Bypassing TrendMicro InterScan VirusWall

From: Vincent Royer (vroyerat_private)
Date: Thu Sep 12 2002 - 08:13:49 PDT


    Bypassing TrendMicro InterScan VirusWall

    Overview

    According to our tests, TrendMicro VirusWall can be bypassed when using:

    * HTTP 1.1 chunked transfer encoding.
    * HTTP 1.0 gzip content encoding (Windows platforms only).
    Description
    While HTTP/1.0 includes the Content-Encoding header, which indicates the
    end-to-end content-coding(s) used for a message, HTTP/1.1 adds the
    Transfer-Encoding header, which indicates the hop-by-hop transfer-coding(s)
    used for a message. Thus, compression can be done either as a
    content-encoding or as a transfer-encoding.

    The gzip Content Encoding

    Downloading a zipped file doesn't mean that the gzip content-encoding is
    used. In this case you will get a response whose content-type is
    application/zip (see zip-file.txt trace). In the following examples, our
    web server is configured to use the gzip content-encoding.

    The Chunked Transfer Encoding

    With the HTTP 1.1 chunked transfer encoding, the sender breaks the message
    body into chunks of arbitrary length, and each chunk is sent with its
    length prepended. The chunked transfer encoding is used when the HTTP
    server does not know the response message length, which is always the case
    when using gzip compression.

    Proxy chaining may use HTTP 1.1 when:

    * your MS Internet Explorer is configured to use it (see advanced options)
    * your proxy chaining architecture requires HTTP 1.1 for performance
      reasons
    Vulnerable systems
    * InterScan VirusWall 3.6 on RedHat 7.0 is vulnerable to chunked transfer
      encoding.
    * InterScan VirusWall 3.52 on Windows is vulnerable to both chunked
      transfer encoding and gzip content encoding.
    Impact
    Although TrendMicro InterScan VirusWall 3.x is not supposed to support HTTP
    1.1, malicious files are correctly blocked over HTTP 1.1 without the
    chunked transfer encoding. So, many users are probably using HTTP 1.1,
    leaving their systems vulnerable to virus or trojan attacks.

    Windows users may download any virus located on a web server that uses the
    HTTP 1.0 gzip content encoding.
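The two encodings described above, and the reason a scanner that pattern-matches on the wire bytes misses the file, as an added example that is not part of the original advisory and is not TrendMicro's code: a small Python normalizer that removes the chunked transfer-coding and then the gzip content-coding before the body is inspected, side by side with the naive raw-bytes match. The MARKER string, the server responses and the 7-byte chunk size are constructed for the demonstration; the decoders follow RFC 2616 and the standard library's gzip/zlib modules.

```python
import gzip
import zlib

# Constructed marker standing in for a signature the scanner looks for.
MARKER = b"SAMPLE-SIGNATURE-MARKER"


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (RFC 2616 section 3.6.1).

    Wire form: "<hex size>[;ext]\r\n<data>\r\n" repeated, then "0\r\n",
    optional trailer headers and a final CRLF.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; trailers, if any, are not part of the body
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    return bytes(out)


def decode_content(body: bytes, content_encoding: str) -> bytes:
    """Undo the end-to-end Content-Encoding so signatures see plaintext."""
    enc = content_encoding.strip().lower()
    if enc in ("", "identity"):
        return body
    if enc in ("gzip", "x-gzip"):
        return gzip.decompress(body)
    if enc == "deflate":
        return zlib.decompress(body)
    # Unknown coding: fail closed rather than scan opaque bytes.
    raise ValueError("unsupported Content-Encoding: " + content_encoding)


def parse_response(raw: bytes):
    """Split a raw HTTP response into status line, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def normalize_body(raw: bytes) -> bytes:
    """Return the body as the browser will see it.

    Order matters: Transfer-Encoding is hop-by-hop and is removed first (it
    also takes precedence over any Content-Length), then Content-Encoding.
    """
    _, headers, body = parse_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(body)
    return decode_content(body, headers.get("content-encoding", ""))


def scan(raw: bytes, signature: bytes) -> dict:
    """Compare a byte-stream matcher on the wire data with one on the
    normalized body; the gap between the two is the bypass in the advisory."""
    return {"raw": signature in raw,
            "normalized": signature in normalize_body(raw)}


def build_response(payload: bytes, chunked: bool, gzipped: bool,
                   chunk_size: int = 7) -> bytes:
    """Constructed server response (not a real capture) for the four cases."""
    body = gzip.compress(payload, mtime=0) if gzipped else payload
    lines = [b"HTTP/1.1 200 OK" if chunked else b"HTTP/1.0 200 OK",
             b"Content-Type: application/octet-stream"]
    if gzipped:
        lines.append(b"Content-Encoding: gzip")
    if chunked:
        lines.append(b"Transfer-Encoding: chunked")
        pieces = [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]
        wire = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"
    else:
        lines.append(b"Content-Length: %d" % len(body))
        wire = body
    return b"\r\n".join(lines) + b"\r\n\r\n" + wire


if __name__ == "__main__":
    payload = b"benign content " + MARKER + b" more content"
    for chunked, gzipped in ((False, False), (True, False), (False, True), (True, True)):
        result = scan(build_response(payload, chunked, gzipped), MARKER)
        print(f"chunked={chunked!s:5} gzip={gzipped!s:5} -> {result}")
```

Run stand-alone, the plain HTTP/1.0 response is the only one where the raw match and the normalized match agree; with chunking the marker is cut by a chunk-size line, and with gzip it is not present in the wire bytes at all, so a proxy that does not decode both layers before scanning has nothing to match on. The decoding order mirrors what the receiving browser does, which is the behaviour a scanning proxy has to reproduce.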
    Solutions
    * Use HTTP 1.0 for proxy chaining.
    * According to TrendMicro, InterScan VirusWall version 5 should support
      HTTP 1.1 chunked transfer encoding and is not vulnerable.
    Test it

    If you are protected by TrendMicro InterScan VirusWall, you can test it
    on http://www.althes.fr/virustest/index.html
    
    Regards,
    Vincent Royer
    Althes.



    This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 09:13:57 PDT