Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Subject: Trend Micro InterScan VirusWall Remote Overflow
From: NAI Labs (seclabsNAI.COM)
Date: Thu May 04 2000 - 14:05:57 CDT
- Next message: Steve Halligan: "Microsoft Publishes Kerberos format"
- Previous message: Mazeland, Siebrand: "'ILOVEYOU' script worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----BEGIN PGP SIGNED MESSAGE-----
Network Associates, Inc.
COVERT Labs Security Advisory
May 4, 2000
Trend Micro InterScan VirusWall Remote Overflow
An implementation flaw in the InterScan VirusWall SMTP gateway allows
a remote attacker to execute code with the privileges of the daemon.
RISK FACTOR: HIGH
o Vulnerable Systems
InterScan VirusWall for Windows NT versions prior to and including
version 3.32 are vulnerable.
o Vulnerability Information
InterScan VirusWall provides an SMTP gateway which scans all inbound
and outbound mail traffic for viruses before forwarding it to an SMTP
server. The SMTP gateway implements analysis of standard UU encoding
which is used for transmitting binary files over transmission mediums
only supporting simple ASCII data.
A standard UU encoded file contains a final file name to which the
encoded data should be written to. Due to an implementation fault in
VirusWall's handling of this file name it is possible for a remote
attacker to specify an arbitrarily long string overwriting the stack
with user defined data. A filename greater than 128 bytes will allow
a remote attacker to execute arbitrary code.
Creation of a specially crafted filename allows remote shell access
with the privileges of the VirusWall daemon, under Windows NT this is
the SYSTEM account.
Trend Micro has corrected this problem in InterScan VirusWall for
Windows NT Version 3.4, which is currently available as a beta from:
The discovery and documentation of this vulnerability was conducted
by Barnaby Jack with the COVERT Labs at PGP Security, a Network
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covertnai.com
o Legal Notice
The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc. It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.
Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries. All other registered and unregistered
trademarks in this document are the sole property of their respective
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>
-----END PGP SIGNATURE-----