Trend Micro Interscan VirusWall 3.01 vulnerability
Release Date:
April 12, 2001
Systems Affected:
Linux systems running Interscan VirusWall 3.01 (and most likely older versions)
with remote administration enabled. Other Unix variants are most likely
vulnerable as well.
Description:
A combination of bugs in the ISADMIN service allows an attacker to remotely
compromise a system running Trend Micro Interscan VirusWall 3.01. Note that
file paths may differ between distributions, so the paths given here may not
be exact.
Vulnerability #1
The first bug is in the web-server configuration of ISADMIN, which runs CERN
httpd v3.0 on port 1812 by default.
--------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------
Protection SCRIPTS {
    UserID root
    GroupID sys
    AuthType Basic
    ServerID redhat.example.com
    PassWdfile /etc/iscan/.htpasswd
    GroupFile /opt/trend/ISADMIN/config/group
    GET-Mask admin
}
Protect /*.cgi SCRIPTS
…
Exec /* /opt/trend/ISADMIN/cgi-bin/*
--------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------
Here we find that all files with a .cgi extension are protected, so only
authorized users can access them. Unfortunately, there are several utilities
in this directory that don't have a .cgi extension.
ls -al /opt/trend/ISADMIN/cgi-bin/
-r-xr-xr-x 1 root root 1804 Feb 25 03:05 about
-r-xr-xr-x 1 root root 28859 Feb 25 03:05 anti_spamadd.cgi
-r-xr-xr-x 1 root root 27269 Feb 25 03:05 anti_spamedit.cgi
-r-xr-xr-x 1 root root 30052 Feb 25 03:05 anti_spamtable.cgi
-r-xr-xr-x 1 root root 37440 Feb 25 03:05 antivir
-r-xr-xr-x 1 root root 3148 Feb 25 03:05 arglist
-rwxr-xr-x 1 root root 12421 Apr 12 12:48 catinfo
This line allows those files without a .cgi extension to be executed
without passing through the SCRIPTS protection:
Exec /* /opt/trend/ISADMIN/cgi-bin/*
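The mismatch between the Protect and Exec rules can be checked mechanically. The
following script is an added example, not part of the advisory or of Trend
Micro's product: it parses the Protect/Exec lines from the excerpt above, maps
each executable in the cgi-bin listing to the URL the Exec rule exposes it on,
and reports those that no Protect pattern covers. It assumes CERN httpd's
template matching behaves like shell wildcard matching (fnmatch) and that
"Protect /* SCRIPTS" is an acceptable hardened rule; both are assumptions made
here, not statements from the advisory.

```python
import fnmatch

# Constructed reproduction of the httpd.conf excerpt quoted in the advisory.
HTTPD_CONF = """\
Protection SCRIPTS {
UserID root
GroupID sys
AuthType Basic
ServerID redhat.example.com
PassWdfile /etc/iscan/.htpasswd
GroupFile /opt/trend/ISADMIN/config/group
GET-Mask admin
}
Protect /*.cgi SCRIPTS
Exec /* /opt/trend/ISADMIN/cgi-bin/*
"""

# Constructed directory listing; the file names are the ones the advisory lists.
CGI_BIN_LISTING = """\
-r-xr-xr-x 1 root root 1804 Feb 25 03:05 about
-r-xr-xr-x 1 root root 28859 Feb 25 03:05 anti_spamadd.cgi
-r-xr-xr-x 1 root root 27269 Feb 25 03:05 anti_spamedit.cgi
-r-xr-xr-x 1 root root 30052 Feb 25 03:05 anti_spamtable.cgi
-r-xr-xr-x 1 root root 37440 Feb 25 03:05 antivir
-r-xr-xr-x 1 root root 3148 Feb 25 03:05 arglist
-rwxr-xr-x 1 root root 12421 Apr 12 12:48 catinfo
"""

# Assumed hardened variant: protect every URL the Exec rule can reach.
HARDENED_CONF = HTTPD_CONF.replace("Protect /*.cgi SCRIPTS", "Protect /* SCRIPTS")


def parse_rules(conf):
    """Return (protect_patterns, exec_rules) from Protect and Exec lines.
    The Protection {...} block is skipped; only the URL templates matter here."""
    protect, execs = [], []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "Protect":
            protect.append(parts[1])
        elif len(parts) >= 3 and parts[0] == "Exec":
            execs.append((parts[1], parts[2]))
    return protect, execs


def executables_from_listing(listing):
    """Names of entries with any execute bit set in an `ls -l` style listing."""
    names = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 9 and "x" in fields[0][1:]:
            names.append(fields[-1])
    return names


def url_for(name, exec_rules):
    """Map a file in the Exec target directory to the URL that reaches it,
    e.g. `Exec /* /opt/.../cgi-bin/*` maps `catinfo` to `/catinfo`.
    Only trailing-wildcard templates are handled (assumption of this example)."""
    for url_tmpl, dir_tmpl in exec_rules:
        if url_tmpl.endswith("*") and dir_tmpl.endswith("*"):
            return url_tmpl[:-1] + name
    return None


def unprotected_executables(conf, listing):
    """URLs of executables reachable via Exec that no Protect pattern covers."""
    protect, execs = parse_rules(conf)
    exposed = []
    for name in executables_from_listing(listing):
        url = url_for(name, execs)
        if url is None:
            continue
        # fnmatch stands in for CERN httpd's template matching (assumption).
        if not any(fnmatch.fnmatchcase(url, pat) for pat in protect):
            exposed.append(url)
    return exposed


if __name__ == "__main__":
    print("exposed with shipped config: ", unprotected_executables(HTTPD_CONF, CGI_BIN_LISTING))
    print("exposed with hardened config:", unprotected_executables(HARDENED_CONF, CGI_BIN_LISTING))
```

With the shipped excerpt the check reports /about, /antivir, /arglist and
/catinfo as reachable without authentication; with the Protect rule widened to
cover every URL under the Exec template it reports nothing. The same check can
be run against a live installation by substituting the real httpd.conf and the
output of ls -l on the cgi-bin directory.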
Vulnerability #2
While auditing the binaries in /opt/trend/ISADMIN/cgi-bin/ we came to the
conclusion that if it accepts input, it is probably exploitable.
Example:
http://server:1812/catinfo?4500xA
The above request will cause a buffer overflow to take place. catinfo does
toupper() and CERN doesn’t like certain values. We were able to remotely
execute commands as root using this vulnerability.
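Until the upgrade described under Vendor Status is applied, the two conditions
the advisory describes (unauthenticated requests to the non-.cgi handlers, and
oversized query strings to a cgi-bin program) can at least be spotted in the
ISADMIN web-server logs. The script below is an added example, not part of the
advisory; it assumes the server writes common log format, uses a constructed
set of handler names taken from the listing above, constructed log lines, and
an arbitrary 1024-byte query-length threshold chosen for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed: URLs of the non-.cgi executables the advisory's listing shows.
EXPOSED_HANDLERS = {"/about", "/antivir", "/arglist", "/catinfo"}

# Constructed threshold; normal ISADMIN form submissions are far shorter.
MAX_QUERY_LEN = 1024

# Constructed access-log lines in common log format. Clients, timestamps and
# statuses are invented; the 4500-byte query mirrors the advisory's example.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - admin [12/Apr/2001:12:48:01 -0700] "GET /about.cgi HTTP/1.0" 200 1804',
    '10.0.0.5 - - [12/Apr/2001:12:48:07 -0700] "GET /catinfo?' + "A" * 4500 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [12/Apr/2001:12:49:30 -0700] "GET /arglist?name=x HTTP/1.0" 200 3148',
])

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Split one common-log-format line into fields, plus path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def findings(log_text, exposed=EXPOSED_HANDLERS, max_query=MAX_QUERY_LEN):
    """Return (client, path, reasons) for each request worth alerting on:
    an unauthenticated hit on an unprotected handler, or an oversized query."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        # "-" in the user field means Basic auth was not applied to the request.
        if rec["path"] in exposed and rec["user"] == "-":
            reasons.append("unauthenticated request to unprotected handler")
        if len(rec["query"]) > max_query:
            reasons.append("query string %d bytes" % len(rec["query"]))
        if reasons:
            out.append((rec["client"], rec["path"], reasons))
    return out


if __name__ == "__main__":
    for client, path, reasons in findings(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```

On the sample lines the /about.cgi request passes (it was authenticated and
carries no query), the /catinfo request is flagged on both counts, and the
/arglist request is flagged only because it reached an unprotected handler
without authentication. The handler set and threshold should be taken from the
installation being monitored rather than from this example.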
Proof of Concept:
Posted to eEye website shortly.
Vendor Status:
Upon contacting Trend Micro we were informed that their latest version 3.6
was not vulnerable to this flaw. For more information visit:
http://www.antivirus.com/
Greetings:
ADM, KAM, SPK, Lamagra, Zen-Parse, Loki, and Teso.
Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com