[21124] in bugtraq
TrendMicro InterScan WebManager Version 1.2 RegGo.dll Buffer Overflow Vulnerability
daemon@ATHENA.MIT.EDU (snsadv@lac.co.jp)
Thu Jun 21 19:10:39 2001
Date: Thu, 21 Jun 2001 19:28:50 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
Message-Id: <20010621192719.DE9A.SNSADV@lac.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
-----------------------------------------------------------------------
SNS Advisory No.33
TrendMicro InterScan WebManager Version 1.2 RegGo.dll Buffer Overflow
Vulnerability
Problem first discovered: Wed, 06 Jun 2001
Published: Thu, 21 Jun 2001
----------------------------------------------------------------------
Overview
---------
Trend Micro InterScan WebManager is software that provides protection
against malicious mobile code, URL filtering and traffic management.
A buffer overflow vulnerability exists in RegGo.dll, which implements
the web management console feature of InterScan WebManager version 1.2.
This problem can allow remote users to execute arbitrary commands with
SYSTEM privileges.
Problem Description
-------------------
InterScan WebManager includes a web-based management console. RegGo.dll,
which implements this feature, contains a buffer overflow that is
triggered when an overly long parameter is supplied.
When the overflow occurs, the process state looks like this:
00F0FC6C 42 42 42 42 BBBB
00F0FC70 43 43 43 43 CCCC
00F0FC74 44 44 44 44 DDDD
00F0FC78 45 45 45 45 EEEE
EAX = 00F0FC6C
EIP = 41414141
Therefore, arbitrary code placed at address 00F0FC6C, which EAX points
to, could be executed by a call through EAX.
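To illustrate the defect class the advisory describes (a request parameter copied into a fixed-size stack buffer with no length check) beside its hardened form, here is an added C example; it is not code from RegGo.dll or from Trend Micro, and the handler names, the 64-byte buffer size and the sample inputs are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the kind of handler the advisory describes.
 * RegGo.dll's code is not public; names and the 64-byte size are assumed. */
#define PARAM_MAX 64

/* Defective pattern: strcpy has no bound, so a parameter longer than the
 * buffer overwrites what follows it on the stack (saved registers, return
 * address); with 'A' padding that is how EIP ends up as 41414141. */
void handle_param_unbounded(const char *param)
{
    char buf[PARAM_MAX];
    strcpy(buf, param);   /* overflows when strlen(param) >= PARAM_MAX */
    printf("param=%s\n", buf);
}

/* Hardened pattern: measure against the destination size before copying,
 * refuse input that does not fit with its NUL, always terminate. */
bool handle_param_bounded(const char *param, char *out, size_t outsz)
{
    size_t len = 0;
    while (len < outsz && param[len] != '\0')   /* never scan past outsz */
        len++;
    if (len >= outsz)                          /* no room for the NUL */
        return false;
    memcpy(out, param, len + 1);
    return true;
}

/* Same stack buffer as the defective handler, but the copy is checked. */
bool handle_param_checked(const char *param)
{
    char buf[PARAM_MAX];
    if (!handle_param_bounded(param, buf, sizeof buf))
        return false;                          /* refused, nothing overwritten */
    printf("param=%s\n", buf);
    return true;
}

/* Constructed over-long input (200 'A's); true if the checked handler refuses it. */
bool long_param_is_refused(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return !handle_param_checked(big);
}
```

The unbounded handler is included only for contrast and must never be called with input longer than the buffer.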
Tested Version
--------------
TrendMicro InterScan WebManager Version 1.2
Tested on
---------
Microsoft Windows NT Server 4.0 + SP6a [English]
Status of fixes
---------------
No patches are available at this moment. The Trend Micro support team
responded that this problem would be fixed in the next version of
WebManager, but provided no further details. Until a patch is released,
restrict network access to servers on which WebManager is installed.
Discovered by
-------------
ARAI Yuu (LAC) y.arai@lac.co.jp
Disclaimer
----------
All information in this advisory is subject to change without advance
notice or mutual consensus, and is released as is. LAC Co., Ltd. is not
responsible for any risks or occurrences caused by applying this
information.
References
----------
Archive of this advisory:
http://www.lac.co.jp/security/english/snsadv_e/33_e.html
SNS Advisory:
http://www.lac.co.jp/security/english/snsadv_e/
LAC:
http://www.lac.co.jp/security/english/
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/