Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: iDefense Security Advisory 12.14.05: Trend Micro ServerProtectrelay.dll Chunked Overflow Vulnerability



> 
> Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability
> 
> iDefense Security Advisory 12.14.05
> www.idefense.com/application/poi/display?id=354&type=vulnerabilities
> December 14, 2005
> 
> I. BACKGROUND
> 
> Trend Micro Inc.'s ServerProtect provides antivirus scanning with
> centralized management of virus outbreaks, scanning, patter file
> updates, notifications and remote installations. More 
> information about
> the product set is available at:
> 
>  www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm
> 
> II. DESCRIPTION
> 
> Remote exploitation of a heap overflow in Trend Micro Inc.'s
> ServerProtect Management Console allows remote attackers to execute
> arbitrary code with the privileges of the underlying web server.
> 
> The problem specifically exists within the relay.dll ISAPI application
> upon processing of large POST requests with "wrapped" length values,
> example:
> 
>  POST /TVCS/relay.dll HTTP/1.0
>  Transfer-Encoding: chunked
>  
>  80000000
>  [ 50,000 bytes or so ]
> 
> The above example request will create an exploitable heap corruption
> providing the attacker with a near arbitrary 4-byte overwrite. By
> overwriting the address of a soon to be called function the 
> attacker can
> seize CPU control and eventually execute arbitrary code.
> 
> III. ANALYSIS
> 
> Successful exploitation of the described issue allows remote attackers
> to execute arbitrary code with the privileges of the underlying web
> server. Exploitation does not require credentials, thereby 
> exacerbating
> the impact of this vulnerability.
> 
> IV. DETECTION
> 
> iDefense has confirmed the existence of this vulnerability in Trend
> Micro ServerProtect for Windows Management Console 5.58 running with
> Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup
> Server 1.1. It is suspected that earlier versions and 
> versions for other
> platforms are vulnerable as well.
> 
> V. WORKAROUND
> 
> Employ firewalls, access control lists or other TCP/UDP restriction
> mechanism to limit access to the vulnerable system on the configured
> port, generally TCP port 80.
> 
> VI. VENDOR RESPONSE
> 
> "Trend Micro has recently become aware of a vulnerability 
> related to the
> Microsoft Foundation Classes (MFC) static libraries used by 
> Trend Micro
> products to create Internet Server Application Programming Interface
> (ISAPI) programs for IIS user interfaces. Under certain heavy load
> conditions, the MFC ISAPI produces invalid arguments, which can create
> an access violation, and thus a denial of service to users. 
> The original
> MFC vulnerability was reported and patched in 2002 by Microsoft,
> however, in April 2005, Microsoft published new solutions, and vendors
> were required to rebuild programs to link to the new library. During
> this transition period, manual solutions are available through Trend
> Micro technical support for customers wishing to take precautionary
> measures, in the unlikely event of an exploit targeted at the MFC
> vulnerability.
> 
> The potential impact to Trend Micro products is limited to 
> some versions
> of InterScan eManager, InterScan Web Protect, OfficeScan, and Control
> Manager. Many of these products will be updated in the next version
> release.
> 
> For now, use the workarounds provided:
> 
> Option I: Use the Microsoft URLScan Tool
> 
> 1.    Download any of the following:
> 
> Note: The tool prevents a potential thread by rejecting the specified
> requests.
> 
> * URLScan 2.5 (for IIS 6.0)
> * IIS Lockdown Tool 2.1 (for IIS 4.0 or 5.0)
> 
> 2.    Run the URLScan tool. The urlscan folder is 
> automatically created in
> the C:\WINDOWS\system32\inetsrv\urlscan directory.
> 
> 3.    Open Windows Explorer and go to the
> C:\WINDOWS\system32\inetsrv\urlscan directory.
> 
> 4.    Find the URLScan.ini file and open with a text editor 
> like Notepad.
> 
> 5.    Find the [AllowExtensions] section and add the following file
> extensions:
> 
> * .exe
> * .ini
> * .dat
> * .asp
> 
> 6.    Find the [DenyHeaders] section and add the transfer-encoding:
> parameter.
> 
> 7.    Find the [Options] section and change the value of
> UseAllowExtensions to "0".
> 
> 8.    Under [DenyExtensions], remove the following file extensions:
> * .exe
> * .ini
> * .dat
> * .asp
> 
> 9.    Save the changes and close the file.
> 
> 10.    Stop and start the Web service.
> 
> Option II: Change build environments
> 
> Trend Micro recommends changing the build environments to 
> Visual C++ 6.0
> with Service Pack 6."
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the
> name CVE-2005-1929 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 06/03/2005 Initial vendor notification
> 06/05/2005 Initial vendor response
> 12/14/2005 Public disclosure
> 
> IX. CREDIT
> 
> The discoverer of this vulnerability wishes to remain anonymous.
> 
> Get paid for vulnerability research
> http://www.iDefense.com/poi/teams/vcp.jsp
> 
> Free tools, research and upcoming events
> http://labs.iDefense.com
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2005 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than 
> electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available 
> information. Use
> of the information constitutes acceptance for use in an AS IS 
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any 
> direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
> 




 




Copyright © Lexa Software, 1996-2009.