6361128 2001-04-13 04:33 -0700 /103 lines/ eEye Digital Security <eeye@EEYE.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-13 19:44 by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: eeye@EEYE.COM
Recipient: Bugtraq (import) <16529>
Subject: Trend Micro Interscan VirusWall 3.01 vulnerability
------------------------------------------------------------
From: eEye Digital Security <eeye@EEYE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <MMEPIMEOCNNBECDFLCADGEPKECAA.eeye@eeye.com>

Trend Micro Interscan VirusWall 3.01 vulnerability

Release Date:
April 12, 2001

Systems Affected:
Linux systems with Interscan VirusWall 3.01 (and most likely older versions) with remote administration enabled. Other Unix variants are most likely vulnerable also.

Description:
A combination of bugs found in the ISADMIN service that would allow an attacker to remotely compromise a system running Trend Micro Interscan VirusWall 3.01. Note: file paths may change between distributions, so they may not be totally accurate.

Vulnerability #1
The first bug is in the web-server configuration of ISADMIN, which runs CERN httpd v3.0 on port 1812 by default.

--------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------
Protection SCRIPTS {
   UserID     root
   GroupID    sys
   AuthType   Basic
   ServerID   redhat.example.com
   PassWdfile /etc/iscan/.htpasswd
   GroupFile  /opt/trend/ISADMIN/config/group
   GET-Mask   admin
}

Protect /*.cgi SCRIPTS
Exec /* /opt/trend/ISADMIN/cgi-bin/*
--------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------

Here we find that all files with a .cgi extension are protected, so only authorized users can access them. Unfortunately, there are several utilities in this directory that don't have a .cgi extension.
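The mismatch above, a Protect rule scoped to /*.cgi while the Exec rule maps every name in cgi-bin, can be checked mechanically. The following script is an added example and is not eEye's or Trend Micro's code: it parses the top-level Protect and Exec directives from a CERN httpd style configuration, computes the URL under which each file in cgi-bin would be served, and reports the ones no Protect pattern covers. The configuration text and the directory listing inside it are constructed from the advisory's excerpts; the hardened variant assumes that CERN httpd accepts a wildcard Protect pattern of the form "Protect /* SCRIPTS" (the same syntax as the original rule, with the extension dropped).

```python
"""Audit a CERN httpd style configuration for cgi-bin files that an Exec
rule serves but that no Protect rule covers.

Added example, not part of the advisory. The config text and file names
are constructed from the advisory's excerpts.
"""
import fnmatch

# Constructed from the advisory's httpd.conf excerpt (ServerID, PassWdfile
# and GroupFile omitted; they do not affect the URL-matching logic).
HTTPD_CONF = """\
Protection SCRIPTS {
   UserID     root
   GroupID    sys
   AuthType   Basic
   GET-Mask   admin
}
Protect /*.cgi SCRIPTS
Exec /* /opt/trend/ISADMIN/cgi-bin/*
"""

# Assumed remediation: protect everything the Exec rule exposes, not only
# names ending in .cgi.  Assumption: CERN httpd accepts "Protect /* SCRIPTS".
HARDENED_CONF = HTTPD_CONF.replace("Protect /*.cgi SCRIPTS",
                                   "Protect /* SCRIPTS")

CGI_BIN_DIR = "/opt/trend/ISADMIN/cgi-bin"

# Constructed listing of cgi-bin; the names are those in the advisory.
CGI_BIN_FILES = ["about", "anti_spamadd.cgi", "anti_spamedit.cgi",
                 "anti_spamtable.cgi", "antivir", "arglist", "catinfo"]


def parse_rules(conf):
    """Return (protect_patterns, exec_rules) from the top-level directives.

    Lines inside the Protection {...} block have two fields and a different
    keyword, so they never match.  Exec rules are (url_pattern, dir_pattern).
    """
    protect, execs = [], []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "protect":
            protect.append(parts[1])
        elif len(parts) >= 3 and parts[0].lower() == "exec":
            execs.append((parts[1], parts[2]))
    return protect, execs


def url_for(name, exec_rules):
    """URL path at which an Exec rule would serve file `name` from cgi-bin.

    Only the "Exec <url>/* <dir>/*" shape from the advisory is handled: the
    file name replaces the trailing '*' of the URL pattern.
    """
    for url_pat, dir_pat in exec_rules:
        if dir_pat == CGI_BIN_DIR + "/*" and url_pat.endswith("*"):
            return url_pat[:-1] + name
    return None


def unprotected(conf, files):
    """Files served via Exec whose URL matches no Protect pattern."""
    protect, execs = parse_rules(conf)
    exposed = []
    for name in files:
        url = url_for(name, execs)
        if url is None:
            continue  # not reachable through any Exec rule
        if not any(fnmatch.fnmatchcase(url, pat) for pat in protect):
            exposed.append(url)
    return exposed


if __name__ == "__main__":
    for url in unprotected(HTTPD_CONF, CGI_BIN_FILES):
        print("UNPROTECTED:", url)
    print("after fix:", unprotected(HARDENED_CONF, CGI_BIN_FILES))
```

Run against the advisory's configuration, the audit lists /about, /antivir, /arglist and /catinfo as reachable without authentication; with the wildcard Protect rule it lists nothing. The same check is worth running against any server where execution and authorization are configured by separate pattern rules, since the two patterns drift apart easily.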
ls -al /opt/trend/ISADMIN/cgi-bin/
-r-xr-xr-x 1 root root  1804 Feb 25 03:05 about
-r-xr-xr-x 1 root root 28859 Feb 25 03:05 anti_spamadd.cgi
-r-xr-xr-x 1 root root 27269 Feb 25 03:05 anti_spamedit.cgi
-r-xr-xr-x 1 root root 30052 Feb 25 03:05 anti_spamtable.cgi
-r-xr-xr-x 1 root root 37440 Feb 25 03:05 antivir
-r-xr-xr-x 1 root root  3148 Feb 25 03:05 arglist
-rwxr-xr-x 1 root root 12421 Apr 12 12:48 catinfo

This line allows us to exec those files without .cgi extensions:

Exec /* /opt/trend/ISADMIN/cgi-bin/*

Vulnerability #2
While auditing the binaries in /opt/trend/ISADMIN/cgi-bin/ we came to the conclusion that if it accepts input, it is probably exploitable.

Example:
http://server:1812/catinfo?4500xA

The above request will cause a buffer overflow to take place. catinfo does toupper() and CERN doesn't like certain values. We were able to remotely execute commands as root using this vulnerability.

Proof of Concept:
Posted to eEye website shortly.

Vendor Status:
Upon contacting Trend Micro we were informed that their latest version 3.6 was not vulnerable to this flaw. For more information visit: http://www.antivirus.com/

Greetings: ADM, KAM, SPK, Lamagra, Zen-Parse, Loki, and Teso.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com