[22620] in bugtraq
[SNS Advisory No.42] Trend Micro InterScan eManager for NT Multiple Program Buffer Overflow Vulnerability
daemon@ATHENA.MIT.EDU (snsadv@lac.co.jp)
Wed Sep 12 10:49:50 2001
Date: Wed, 12 Sep 2001 02:01:24 -0400
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
Message-Id: <20010912011925.6B56.SNSADV@lac.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
----------------------------------------------------------------------
SNS Advisory No.42
Trend Micro InterScan eManager for NT Multiple Program Buffer Overflow Vulnerability
Problem first discovered: Fri, 27 Jul 2001
Published: Wed, 12 Sep 2001
----------------------------------------------------------------------
Overview:
---------
Trend Micro InterScan eManager for NT contains buffer overflow
vulnerability. It may allow an attacker to execute arbitrary codes
remotely with Local System context.
Problem Description:
--------------------
InterScan eManager is a pug-in software for InterScan VirusWall,
both developed by Trend Micro. It provides SPAM filtering, content
filtering, and Web-based management console. Some CGI programs, which
are used by this Web-based management console, contain buffer overflow
vulnerability. It may allow an attacker to execute arbitrary codes
remotely with Local System context. Actually, the Web-based console
of InterScan eManager doesn't have authentication method, which is
used for confirmation of administrator. This can lead an attacker
to reconfigure its settings, and will cause major complications.
Exploitable CGI programs:
/eManager/cgi-bin/register.dll
/eManager/Content%20Management/ContentFilter.dll
/eManager/Content%20Management/SFNofitication.dll
/eManager/Email%20Management/cgi-bin/register.dll
/eManager/Email%20Management/cgi-bin/TOP10.dll
/eManager/Email%20Management/cgi-bin/SpamExcp.dll
/eManager/Email%20Management/cgi-bin/spamrule.dll
Tested Version:
---------------
InterScan eManager for NT Ver.3.51
InterScan eManager for NT Ver.3.51J
Tested OS:
----------
Windows NT 4.0 Server + SP6a [English]
Windows NT 4.0 Server + SP6a [Japanese]
Patch Information:
------------------
A patch to fix this issue for InterScan eManager for NT Ver.3.51J is
available below URL:
http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3142
A patch for InterScan eManager for NT Ver.3.51 is to be released.
Workarounds:
------------
Workarounds listed below will minimize the vulnerability.
1. If Web-based console is not necessary, remove /eManager virtual
directory with the use of Internet Service Manager.
2. Enable NTLM authentication with the use of Internet Service
Manager. It will provide restrict access to Web-based console.
3. Restrict untrustworthy host's access to Web-based console with
the use of Firewall, and so on.
Discovered by:
--------------
ARAI Yuu (LAC) y.arai@lac.co.jp
Disclaimer:
-----------
All information in these advisories are subject to change without any
advanced notices neither mutual consensus, and each of them is released
as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
caused by applying those information.
References:
-----------
Archive of this advisory:
http://www.lac.co.jp/security/english/snsadv_e/42_e.html
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
