6361128 2001-04-13 04:33 -0700  /103 lines/ eEye Digital Security <eeye@EEYE.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-13  19:44  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: eeye@EEYE.COM
Recipient: Bugtraq (import) <16529>
Subject: Trend Micro Interscan VirusWall 3.01 vulnerability
------------------------------------------------------------
From: eEye Digital Security <eeye@EEYE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <MMEPIMEOCNNBECDFLCADGEPKECAA.eeye@eeye.com>

Trend Micro Interscan VirusWall 3.01 vulnerability

Release Date:
April 12, 2001

Systems Affected: Linux systems running Interscan VirusWall 3.01 (and
most likely older versions) with Remote Administration enabled. Other
Unix variants are most likely vulnerable as well.

Description: A combination of bugs in the ISADMIN service allows an
attacker to remotely compromise a system running Trend Micro Interscan
VirusWall 3.01. Note that file paths may differ between distributions,
so the paths given here may not be exact.

Vulnerability #1

The first bug is in the web-server configuration of ISADMIN, which
runs CERN httpd v3.0 on port 1812 by default.

--------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------

Protection SCRIPTS {
    UserID     root
    GroupID    sys
    AuthType   Basic
    ServerID   redhat.example.com
    PassWdfile /etc/iscan/.htpasswd
    GroupFile  /opt/trend/ISADMIN/config/group
    GET-Mask   admin
}

Protect /*.cgi SCRIPTS
…
Exec /* /opt/trend/ISADMIN/cgi-bin/*

--------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------

Here we find that all files with a .cgi extension are protected, so
only authorized users can access them. Unfortunately, several
utilities in this directory do not have a .cgi extension.

ls -al /opt/trend/ISADMIN/cgi-bin/

-r-xr-xr-x 1 root root 1804 Feb 25 03:05 about
-r-xr-xr-x 1 root root 28859 Feb 25 03:05 anti_spamadd.cgi
-r-xr-xr-x 1 root root 27269 Feb 25 03:05 anti_spamedit.cgi
-r-xr-xr-x 1 root root 30052 Feb 25 03:05 anti_spamtable.cgi
-r-xr-xr-x 1 root root 37440 Feb 25 03:05 antivir
-r-xr-xr-x 1 root root 3148 Feb 25 03:05 arglist
-rwxr-xr-x 1 root root 12421 Apr 12 12:48 catinfo

This line allows the files without a .cgi extension to be executed as
well, outside the SCRIPTS protection and therefore without
authentication:

Exec /* /opt/trend/ISADMIN/cgi-bin/*
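The mismatch above (Protect covers only /*.cgi, Exec covers /*) can be checked mechanically. The following audit script is an added illustration, not code from eEye or Trend Micro; it parses only the Protect and Exec directives, uses a constructed excerpt of the advisory's configuration plus the file names from its listing, and the "Protect /* SCRIPTS" variant is an assumed hardening of this configuration, not a vendor-documented fix.

```python
"""Audit a CERN httpd-style config for executables reachable through an
Exec rule but matched by no Protect rule (added example, not vendor code).
Only Protect/Exec directives are parsed; CERN httpd's rule ordering is not
modelled, which is sufficient for the configuration shown in the advisory."""
import fnmatch
import shlex

# Constructed excerpt modelled on the advisory's httpd.conf (Protection block omitted).
VULNERABLE_CONF = """
Protect /*.cgi SCRIPTS
Exec /* /opt/trend/ISADMIN/cgi-bin/*
"""

# Assumed hardening: protect every URL the Exec rule handles, not only *.cgi.
HARDENED_CONF = """
Protect /* SCRIPTS
Exec /* /opt/trend/ISADMIN/cgi-bin/*
"""

# File names taken from the advisory's ls listing (constructed subset).
CGI_BIN_FILES = ["about", "anti_spamadd.cgi", "anti_spamedit.cgi",
                 "anti_spamtable.cgi", "antivir", "arglist", "catinfo"]


def parse_rules(conf):
    """Return (protect_templates, [(url_template, dir_template), ...])."""
    protects, execs = [], []
    for line in conf.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2 and parts[0].lower() == "protect":
            protects.append(parts[1])
        elif len(parts) >= 3 and parts[0].lower() == "exec":
            execs.append((parts[1], parts[2]))
    return protects, execs


def unprotected_executables(conf, files):
    """URLs of files an Exec rule would run that no Protect template covers."""
    protects, execs = parse_rules(conf)
    exposed = set()
    for url_tmpl, _dir_tmpl in execs:
        for name in files:
            # CERN httpd maps the '*' in the URL template onto the file name,
            # e.g. '/*' + 'catinfo' -> '/catinfo'.
            url = url_tmpl.replace("*", name, 1)
            if not any(fnmatch.fnmatchcase(url, p) for p in protects):
                exposed.add(url)
    return sorted(exposed)
```

Running it against the two configurations reports the four non-.cgi utilities for the advisory's rules and nothing for the hardened variant.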

Vulnerability #2

While auditing the binaries in /opt/trend/ISADMIN/cgi-bin/ we came to
the conclusion that if it accepts input, it is probably exploitable.

Example: http://server:1812/catinfo?4500xA

The above request will cause a buffer overflow to take place. catinfo
does toupper() and CERN doesn't like certain values. We were able to
remotely execute commands as root using this vulnerability.

Proof of Concept:
Posted to eEye website shortly.

Vendor Status: Upon contacting Trend Micro, we were informed that
their latest version, 3.6, was not vulnerable to this flaw. For more
information visit: http://www.antivirus.com/

Greetings:
ADM, KAM, SPK, Lamagra, Zen-Parse, Loki, and Teso.

Copyright (c) 1998-2001 eEye Digital Security

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com