OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: eEye Digital Security (eeyeEEYE.COM)
Date: Fri Apr 13 2001 - 06:33:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Trend Micro Interscan VirusWall 3.01 vulnerability

    Release Date:
    April 12, 2001

    Systems Affected:
    Linux Systems with Interscan VirusWall 3.01 (and most likely older versions)
    Remote Administration Enabled. Other Unix variants are most likely
    vulnerable also.

    Description:
    A combination of bugs found in the ISADMIN service that would allow an
    attacker to remotely compromise a system running Trend Micro Interscan
    Viruswall 3.01. Notice, file paths may change between various distributions
    so they may not be totally accurate.

    Vulnerability #1

    The first bug is in the web-server configuration of ISADMIN, which runs CERN
    httpd v3.0 on port 1812 by default.

    --------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------Protection
    SCRIPTS {
    UserID root
    GroupID sys
    AuthType Basic
    ServerID redhat.example.com
    PassWdfile /etc/iscan/.htpasswd
    GroupFile /opt/trend/ISADMIN/config/group
    GET-Mask admin
    }

    Protect /*.cgi SCRIPTS

    Exec /* /opt/trend/ISADMIN/cgi-bin/*
    --------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------

    Here we find that all files with .cgi extension are protected, so only
    authorized users can access them. Unfortunately there are several utilities
    in this directory that don’t have a .cgi extension.

    ls –al /opt/trend/ISADMIN/cgi-bin/

    -r-xr-xr-x 1 root root 1804 Feb 25 03:05 about
    -r-xr-xr-x 1 root root 28859 Feb 25 03:05 anti_spamadd.cgi
    -r-xr-xr-x 1 root root 27269 Feb 25 03:05 anti_spamedit.cgi
    -r-xr-xr-x 1 root root 30052 Feb 25 03:05 anti_spamtable.cgi
    -r-xr-xr-x 1 root root 37440 Feb 25 03:05 antivir
    -r-xr-xr-x 1 root root 3148 Feb 25 03:05 arglist
    -rwxr-xr-x 1 root root 12421 Apr 12 12:48 catinfo

    This line allows us to exec those files without .cgi extensions:
    Exec /* /opt/trend/ISADMIN/cgi-bin/*

    Vulnerability #2

    While auditing the binaries in /opt/trend/ISADMIN/cgi-bin/ we came to the
    conclusion that if it accepts input, it is probably exploitable.

    Example:
    http://server:1812/catinfo?4500xA
    The above request will cause a buffer overflow to take place. catinfo does
    toupper() and CERN doesn’t like certain values. We were able to remotely
    execute commands as root using this vulnerability.

    Proof of Concept:
    Posted to eEye website shortly.

    Vendor Status:
    Upon contacting Trend Micro we were informed that their latest version 3.6
    was not vulnerable to this flaw. For more information visit:
    http://www.antivirus.com/

    Greetings:
    ADM, KAM, SPK, Lamagra, Zen-Parse, Loki, and Teso.

    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alerteEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    infoeEye.com