[1][USEMAP:frame_r1_c1.gif] [frame_r1_c3.gif] [2]Japanese SNS Advisory [title2_r1_c1.gif] [3][GoIndex.gif] [4][GoBack.gif] 23 [5][GoNext.gif] [6]Japanese Edition SNS Advisory No.23 VirusBuster 2001 Ver 8.02 Buffer Overflow Vulnerability Problem first discovered: 13 Feb 2001 Published: 30 Mar 2001 Last Updated: 30 Mar 2001 _________________________________________________________________ Overview: A vulnerability exists in the feature of virus scan for e-mail in Virus Buster 2001 from Trend Micro Inc. Problem Description: Virus Buster 2001 is a Japanese software package that has similar functions of PC-cillin 2000 such as eMail Virus Scanning and Browser Scanning(scanning web contents). The feature of virus scan for e-mail in this software, called "eMail Virus Scanning" on PC-cillin, is used in order not to receive e-mail including virus by scanning every e-mail whenever MUA (Mail User Agent) imports e-mail by using POP3 protocol. The function is running as a proxy between MUA and MRA (Mail Retrieval Agent) as well. The buffer overflow occurs when MUA received email with the header defined in RFC 822 including unusually long strings. As a result, the user of this software is not able to receive e-mail(s) anymore. An attacker could use this vulnerability to execute arbitrary commands. A restart of the computer is required in order to gain normal functionality. Example of Issue: From: aaaaaaaa(about 17,000 characters)aaaaaaaaa To: ichinose@lac.co.jp Date: Fri, 23 Mar 2001 16:07:23 +0900 Subject: TEST I cracked you again. [23_1.gif] Fig1:the exapmle of exploit [23_2.gif] Fig2 : execution of arbitrary command (notepad.exe is excuted in this example) Tested Version of Virus Buster: Virus Buster 2001 Program Version 8.02 Tested on: Windows 2000 Professional(Japanese) Status of fixes: This problem does not affect the program version 8.03. Since there was the fault which incorrect-detects a virus in the version 8.03, the version 8.04 was released.You can update to the program version 8.04 by using the feature of automatically updating software called intelligent update. The problem is almost the same as the vulnerability that exists in the program version 8.00 except the place which buffer overflow occurs. This vulnerability does not exist in the version 8.01 but it is strongly recommended to upgrade to version 8.04 if you use the version 8.02 or earlier because the version 8.01 has yet another [7]buffer overflow vulnerability by receiving an e-mail message including unusually long MIME Boundary. Required conditions for updating are: 1) using product version as registered user. 2) Updating the software with intelligent update. (License key is necessary to do this.) Also, the Service Pack to fix this issue is available from: [8]http://www.trendmicro.co.jp/homeuser/download/vb2001sp4.htm (Japanese only; the program will be updated to 8.04.) Vendor Information: Trend Micro Inc.: [9]http://www.trendmicro.com/ Trend Micro Inc.(Japan): [10]http://www.trendmicro.co.jp/ Disclaimer: All information in these advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information. _________________________________________________________________ Copyright(c) 1995-2002 Little eArth Corporation References 1. LYNXIMGMAP:http://www.lac.co.jp/security/english/snsadv_e/23_e.html#r1_c1Map 2. http://www.lac.co.jp/security/index.html 3. http://www.lac.co.jp/security/english/snsadv_e/index.html 4. http://www.lac.co.jp/security/english/snsadv_e/22_e.html 5. http://www.lac.co.jp/security/english/snsadv_e/26_e.html 6. http://www.lac.co.jp/security/intelligence/SNSAdvisory/23.html 7. http://www.lac.co.jp/security/english/snsadv_e/22_e.html 8. http://www.trendmicro.co.jp/homeuser/download/vb2001sp4.htm 9. http://www.trendmicro.com/ 10. http://www.trendmicro.co.jp/