TrendMicro InterScan WebManager Version 1.2 RegGo.dll Buffer Overflow Vulnerability

From: snsadvat_private
Date: Thu Jun 21 2001 - 03:28:50 PDT


    -----------------------------------------------------------------------
    SNS Advisory No.33
    TrendMicro InterScan WebManager Version 1.2 RegGo.dll Buffer Overflow
    Vulnerability
    
    Problem first discovered: Wed, 06 Jun 2001
    Published: Thu, 21 Jun 2001
    ----------------------------------------------------------------------
    
    Overview
    ---------
      Trend Micro InterScan WebManager is software that provides
      malicious mobile code protection, URL filtering and traffic management.
      A buffer overflow vulnerability exists in RegGo.dll, which is used by
      the web management console feature of InterScan WebManager version 1.2.
      This problem can allow remote users to execute arbitrary commands with
      SYSTEM privileges.
    
    Problem Description
    -------------------
      InterScan WebManager has a feature that provides a management web
      console. RegGo.dll, which is used by this feature, has a buffer overflow
      vulnerability that is triggered when a long parameter is given.
    
      A buffer overflow occurs with the following dump:
    
      00F0FC6C  42 42 42 42  BBBB
      00F0FC70  43 43 43 43  CCCC
      00F0FC74  44 44 44 44  DDDD
      00F0FC78  45 45 45 45  EEEE
    
      EAX = 00F0FC6C
      EIP = 41414141
    
      Therefore, arbitrary code located at 00F0FC6C, the address held in EAX,
      may be executed by a call eax instruction.
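
      As an added example (not part of the advisory), a small log check for
      the condition described above: requests to RegGo.dll carrying an
      unusually long parameter. The log layout, the /cgi-bin/RegGo.dll path,
      the parameter names and the length threshold are assumptions, since the
      advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines: client, method, URL, status.
# Path and parameter names are assumed; the advisory does not name them.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /cgi-bin/RegGo.dll?user=admin&page=1 200",
    "10.0.0.9 GET /cgi-bin/RegGo.dll?user=" + "A" * 80 + " 500",
    "10.0.0.5 GET /index.html 200",
])

MAX_PARAM_LEN = 64  # assumed threshold; console parameters are normally short

def suspicious_params(url, limit=MAX_PARAM_LEN):
    """Return (name, length, single_byte) for RegGo.dll query parameters
    longer than limit. single_byte flags a run of one repeated byte, as
    in the advisory's EIP=41414141 (0x41 = 'A')."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("reggo.dll"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > limit:
            hits.append((name, len(value), len(set(value)) == 1))
    return hits

LOG_RE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})")

def scan_log(text, limit=MAX_PARAM_LEN):
    """Scan log lines; return (client, param, length, single_byte) tuples
    for every suspicious RegGo.dll request found."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        client, _method, url, _status = m.groups()
        for name, length, mono in suspicious_params(url, limit):
            findings.append((client, name, length, mono))
    return findings

if __name__ == "__main__":
    for client, name, length, mono in scan_log(SAMPLE_LOG):
        print("suspicious RegGo.dll request: client=%s param=%s len=%d "
              "single_byte=%s" % (client, name, length, mono))
```

      The threshold only has to sit above the longest value the console
      legitimately sends; a single-byte run of that length is a strong signal
      on its own.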
    
    Tested Version
    --------------
      TrendMicro InterScan WebManager Version 1.2
    
    Tested on
    ---------
      Microsoft Windows NT Server 4.0 + SP6a [English]
    
    Status of fixes
    ---------------
      No patches are available at the moment. The Trend Micro support team
      responded that this problem would be fixed in the next version of
      WebManager, but did not provide any further details.
      Until the patch is released, restrict network access to servers on
      which WebManager is installed.
    
    Discovered by
    -------------
      ARAI Yuu (LAC)  y.araiat_private
    
    Disclaimer
    ----------
      All information in this advisory is subject to change without advance
      notice or mutual consensus, and is released as is. LAC Co.,Ltd. is not
      responsible for any risks or occurrences caused by applying this
      information.
    
    References
    ----------
      Archive of this advisory:
    	http://www.lac.co.jp/security/english/snsadv_e/33_e.html
    
      SNS Advisory:
    	http://www.lac.co.jp/security/english/snsadv_e/
    
      LAC:
    	http://www.lac.co.jp/security/english/
    
    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
    