Bugtraq Archive June 2001: [SNS Advisory No.34] TrendMicro InterScan VirusWall 3.51 smtpscan.dll Buffer Overflow

From: SNS Advisory (snsadv@lac.co.jp)
Date: Thu Jun 28 2001 - 09:30:17 BST

----------------------------------------------------------------------
SNS Advisory No.34
TrendMicro InterScan VirusWall 3.51 smtpscan.dll Buffer Overflow

Problem first discovered: Wed, 6 Jun 2001
Published: Thu, 28 Jun 2001
----------------------------------------------------------------------

Overview:
---------
A buffer overflow vulnerability was found in some administrative
programs, smtpscan.dll, of InterScan VirusWall for Windows NT. It
allows a remote user to execute an arbitrary command with SYSTEM
privilege.

If long strings are included in a certain parameter of configuration
by exploiting the vulnerability that was reported by SNS Advisory
No.28, a buffer overflow occurs when requesting the following dll:

  http://server/interscan/cgi-bin/smtpscan.dll

The following are a memory dump and contents of register when a buffer
overflow occurs.

  dump:
  00F8E5C0  71 71 71 72 72 72 72 73  qqqrrrrs
  00F8E5C8  73 73 73 74 74 74 74 75  sssttttu

  register:
  EIP=73727272 ESP=00F8E5C8

Therefore, arbitrary code may be executed by calling esp which may be
replaced by an attacker's supplied arbitrary code.

Tested Version:
---------------
InterScan VirusWall for Windows NT 3.51 English

Tested OS:
----------
Windows NT 4.0 Server SP6a [English Version]

Patch Information:
------------------
To get the patch, send e-mail to support@support.trendmicro.com or
search this issue on
http://solutionbank.antivirus.com/solutions/solutionSearch.asp

Discovered by:
--------------
Nobuo Miwa (LAC / n-miwa@lac.co.jp)

Disclaimer:
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.

References
----------
Archive of this advisory:
  http://www.lac.co.jp/security/english/snsadv_e/34_e.html

SNS Advisory No.28 (TrendMicro InterScan VirusWall for NT remote
configuration Vulnerability):
  http://www.lac.co.jp/security/english/snsadv_e/28_e.html

SNS Advisory:
  http://www.lac.co.jp/security/english/snsadv_e/

LAC:
  http://www.lac.co.jp/security/english/

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
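
The dump and register values in the Overview can be read as a crash-triage check. The following is an added example, not part of the advisory or any LAC or Trend Micro code: it parses the two dump rows and tests whether EIP holds the four bytes stored just below ESP. The function names and the assumption that the crash followed a plain x86 `ret` are this example's own.

```python
import re

# Dump rows and register values copied from the advisory's Overview.
DUMP = """\
00F8E5C0  71 71 71 72 72 72 72 73  qqqrrrrs
00F8E5C8  73 73 73 74 74 74 74 75  sssttttu
"""
EIP = 0x73727272
ESP = 0x00F8E5C8

def parse_dump(text, width=8):
    """Map address -> byte for rows shaped 'ADDR b0 .. b7 [ascii]'."""
    mem = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{8}", tok[0]):
            continue  # not a dump row
        base = int(tok[0], 16)
        for i, t in enumerate(tok[1:1 + width]):
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", t):
                break  # reached the ASCII column early
            mem[base + i] = int(t, 16)
    return mem

def triage(mem, eip, esp):
    """Check whether EIP was loaded from the stack slot just below ESP."""
    raw = eip.to_bytes(4, "little")   # EIP as the bytes sat in memory
    slot = esp - 4                    # assumption: a plain `ret` popped 4 bytes
    cells = [mem.get(slot + i) for i in range(4)]
    popped = None not in cells and bytes(cells) == raw
    return {
        "eip_bytes": raw,
        "eip_is_printable_ascii": all(0x20 <= b < 0x7F for b in raw),
        "return_slot": slot,
        "eip_popped_from_stack": popped,
        "bytes_at_esp": bytes(mem[a] for a in range(esp, esp + 8) if a in mem),
    }

if __name__ == "__main__":
    for key, value in triage(parse_dump(DUMP), EIP, ESP).items():
        print(f"{key}: {value!r}")
```

A printable-ASCII EIP that matches the slot directly below ESP, with more of the same input sitting at ESP, is the signature of an overwritten saved return address. That is why the advisory rates this as code execution rather than a crash only.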