[20832] in bugtraq
[SNS Advisory No.28]InterScan VirusWall for NT remote configuration
daemon@ATHENA.MIT.EDU (snsadv@lac.co.jp)
Fri Jun 1 14:56:34 2001
To: bugtraq@securityfocus.com
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
Message-Id: <200106011541.AIE26064.BTWOTE@lac.co.jp>
Date: Fri, 1 Jun 2001 15:41:06 +0900
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
SNS Advisory No.28
InterScan VirusWall for NT remote configuration
Problem first discovered: Thu, 24 May 2001
Published: Thu, 31 May 2001
Last Updated: Thu, 31 May 2001
----------------------------------------------------------------------
Overview
--------
Trend Micro InterScan VirusWall for Windows NT is an antivirus
software program and has capabilities to control remotely via pre-insalled
CGI programs. We found a vulnerability that could allow for a malicious remote
user to make unexpected modifications for the configuration of software.
Problem
-------
InterScan VirusWall for Windows NT is a virus protection
software for incoming and outgoing e-mail, http, ftp traffics.
This software has a capability to set and change the configuration
by using Web browser.
The interface of configuration is constructed by a sort of
CGI programs on the Internet Information Server 4.0.
Unfortunately, the CGI programs has no features to control the source
of request for the modification and are not protected for malicious
remote users when a location of program is called with any arguments.
This may allow for a remote user to make the software change unexpectedly.
Examples)
http://target/interscan/cgi-bin/FtpSave.dll?no
http://target/interscan/cgi-bin/FtpSave.dll?yes
http://target/interscan/cgi-bin/FtpSave.dll?I'm%20here
Tested Version
--------------
InterScan VirusWall for Windows NT 3.51 English
Tested OS
---------
Windows NT 4.0 SP6a [English Version]
Patch Information
-----------------
No patches are available now.
Trend Micro support team responded that this problem will be fixed
at Version 5.0. They reported also the patch program will be released
in July, 2001.
Until the patch will be released, the solution is installing
this software behind the protected network.
(ie. use firewall, use access control features of the Web server)
Discovered by
-------------
Nobuo Miwa (LAC / n-miwa@lac.co.jp)
Disclaimer
-----------
All information in this advisories are subjects to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. are not responsible for any risks of occurrences
caused by applying those information.
References
----------
Archive of this advisory:
http://www.lac.co.jp/security/english/snsadv_e/28_e.html
Archive of former advisories:
http://www.lac.co.jp/security/english/snsadv_e/
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
