[SNS Advisory No.36] TrendMicro InterScan WebManager Version 1.2 HttpSave.dll Buffer Overflow Vulnerability

From: snsadvat_private
Date: Sun Jul 01 2001 - 23:16:08 PDT


    -----------------------------------------------------------------------
    SNS Advisory No.36
    TrendMicro InterScan WebManager Version 1.2 HttpSave.dll Buffer Overflow
    Vulnerability
    
    Problem first discovered: Mon, 11 Jun 2001
    Published: Mon, 2 Jul 2001
    ----------------------------------------------------------------------
    
    Overview
    ---------
      Trend Micro InterScan WebManager is software that provides
      malicious mobile code protection, URL filtering and traffic management.
      A buffer overflow vulnerability exists in HttpSave.dll, which is used by
      the web management console feature in InterScan WebManager version 1.2.
      This problem can allow remote users to execute arbitrary commands with
      SYSTEM privileges.
    
    Problem Description
    -------------------
      InterScan WebManager has a feature that provides a web management
      console. HttpSave.dll, which is used for this feature, has a buffer
      overflow when a long value is given to a certain parameter.
    
      The following dump shows the buffer overflow:
    
      00ECFAF0  4F 4F 4F 4F  OOOO
      00ECFAF4  50 50 50 50  PPPP
      00ECFAF8  51 51 51 51  QQQQ
      00ECFAFC  52 52 52 52  RRRR
      00ECFB00  53 53 53 53  SSSS
      00ECFB04  54 54 54 54  TTTT
    
      EAX = 00ECFAF4
      EIP = 4F4F4F4F
    
      Therefore, arbitrary code located at address 00ECFAF4 may be executed
      by calling eax.
    
    Tested Version
    --------------
      TrendMicro InterScan WebManager Version 1.2
    
    Tested on
    ---------
      Microsoft Windows NT Server 4.0 + SP6a [English]
    
    Status of fixes
    ---------------
      No patches are available at this moment. The Trend Micro support team
      responded that this problem would be fixed in the next version of
      WebManager. Until the patch is released, we recommend restricting
      access to servers.
    
    Discovered by
    -------------
      ARAI Yuu (LAC)  y.araiat_private
    
    Disclaimer
    ----------
      All information in these advisories is subject to change without
      advance notice or mutual consensus, and each advisory is
      released as is. LAC Co., Ltd. is not responsible for any risks
      arising from applying this information.
    
    References
    ----------
      Archive of this advisory:
    	http://www.lac.co.jp/security/english/snsadv_e/36_e.html
    
    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
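
The Problem Description reasons from two facts in the crash state: EIP holds bytes taken from the overwritten region, and EAX points into that region. The following crash-triage sketch is an added example, not part of the original advisory or LAC's tooling; it parses the advisory's dump and register values and checks both facts. The function names and the `findings` keys are illustrative assumptions.

```python
import re
import struct

# Dump and register values copied from the advisory's Problem Description.
DUMP = """\
00ECFAF0  4F 4F 4F 4F  OOOO
00ECFAF4  50 50 50 50  PPPP
00ECFAF8  51 51 51 51  QQQQ
00ECFAFC  52 52 52 52  RRRR
00ECFB00  53 53 53 53  SSSS
00ECFB04  54 54 54 54  TTTT
"""
REGS = {"EAX": 0x00ECFAF4, "EIP": 0x4F4F4F4F}

def parse_dump(text):
    """Return {address: 4 raw bytes} for each 'ADDR  XX XX XX XX  ascii' line."""
    mem = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s){4})", line)
        if m:
            mem[int(m.group(1), 16)] = bytes.fromhex(m.group(2))
    return mem

def triage(mem, regs):
    """Classify the crash from the two facts the advisory relies on."""
    lo, hi = min(mem), max(mem) + 4
    findings = {}
    # x86 is little-endian: EIP as it would have been laid out in memory.
    eip_bytes = struct.pack("<I", regs["EIP"])
    # Dumped addresses whose contents equal the faulting EIP value.
    findings["eip_from_dump"] = [a for a, b in mem.items() if b == eip_bytes]
    # An all-printable EIP is typical of text input overwriting a return address.
    findings["eip_printable"] = all(0x20 <= c < 0x7F for c in eip_bytes)
    # Registers whose value is an address inside the overwritten region.
    findings["regs_into_region"] = sorted(
        r for r, v in regs.items() if r != "EIP" and lo <= v < hi)
    findings["pc_control"] = (bool(findings["eip_from_dump"])
                              and findings["eip_printable"])
    return findings

if __name__ == "__main__":
    for key, value in triage(parse_dump(DUMP), REGS).items():
        print(key, value)
```

A crash that reports `pc_control` as true together with a register pointing into the overwritten region matches the condition the advisory describes and should be prioritized accordingly.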
    


