[13478] in bugtraq
Re: Worldsecure/Mail 4.3 vulnerability
daemon@ATHENA.MIT.EDU (salme@US.IBM.COM)
Fri Jan 21 15:50:44 2000
Mime-Version: 1.0
Content-Type: multipart/mixed;
Boundary="0__=OWsX0eihEtM5t5vcMzfJn1YSSmsU2l8AHqK02ngNcGxoNCaCWKM0aNvR"
Content-Disposition: inline
Message-Id: <8525686C.00782788.00@D51MTA06.pok.ibm.com>
Date: Thu, 20 Jan 2000 16:44:41 -0500
Reply-To: salme@US.IBM.COM
From: salme@US.IBM.COM
X-To: Andreas =?iso-8859-1?Q?K=FCchler?= <andreas.kuechler@GIEPA.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
--0__=OWsX0eihEtM5t5vcMzfJn1YSSmsU2l8AHqK02ngNcGxoNCaCWKM0aNvR
Content-type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-transfer-encoding: quoted-printable
Blindly trusting an outside source to update virus pattern/definition/d=
at
files (or any other app) throughout your enterprise is foolish.
Corporations should have a mechanism to test new updates before they ar=
e
released to the general server/user population. This is a simple way t=
o
minimise these types of security risks. Also, you won't have to deal w=
ith
thousands of users calling your help desk reporting their AV software
didn't load properly or is detecting explorer.exe as a trojan horse!
-Ed
Edward M. Salm, Information Security Analyst
IBM Virus Emergency Response Service
300 Long Meadow Road, Sterling Forest, NY 10979
(914)759-4870 / tie-line 248
Andreas K=FCchler <andreas.kuechler@GIEPA.DE>@SECURITYFOCUS.COM> on
01/20/2000 04:26:39 AM
Please respond to Andreas K=FCchler <andreas.kuechler@GIEPA.DE>
Sent by: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
cc:
Subject: Worldsecure/Mail 4.3 vulnerability
Worldsecure uses anonymous ftp to transfer their virus patterns
automatically from their site download.worldtalk.com to the Worldsecure=
server. Obviously Worldtalk does __NOT__ check any signatures after the=
file has been downloaded and integrates them into the antivirus engine
of the WorldSecure/Mail server. There are two scenarios:
1) if anyone gets access to the pattern files on download.worldtalk.com=
and replaces them with a modified version :
a) he can transport any file named *.dat to the users worldsecure serve=
r
(the server transports everything called *.dat that is embeded inside
the dat-xxxx.zip residing on the ftp server to a directory under
Worldtalk called after the pattern revision. All you have to do is to
find the actual revision number of mcafees dat-files, add one and place=
a new dat on the ftp server. By doing this you reach __ANY__
WS/Mail-server with enabled autoupdate feature!
b) by replacing scan.dat with any file which is not a virus pattern the=
virus engine will be unable to scan for any viruses any more... By the
way wherent there some exploits against MS FTP Service 4.0 !?! :-(
2) if anyone gets access to the local registry of a worldsecure/Mail
server he can modify the download site from where worldtalk retrieves
its updates. He can then acomplish the same thing as before. (only on
the smaller scope of one server)
The big problem is that the Worldsecure/Mail server uses any file as
virus pattern and actually scans with this modified file (I tried
wincmd.exe !!! renamed as scan.dat) without producing any warnings or
log entries. The administrator has only a chance to smell the mess when=
he restarts the server because then the virus engine will not
initialize.
Worldtalk has been informed about this scenarios and admits that there
is a problem which will be solved in a future release of
Worldsecure/Mail.
--
Andreas Kuechler
\|/
(@ @)
------------------------oOO--(_)--OOo-------------------------
``` =B4=B4=B4
Leiter Netzwerke und Service Giegerich & Partner GmbH
Daimlerstrasse 1H
+49 6103 5881 71 Voice 63303 Dreieich
+49 6103 5881 79 Fax Germany
http://www.giepa.de andreas.kuechler@giepa.de
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Fingerprint 7DCE 2A53 CB6E 6DF9 CA20 B65B 0FE1 915A 2069 15BD
(See attached file: andreas.kuechler.vcf)
=
--0__=OWsX0eihEtM5t5vcMzfJn1YSSmsU2l8AHqK02ngNcGxoNCaCWKM0aNvR
Content-type: application/octet-stream;
name="andreas.kuechler.vcf"
Content-Disposition: attachment; filename="andreas.kuechler.vcf"
Content-transfer-encoding: base64
YmVnaW46dmNhcmQNCm46S/xjaGxlcjtBbmRyZWFzDQp0ZWw7ZmF4Ois0OSA2MTAzIDU4ODEgNzkN
CnRlbDt3b3JrOis0OSA2MTAzIDU4ODEgNzENCngtbW96aWxsYS1odG1sOkZBTFNFDQp1cmw6aHR0
cDovL3d3dy5naWVwYS5kZQ0Kb3JnOkdpZWdlcmljaCAmIFBhcnRuZXIgR21iSA0KYWRyOjs7RGFp
bWxlcnN0cmFzc2UgMWg7RHJlaWVpY2g7SGVzc2VuOzYzMzAzO0dlcm1hbnkNCnZlcnNpb246Mi4x
DQplbWFpbDtpbnRlcm5ldDpBbmRyZWFzLkt1ZWNobGVyQGdpZXBhLmRlDQp0aXRsZTpMZWl0ZXIg
TmV0endlcmtlIHVuZCBTZXJ2aWNlDQpub3RlOmh0dHA6Ly93d3cuZ2llcGEuZGUNCngtbW96aWxs
YS1jcHQ6Oy01ODA4DQpmbjpBbmRyZWFzIEv8Y2hsZXINCmVuZDp2Y2FyZA0K
--0__=OWsX0eihEtM5t5vcMzfJn1YSSmsU2l8AHqK02ngNcGxoNCaCWKM0aNvR--
