Trend Micro InterScan VirusWall SMTP bug

From: aslat_private
Date: Mon Dec 27 1999 - 15:01:38 PST


                          Alcatel Security Advisory
                        InterScan VirusWall SMTP bug
                                  12/27/99
    
    
    Affected Systems
    ----------------
    Trend Micro's InterScan VirusWall version 3.0.1 for Solaris.
    
    
    Severity
    --------
    The NewApt Worm is currently exploiting this bug to avoid detection.
    
    
    Synopsis
    ---------
    By sending an SMTP message with a malformed attachment, it is possible
    for malicious code to avoid detection by Trend Micro's InterScan SMTP
    scanner version 3.0.1 for Solaris. Other versions may be affected as
    well, but were not tested.
    
    
    Description
    -----------
    RFC2045 describes the number of padding characters needed at the end
    of a base64 encoded MIME attachment. InterScan VirusWall does not
    properly handle incorrectly padded attachments. Upon receiving such
    an attachment, InterScan fails to scan the attachment properly and
    the message is allowed to pass through; however, InterScan does log
    the following message to its system logs:
    
         base64: Unexpected EOF seen
    
    Note: This modification of the padding does not appear to affect
    mail clients such as Netscape Communicator.
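
The following is an added example, not part of the original advisory and not Trend Micro's code: a strict decoder for base64 MIME parts that quarantines any part whose padding does not follow RFC2045 instead of letting it pass unscanned. The names decode_strict and triage, the fail-closed policy, and the sample message (harmless 4-byte payloads) are assumptions constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Base64 alphabet followed by at most two "=" pad characters (RFC 2045, section 6.8).
_B64_BODY = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def decode_strict(body: str) -> bytes:
    """Decode a base64 body, raising ValueError on anything a lenient decoder would guess at."""
    data = "".join(body.split())  # line breaks and whitespace carry no data
    if not _B64_BODY.fullmatch(data):
        raise ValueError("character outside the base64 alphabet, or more than two trailing '='")
    if len(data) % 4:
        raise ValueError("encoded length is not a multiple of 4, so the '=' padding is wrong")
    return base64.b64decode(data, validate=True)

def triage(raw_message: str):
    """Fail closed: a base64 part is either decoded for scanning or quarantined."""
    results = []
    for part in message_from_string(raw_message).walk():
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        if part.is_multipart() or cte != "base64":
            continue
        name = part.get_filename() or "(unnamed)"
        try:
            payload = decode_strict(part.get_payload(decode=False))
            results.append((name, "scan", f"{len(payload)} bytes"))  # hand payload to the scanner
        except ValueError as exc:
            results.append((name, "quarantine", str(exc)))  # never pass through unscanned
    return results

# Constructed sample: two attachments carrying b"ABCD"; the second has one extra "=".
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="good.bin"

QUJDRA==
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="odd.bin"

QUJDRA===
--b1--
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
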
    
    
    Example
    -------
    We noticed this bug while testing the product with live viruses.
    The NewApt Worm replicates by replying to emails in the victim's
    mailbox. The above error message was a clear indication
    that this particular attachment was problematic. It was determined
    that an extra "=" character at the end of the base64 encoding was
    the cause of the problem. Further investigation revealed that if
    the correct number of "=" characters (as per RFC2045) were not
    present, InterScan failed to catch the virus. This was tested
    with several other viruses such as Melissa and Shankar.
    
    To exploit this vulnerability, create a new message with the virus
    of your choice attached. Save this message to your local disk.
    Edit the message and add any number of "=" characters to the
    end of the base64 encoded attachment. This message will now pass
    through the InterScan VirusWall, and the virus will remain
    undetected and intact.
    
    
    Patch
    -----
    Trend Micro has posted a fix for this bug. The patch can be
    downloaded from the following URL:
    
    http://www.antivirus.com/download/patches.htm
    
    The patch is titled isvwsol301a_u2.tar
    
    
    References
    ---------
    Trend Micro
    http://www.trend.com
    
    RFC2045
    ftp://ftp.isi.edu/in-notes/rfc2045.txt
    
    NewApt Worm Advisory
    http://vil.nai.com/vil/wm10475.asp
    


