OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ichinose Sayo (ichinoseLAC.CO.JP)
Date: Thu Mar 29 2001 - 20:29:54 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,

    I found a vulnerability in the feature of virus scan for e-mail in
    Virus Buster 2001(program version 8.02) from Trend Micro Inc.

    Virus Buster 2001 is a japanese software package that has similar
    functions of PC-cillin 2000 such as eMail Virus Scanning and Browser
    Scanning(scanning web contents).

    The feature of virus scan for e-mail in this software, called "eMail
    Virus Scanning" on PC-cillin, is used not to receive e-mail including
    virus by scanning every e-mail whenever MUA (Mail User Agent) imports
    e-mail by using POP3 protocol.

    The function is running as a proxy between MUA and MRA (Mail Retrieval
    Agent) as well.

    Problem Description
    -------------------

    The buffer overflow occurs when MUA received email with the header
    defined in RFC 822 including unusually long strings.
    As a result, the user of this software is not able to receive any
    e-mail(s) more. An attacker could use this vulnerability to execute
    arbitrary commands.

    A restart of the computer is required in order to gain normal
    functionality.

    Example of Issue:
    From: aaaaaaaaaa(about 17,000 characters)aaaaaaaaa
    To: ichinoselac.co.jp
    Date: Fri, 23 Mar 2001 16:07:23 +0900
    Subject: TEST
    I've seen at all.

    Tested Version of Virus Buster
    ------------------------------
    Virus Buster 2001 (Japanese)
    Program Version 8.02

    Tested on
    ---------
    Windows 2000 Professional(Japanese)

    Status of fixes
    ----------------

    This problem does not affect the program version 8.03.
    You can update to the program version 8.03 by using the feature of
    automatically updating software called intelligent update.

    The problem is almost the same as the vulnerability exists in the
    program version 8.00 except the place which buffer overflow occurs.
    This vulnerability does not exist in the version 8.01 but it is strongly
    recommended to upgrade to the version 8.03 if you use the version 8.02
    or earlier because the version 8.01 has *yet* another buffer overflow
    vulnerability by receiving an e-mail message including unusually long
    MIME Boundary.

    Required conditions for updating are:
    1) using product version as registered user.
    2) Updating the software with intelligent update.
       (License key is necessary to do this.)

    Also, the Service Pack to fix this issue is available from:

    http://www.trendmicro.co.jp/homeuser/download/vb2001sp3.htm
    (Japanese only; the program will be updated to 8.03.)

    Web site that shows reproducing this vulnerability is available from:

    http://www.lac.co.jp/security/english/test/virusbuster_header.html

    Vendor Information
    -------------------

    Trend Micro Inc.: http://www.trendmicro.com/
    Trend Micro Inc.(Japan): http://www.trendmicro.co.jp/ 

    ----
Sayo Ichinose<ichinoselac.co.jp>
Computer Security Laboratory
LAC Co.,Ltd.
http://www.lac.co.jp/security/