OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: snsadvlac.co.jp
Date: Wed Sep 12 2001 - 01:01:24 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ----------------------------------------------------------------------
    SNS Advisory No.42
    Trend Micro InterScan eManager for NT Multiple Program Buffer Overflow Vulnerability

    Problem first discovered: Fri, 27 Jul 2001
    Published: Wed, 12 Sep 2001
    ----------------------------------------------------------------------

    Overview:
    ---------
      Trend Micro InterScan eManager for NT contains buffer overflow
      vulnerability. It may allow an attacker to execute arbitrary codes
      remotely with Local System context.

    Problem Description:
    --------------------
      InterScan eManager is a pug-in software for InterScan VirusWall,
      both developed by Trend Micro. It provides SPAM filtering, content
      filtering, and Web-based management console. Some CGI programs, which
      are used by this Web-based management console, contain buffer overflow
      vulnerability. It may allow an attacker to execute arbitrary codes
      remotely with Local System context. Actually, the Web-based console
      of InterScan eManager doesn't have authentication method, which is
      used for confirmation of administrator. This can lead an attacker
      to reconfigure its settings, and will cause major complications.

      Exploitable CGI programs:
      /eManager/cgi-bin/register.dll
      /eManager/Content%20Management/ContentFilter.dll
      /eManager/Content%20Management/SFNofitication.dll
      /eManager/Email%20Management/cgi-bin/register.dll
      /eManager/Email%20Management/cgi-bin/TOP10.dll
      /eManager/Email%20Management/cgi-bin/SpamExcp.dll
      /eManager/Email%20Management/cgi-bin/spamrule.dll

    Tested Version:
    ---------------
      InterScan eManager for NT Ver.3.51
      InterScan eManager for NT Ver.3.51J

    Tested OS:
    ----------
      Windows NT 4.0 Server + SP6a [English]
      Windows NT 4.0 Server + SP6a [Japanese]

    Patch Information:
    ------------------
      A patch to fix this issue for InterScan eManager for NT Ver.3.51J is
      available below URL:
      
      http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3142

      A patch for InterScan eManager for NT Ver.3.51 is to be released.

    Workarounds:
    ------------
      Workarounds listed below will minimize the vulnerability.

      1. If Web-based console is not necessary, remove /eManager virtual
         directory with the use of Internet Service Manager.

      2. Enable NTLM authentication with the use of Internet Service
         Manager. It will provide restrict access to Web-based console.

      3. Restrict untrustworthy host's access to Web-based console with
         the use of Firewall, and so on.

    Discovered by:
    --------------
      ARAI Yuu (LAC) y.arailac.co.jp

    Disclaimer:
    -----------
      All information in these advisories are subject to change without any
      advanced notices neither mutual consensus, and each of them is released
      as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
      caused by applying those information.

    References:
    -----------
      Archive of this advisory:
      http://www.lac.co.jp/security/english/snsadv_e/42_e.html

    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvlac.co.jp>
    Computer Security Laboratory, LAC http://www.lac.co.jp/security/