Bugtraq mailing list archives
Trend Micro InterScan VirusWall Remote Overflow
From: seclabs () NAI COM (NAI Labs)
Date: Thu, 4 May 2000 12:05:10 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________ Network Associates, Inc. COVERT Labs Security Advisory May 4, 2000 Trend Micro InterScan VirusWall Remote Overflow ______________________________________________________________________ o Synopsis An implementation flaw in the InterScan VirusWall SMTP gateway allows a remote attacker to execute code with the privileges of the daemon. RISK FACTOR: HIGH ______________________________________________________________________ o Vulnerable Systems InterScan VirusWall for Windows NT versions prior to and including version 3.32 are vulnerable. ______________________________________________________________________ o Vulnerability Information InterScan VirusWall provides an SMTP gateway which scans all inbound and outbound mail traffic for viruses before forwarding it to an SMTP server. The SMTP gateway implements analysis of standard UU encoding which is used for transmitting binary files over transmission mediums only supporting simple ASCII data. A standard UU encoded file contains a final file name to which the encoded data should be written to. Due to an implementation fault in VirusWall's handling of this file name it is possible for a remote attacker to specify an arbitrarily long string overwriting the stack with user defined data. A filename greater than 128 bytes will allow a remote attacker to execute arbitrary code. Creation of a specially crafted filename allows remote shell access with the privileges of the VirusWall daemon, under Windows NT this is the SYSTEM account. ______________________________________________________________________ o Resolution Trend Micro has corrected this problem in InterScan VirusWall for Windows NT Version 3.4, which is currently available as a beta from: ftp://ftp.antivirus.com/products/beta/ ______________________________________________________________________ o Credits The discovery and documentation of this vulnerability was conducted by Barnaby Jack with the COVERT Labs at PGP Security, a Network Associates business. ______________________________________________________________________ o Contact Information For more information about the COVERT Labs at PGP Security, visit our website at http://www.nai.com/covert or send e-mail to covert () nai com ______________________________________________________________________ o Legal Notice The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Crypto Provided by Network Associates <http://www.nai.com> iQA/AwUBORHJUqF4LLqP1YESEQJbEgCg2NiiJ//A8PIi+IMaWl0oGhopzPMAnRGu 4JsVNpAnSNx8+3UUZNBo4/C/ =/eMq -----END PGP SIGNATURE-----
Current thread:
- ILOVEYOU worm Elias Levy (May 04)
- Formated and commented loveletter. The Hidden (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)
- Alert: Listserv Web Archives (wa) buffer overflow Cerberus Security Team (May 03)
- Reminder: MaxClientRequestBuffer Marc (May 03)
- Internet Security Systems Security Advisory: Vulnerability in Quake3Arena Auto-Download Feature Aleph One (May 03)
- Alert: DMailWeb buffer overflow Cerberus Security Team (May 03)
- Security Bulletins Digest (fwd) Justin Tripp (May 04)
- Aladdin eToken 3.3.3.x Hardware USB Key Private Data Extraction Kingpin (May 04)
- Trend Micro InterScan VirusWall Remote Overflow NAI Labs (May 04)
- How we defaced www.apache.org Peter van Dijk (May 04)
- Re: IL0VEY0U worm Elias Levy (May 04)
- Mac OS X Signature Omachonu Ogali (May 03)
- Re: IL0VEY0U worm Elias Levy (May 05)
- Re: IL0VEY0U worm Elias Levy (May 04)
- Re: ILOVEYOU worm Jaanus Kase (May 04)