[24614] in bugtraq
VirusWall HTTP proxy content scanning circumvention
daemon@ATHENA.MIT.EDU (Boris Wesslowski)
Mon Mar 11 17:10:37 2002
Date: Mon, 11 Mar 2002 13:25:19 +0100
From: Boris Wesslowski <bw@inside-security.de>
To: bugtraq@securityfocus.com
Message-ID: <20020311132519.A25325@Kyb.Uni-Stuttgart.DE>
FOR PUBLIC RELEASE
------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 0.3 2002-03-10
------------------------------------------------------------------------
The latest version of this document is available at
http://www.inside-security.de/vwall_cl0.html
A demo server and proof of concept code are available at
http://www.inside-security.de/vwall_cl0_poc.html
-------------------------------------------------------------------------
Trend Micro InterScan VirusWall HTTP proxy content scanning circumvention
-------------------------------------------------------------------------
Summary:
Trend Micro InterScan VirusWall contains an HTTP proxy that prevents users
from downloading virus-infected content by scanning the data received
from a web server before passing it to the client. However, the default
configuration of the HTTP proxy causes it to skip content scanning if
a malicious web server supplies a modified HTTP header, thereby letting
virus-infected content pass.
Impact:
Users behind the VirusWall can unintentionally download virus-infected
content from a malicious web server without being protected by the
VirusWall.
Affected systems:
Trend Micro InterScan VirusWall 3.6
Releases tested:
Trend Micro InterScan VirusWall 3.6 for Red Hat Linux 6.2
Vendor status:
The vendor was informed on 2002/02/25 and replied that a major change in
the software would be needed to fix this issue. The vendor agreed with the
workaround suggested below and added the comment about the server timeout.
Detailed description:
The Trend Micro InterScan VirusWall HTTP proxy contains a configuration
option called "Skip scanning if Content-length equals 0". This option
is enabled by default and is only mentioned, not explained, in the
administrator's guide. It may be useful to avoid scanning "empty"
web pages. If this option is enabled and the proxy receives a document
from a web server that has real content but is preceded by an HTTP
header whose Content-Length field is set to 0, it passes the document
to the client without scanning it. Of course, the web server must have
been modified to return a zero Content-Length field when serving a
virus-infected document. This could, for example, have been done by a
malicious webmaster or an intruder intending to trick users into
downloading virus-infected content from his/her site. Unfortunately, many
web browsers, e.g. Netscape 4.7, Netscape 6 and MSIE 6, ignore the zero
Content-Length field in the HTTP header and still download the document.
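The header/body mismatch described above, as an added example that is not part of the original notification or of the vendor's software: the first decision function mirrors the default option (trust the Content-Length header), the second skips scanning only when no body bytes actually arrived, and the third is the check a proxy or IDS could log as a detection. Both HTTP responses are constructed samples.

```python
# Added example: compare the declared Content-Length with the body actually
# received, which is what the "skip if Content-length equals 0" option omits.

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def skips_scan_by_header(raw: bytes) -> bool:
    """Decision as the advisory describes the default option: trust the header."""
    _, headers, _ = parse_response(raw)
    return headers.get("content-length") == "0"


def skips_scan_by_body(raw: bytes) -> bool:
    """Hardened decision: skip only when no body bytes were actually received."""
    _, _, body = parse_response(raw)
    return len(body) == 0


def header_body_mismatch(raw: bytes) -> bool:
    """Detection: the header declares length 0 but a body followed anyway."""
    _, headers, body = parse_response(raw)
    return headers.get("content-length") == "0" and len(body) > 0


# Constructed sample: a server claiming zero length but sending a body anyway.
SAMPLE_LYING = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"<constructed sample body, stands in for the served document>"
)

# Constructed sample: a genuinely empty document, where skipping is harmless.
SAMPLE_EMPTY = b"HTTP/1.0 204 No Content\r\nContent-Length: 0\r\n\r\n"
```

For the lying sample the header-based decision skips the scan while the body-based decision does not, which is exactly the gap the advisory describes.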
Proof of concept:
A modified server to demonstrate the vulnerability and proof of concept
source code are available at
http://www.inside-security.de/vwall_cl0_poc.html
The tests use the EICAR anti-virus test file. For more information
about the anti-virus test file, visit the European Institute for
Computer Anti-Virus Research (EICAR) at http://www.eicar.org/
Suggested workaround:
Disable the "Skip scanning if Content-length equals 0" option in the
HTTP proxy configuration using the VirusWall web administration
interface. When it is disabled, certain sites may display slowly; in
that case the "server timeout" value on the advanced configuration page
should be set to a smaller value.
Credits:
This vulnerability was found and documented by Jochen Thomas Bauer
<jtb@inside-security.de> and Boris Wesslowski <bw@inside-security.de> of
Inside Security GmbH, Stuttgart, Germany.
------------------------------------------------------------------------
(C) 2002 Inside Security GmbH
This notice may be redistributed freely provided that redistributed copies
are complete and unmodified, and include all date and version information.
ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY
DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY
THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE
INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF INSIDE
SECURITY GMBH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of
applicable law, void, or unenforceable in any jurisdiction, then
such provisions are waived to the extent necessary for this disclaimer
to be otherwise enforceable in such jurisdiction.
------------------------------------------------------------------------