Bugtraq mailing list archives
Trend Micro InterScan VirusWall SMTP bug
From: asl () USA ALCATEL COM (asl () USA ALCATEL COM)
Date: Mon, 27 Dec 1999 17:01:38 -0600
Alcatel Security Advisory
InterScan VirusWall SMTP bug
12/27/99
Affected Systems
----------------
Trend Micro's InterScan VirusWall version 3.0.1 for Solaris.
Severity
--------
The NewApt Worm is currently exploiting this bug to avoid detection.
Synopsis
---------
By sending an SMTP message with a malformed attachment, it is possible
for malicious code to avoid detection by Trend Micro's InterScan SMTP
scanner version 3.0.1 for Solaris. Other versions may be affected as
well, but were not tested.
Description
-----------
RFC2045 describes the number of padding characters needed at the end
of a base64 encoded MIME attachment. InterScan VirusWall does not
properly handle incorrectly padded attachments. Upon receiving such
an attachment, InterScan fails to scan the attachment properly and
the message is allowed to pass through; however, InterScan does log
the following message to its system logs:
    base64: Unexpected EOF seen
Note: This modification of the padding does not appear to affect
mail clients such as Netscape Communicator.
Example
-------
We noticed this bug while testing the product with live viruses.
The NewApt Worm replicates by replying to emails in the victim's
mailbox. The above error message was a clear indication
that this particular attachment was problematic. It was determined
that an extra "=" character at the end of the base64 encoding was
the cause of the problem. Further investigation revealed that if
the correct number of "=" characters (as per RFC2045) were not
present, InterScan failed to catch the virus. This was tested
with several other viruses such as Melissa and Shankar.
To exploit this vulnerability, create a new message with the virus
of your choice attached. Save this message to your local disk.
Edit the message and add any number of "=" characters to the
end of the base64 encoded attachment. This message will now pass
through the InterScan VirusWall, and the virus will remain
undetected and intact.
Patch
-----
Trend Micro has posted a fix for this bug. The patch can be
downloaded from the following URL:
http://www.antivirus.com/download/patches.htm
The patch is titled isvwsol301a_u2.tar
References
---------
Trend Micro
http://www.trend.com
RFC2045
ftp://ftp.isi.edu/in-notes/rfc2045.txt
NewApt Worm Advisory
http://vil.nai.com/vil/wm10475.asp
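
Added example, not part of the original advisory and not Trend Micro's code: a strict RFC2045 padding check over the base64 parts of a message, so that a gateway can hold a part its decoder would give up on instead of passing it unscanned. The function names, the sample message and its harmless "hello" payload are constructed for illustration.

```python
import email
import re

# Base64 alphabet followed by at most two "=" pad characters, nothing after them.
B64_BODY = re.compile(r"[A-Za-z0-9+/]*={0,2}")

def padding_problem(encoded):
    """Return None for a well-formed base64 body, else a short reason string."""
    data = "".join(encoded.split())  # line breaks inside the body are legal
    if not B64_BODY.fullmatch(data):
        return "unexpected '=' or non-alphabet character"
    if len(data) % 4 != 0:
        return "length is not a multiple of 4"
    return None

def malformed_parts(raw_message):
    """Return (filename, reason) for each base64 part with bad padding."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue
        reason = padding_problem(part.get_payload())
        if reason:
            # Policy assumption: hold the message rather than deliver a part
            # that the scanner's decoder may not have read to the end.
            findings.append((part.get_filename() or "(unnamed)", reason))
    return findings

def sample_message(b64_body):
    """Constructed test message; the attachment decodes to the text 'hello'."""
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nsee attachment\n"
        "--b1\nContent-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="sample.bin"\n'
        "\n" + b64_body + "\n--b1--\n"
    )

if __name__ == "__main__":
    for body in ("aGVsbG8=", "aGVsbG8==", "aGVsbG8==="):
        print(body, malformed_parts(sample_message(body)))
```

The check is deliberately stricter than the mail clients mentioned in the Description, which still decode such attachments; that mismatch between scanner and client is what this bug relies on.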
