Various problems in Trend Micro AppletTrap Script filtering

From: eDvice Security Services (supportat_private)
Date: Sun Jul 29 2001 - 02:13:01 PDT


    Sunday 29 July 2001
    
    Various problems in Trend Micro AppletTrap Script filtering
    ===========================================================
    
    This is a different advisory than the one we posted on July 9
    (http://archives.neohapsis.com/archives/bugtraq/2001-07/0129.html).
    
    Product Background
    ------------------
    Trend Micro AppletTrap is a product for blocking malicious Java applets,
    malicious JavaScript and unsecured ActiveX controls at the gateway. The
    product includes an option for URL filtering.
    
    Scope
    ------
    eDvice recently conducted a test of AppletTrap's ability to filter Scripts
    at the gateway. AppletTrap includes the ability to filter script languages
    (JavaScript, VBScript, and/or all other HTML script languages) from HTML
    code.
    
    The Findings
    --------------
    AppletTrap includes some design and implementation flaws, which allow an
    attacker to bypass restrictions set by the product administrator and
    introduce malicious code into an organization.
    
    Details
    ---------
    We found two problems with AppletTrap's Script filtering mechanism:
    
    1) If filtering is enabled for only one of JavaScript or VBScript (not
    both), then in an HTML page containing a mixture of JavaScript and VBScript
    code, AppletTrap will not filter scripts that should have been filtered by
    policy as long as these scripts appear after a script that is allowed by
    policy.
    For example, if the policy is set to filter only VBScript and not
    JavaScript, then in a page containing a JavaScript and a VBScript, the
    VBScript will not be filtered as long as the JavaScript code comes first.
    
    2) AppletTrap does not recognize and does not filter scripting tags
    constructed using extended Unicode notation. This is the same problem we
    reported in http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html
    (see also http://www.securityfocus.com/bid/2801) for a different product.
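
A sketch of the per-element policy check that finding 1 calls for, added here as an illustration; it is not AppletTrap code and not part of the eDvice advisory. The names `ScriptFilter`, `filter_scripts`, `script_language` and the sample page are hypothetical, and it does not address the encoded-tag problem in finding 2.

```python
from html.parser import HTMLParser

def script_language(attrs):
    """Classify a <script> tag from its language/type attributes."""
    declared = " ".join((v or "").lower() for k, v in attrs if k in ("language", "type"))
    if "vbs" in declared:          # matches "VBScript", "text/vbscript", "VBS"
        return "vbscript"
    return "javascript"            # assumption: undeclared scripts are treated as JavaScript

class ScriptFilter(HTMLParser):
    """Re-emit HTML, dropping every <script> element whose language is blocked."""
    def __init__(self, blocked):
        super().__init__(convert_charrefs=False)
        self.blocked, self.out, self.dropping = set(blocked), [], False

    def emit(self, text):
        if not self.dropping:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # Verdict is computed per element; an earlier allowed script never carries over.
            self.dropping = script_language(attrs) in self.blocked
        self.emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.emit(f"</{tag}>")     # suppressed while a blocked script is being dropped
        if tag == "script":
            self.dropping = False

    def handle_data(self, data): self.emit(data)
    def handle_entityref(self, name): self.emit(f"&{name};")
    def handle_charref(self, name): self.emit(f"&#{name};")
    def handle_comment(self, data): self.emit(f"<!--{data}-->")
    def handle_decl(self, decl): self.emit(f"<!{decl}>")

def filter_scripts(html, blocked):
    f = ScriptFilter(blocked)
    f.feed(html)
    f.close()
    return "".join(f.out)

# Constructed sample: the ordering from finding 1 (allowed JavaScript first, VBScript second).
PAGE = ('<html><body><script language="JavaScript">var a = 1;</script>'
        '<p>text</p><script language="VBScript">MsgBox "x"</script></body></html>')
```

An unterminated blocked script leaves the filter in the dropping state, so the rest of the page is removed rather than passed through.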
    
    Version Tested
    ---------------
    AppletTrap 2.0
    
    Status and solution
    --------------------
    Trend Micro has confirmed these vulnerabilities and will address them in
    version 2.5.
    
    
    Discovered by eDvice on 11 July 2001.
    http://www.edviceSecurity.com
    Supportat_private
    


