[SNS Advisory No.31] Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll Buffer Overflow Vulnerability

From: SNS Advisory (snsadvat_private)
Date: Tue Jun 12 2001 - 21:44:06 PDT

    SNS Advisory No.31
    Trend Micro InterScan VirusWall for Windows NT 3.51 FtpSaveC*P.dll
    Buffer Overflow Vulnerability
    
    Problem first discovered: 30 May 2001
    Published: 13 Jun 2001 
    Last Updated: 13 Jun 2001 
    ----------------------------------------------------------------------
    
    Overview
    ---------
    A buffer overflow vulnerability was found in two administrative programs
    of InterScan VirusWall for Windows NT, FtpSaveCSP.dll and FtpSaveCVP.dll.
    It allows a remote user to execute arbitrary commands with SYSTEM
    privileges.
    
    Problem Description
    --------------------
    If a long string is written into a certain configuration parameter by
    exploiting the vulnerability reported in SNS Advisory No.28, a buffer
    overflow occurs when the following DLL(s) are viewed:
    
      http://server/interscan/cgi-bin/FtpSaveCSP.dll
      http://server/interscan/cgi-bin/FtpSaveCVP.dll
    
    The buffer overflow produces the following dump (Japanese version):
    
      00F9FC04  4F 50 50 50 51 51  OPPPQQ
      00F9FC0A  51 52 52 52 53 53  QRRRSS
      00F9FC10  53 54 54 54 55 55  STTTUU
      00F9FC16  55 56 61 62 63 64  UVabcd
      00F9FC1C  57 58 58 58 59 59  WXXXYY
      00F9FC22  59 5A 5A 5A 61 61  YZZZaa
      00F9FC28  61 61 61 61 61 61  aaaaaa
      00F9FC2E  61 61 61 61 61 61  aaaaaa
    
    Registers:
    
      EAX = 00F9FC1C  EIP = 64636261
    
    EIP holds 64636261, the bytes 61 62 63 64 ("abcd") from the supplied
    string, so the value is attacker-controlled. Therefore, arbitrary code
    may be executed by replacing that value with an attacker-supplied
    address and calling EAX.
    Combined with the ftpsave.dll vulnerability in SNS Advisory No.28, a
    remote user can easily launch an attack.
    
    Tested version
    ---------------
      InterScan VirusWall for Windows NT 3.51J build 1321 Japanese
      InterScan VirusWall for Windows NT 3.51  build 1321 English
    
    Tested on
    ----------
      Windows NT Server 4.0 SP6a Japanese
      Windows NT Server 4.0 SP6a English
    
    Fix information
    ---------------
    The Trend Micro Japanese support team did not respond.
    Until a patch is released, set up access control so that
    non-administrative users cannot access servers on which InterScan
    VirusWall is installed.
    
    Discovered by
    --------------
    Nobuo Miwa (LAC / n-miwaat_private)
    
    Disclaimer
    -----------
    All information in these advisories is subject to change without
    advance notice or mutual consensus, and each advisory is released
    as is. LAC Co.,Ltd. is not responsible for any risks arising from
    applying this information.
    
    References
    ----------
    Archive of this advisory:
    	http://www.lac.co.jp/security/english/snsadv_e/31_e.html
    
    SNS Advisory No.28(TrendMicro InterScan VirusWall for NT remote
    configuration Vulnerability)
    
    	http://www.lac.co.jp/security/english/snsadv_e/28_e.html
    
    SNS Advisory:
    	http://www.lac.co.jp/security/english/snsadv_e/
    
    LAC:
    	http://www.lac.co.jp/security/english/
    
    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
    


