SNS Advisory No.31 Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll Buffer Overflow Vulnerability Problem first discovered: 30 May 2001 Published: 13 Jun 2001 Last Updated: 13 Jun 2001 ---------------------------------------------------------------------- Overview --------- A buffer overflow vulnerability was found in administrative programs, FtpSaveCSP.dll and FtpSaveCVP.dll, of InterScan VirusWall for Windows NT. It allows a remote user to execute an arbitrary command with SYSTEM privilege. Problem Description -------------------- If long strings are included in a certain parameter of configuration by exploitation of the vulnerability that was reported by SNS Advisory No.28, a buffer overflow occurs when viewing following dll(s): http://server/interscan/cgi-bin/FtpSaveCSP.dll http://server/interscan/cgi-bin/FtpSaveCVP.dll A buffer overflow occurs with following dump(Japanese version): 00F9FC04 4F 50 50 50 51 51 OPPPQQ 00F9FC0A 51 52 52 52 53 53 QRRRSS 00F9FC10 53 54 54 54 55 55 STTTUU 00F9FC16 55 56 61 62 63 64 UVabcd 00F9FC1C 57 58 58 58 59 59 WXXXYY 00F9FC22 59 5A 5A 5A 61 61 YZZZaa 00F9FC28 61 61 61 61 61 61 aaaaaa 00F9FC2E 61 61 61 61 61 61 aaaaaa register: EAX = 00F9FC1C EIP = 64636261 Therefore, arbitrary code may be executed by calling eax, replaced a value with attacker supplied arbitrary address. Combined with the vulnerability of ftpsave.dll in SNS Advisory No.28, a remote user can easily launch an attack. Tested version --------------- InterScan VirusWall for Windows NT 3.51J build 1321 Japanese InterScan VirusWall for Windows NT 3.51 build 1321 English Tested on ---------- Windows NT Server 4.0 SP6a Japanese Windows NT Server 4.0 SP6a English Fix information --------------- Trend Micro Japanese support team responded nothing. Until the patch will be released, set up access control to refuse access to servers in which InterScan VirusWall is installed by non-administrative user. Discovered by -------------- Nobuo Miwa (LAC / n-miwaat_private) Disclaimer ----------- All information in this advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information. References ---------- Archive of this advisory: http://www.lac.co.jp/security/english/snsadv_e/31_e.html SNS Advisory No.28(TrendMicro InterScan VirusWall for NT remote configuration Vulnerability) http://www.lac.co.jp/security/english/snsadv_e/28_e.html SNS Advisory: http://www.lac.co.jp/security/english/snsadv_e/ LAC: http://www.lac.co.jp/security/english/ ------------------------------------------------------------------ Secure Net Service(SNS) Security Advisory <snsadvat_private> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 12:06:14 PDT