Bugtraq mailing list archives

[SNS Advisory No.40] TrendMicro OfficeScan Corp Edition ver.3.54 Remote read file of IUSER authority Vulnerability


From: snsadv () lac co jp
Date: Fri, 24 Aug 2001 18:55:39 +0900

----------------------------------------------------------------------
SNS Advisory No.40
TrendMicro OfficeScan Corp Edition ver.3.54 Remote read file of IUSER authority Vulnerability

Problem first discovered: 21 Aug 2001
Published: Fri, 24 Aug 2001
----------------------------------------------------------------------

Overview
--------
Trend Micro OfficeScan Corp Edition ver.3.54 contains a vulnerability which allows attackers to read arbitrary files 
with IUSER privilege.


Problem Description 
-------------------
Trend Micro OfficeScan Corp Edition is antivirus software for enterprise use. It provides central virus reporting,
automatic virus pattern updates, and a Web-based remote management console. The vulnerability lies in cgiWebupdate.exe,
one of the CGI programs used for remote management. This problem can allow remote users to read arbitrary
files with IUSER privilege.


Tested Version 
--------------
Trend Micro OfficeScan Corp Edition Version 3.54

Tested OS
---------
Windows 2000 Server

Patch Information
-----------------
The same vulnerability exists in the Japanese version. There is a Japanese version of a patch for this vulnerability,
which can be applied to any other version. The patch is available from the following site:

 http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionId=3086

Discovered by:
--------------
Nobuo Miwa (LAC / n-miwa () lac co jp)

Disclaimer:
-----------
All information in these advisories is subject to change without
advance notice or mutual consensus, and each advisory is released
as is. LAC Co., Ltd. is not responsible for any risks arising
from applying this information.

References
----------
Archive of this advisory (in preparation now):
        http://www.lac.co.jp/security/english/snsadv_e/40_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv () lac co jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

