested version
---------------
InterScan VirusWall for Windows NT 3.51J build 1321 Japanese
InterScan VirusWall for Windows NT 3.51 build 1321 English
Tested on
----------
Windows NT Server 4.0 SP6a Japanese
Windows NT Server 4.0 SP6a English
Fix information
---------------
The Trend Micro Japanese support team has not responded.
Until a patch is released, set up access control so that
non-administrative users cannot access servers on which InterScan
VirusWall is installed.
Discovered by
--------------
Nobuo Miwa (LAC / [email protected])
Disclaimer
-----------
All information in these advisories is subject to change without advance
notice or mutual consensus, and each advisory is released as is.
LAC Co., Ltd. is not responsible for any risks arising from applying
this information.
References
----------
Archive of this advisory:
http://www.lac.co.jp/security/english/snsadv_e/31_e.html
SNS Advisory No.28(TrendMicro InterScan VirusWall for NT remote
configuration Vulnerability)
http://www.lac.co.jp/security/english/snsadv_e/28_e.html
SNS Advisory:
http://www.lac.co.jp/security/english/snsadv_e/
LAC:
http://www.lac.co.jp/security/english/
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <[email protected]>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
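
Added example (not part of the original advisory): one way to check that
the access control recommended under "Fix information" is effective is to
scan the web server's access log for requests to the affected DLLs from
hosts outside the administrators' network. The Common Log Format input,
the admin network 10.0.5.0/28, the location of ftpsave.dll and the sample
log lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Directory and DLL names from the advisory; Windows paths are matched
# case-insensitively. Assumption: ftpsave.dll lives in the same directory.
ADMIN_PREFIX = "/interscan/cgi-bin/"
ADMIN_DLLS = {"ftpsavecsp.dll", "ftpsavecvp.dll", "ftpsave.dll"}
# Assumption: administrators connect only from this network.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/28")]
# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def is_admin_source(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames or malformed values are untrusted
    return any(addr in net for net in ADMIN_NETS)

def find_violations(lines):
    """Return (host, time, dll, status) for non-admin hits on the DLLs."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host, when, target, status = m.groups()
        # Drop the query string, decode %xx escapes, normalise slashes/case.
        path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
        path = re.sub(r"/+", "/", path)
        if not path.startswith(ADMIN_PREFIX):
            continue
        dll = path[len(ADMIN_PREFIX):].split("/")[0]
        if dll in ADMIN_DLLS and not is_admin_source(host):
            hits.append((host, when, dll, int(status)))
    return hits

# Constructed sample log lines (documentation address ranges), not real data.
SAMPLE_LOG = [
    '10.0.5.3 - admin [13/Jun/2001:10:02:11 +0900] "GET /interscan/cgi-bin/FtpSaveCSP.dll HTTP/1.0" 200 5120',
    '192.0.2.44 - - [13/Jun/2001:10:05:12 +0900] "POST /INTERSCAN/CGI-BIN/ftpsave.dll HTTP/1.0" 200 312',
    '192.0.2.44 - - [13/Jun/2001:10:05:40 +0900] "GET /interscan/cgi-bin/FtpSaveCVP.dll HTTP/1.0" 200 5120',
    '198.51.100.7 - - [13/Jun/2001:10:09:03 +0900] "GET //interscan/cgi-bin/%46tpSaveCSP.dll?x=1 HTTP/1.0" 403 0',
    '198.51.100.7 - - [13/Jun/2001:10:09:30 +0900] "GET /index.html HTTP/1.0" 200 1024',
]
if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means a non-administrative host reached the DLL;
a 403 shows the restriction refused the request.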