Bugtraq mailing list archives
Re: Worldsecure/Mail 4.3 vulnerability
From: salme () US IBM COM (salme () US IBM COM)
Date: Thu, 20 Jan 2000 16:44:41 -0500
Blindly trusting an outside source to update virus pattern/definition/dat files (or any other app) throughout your enterprise is foolish. Corporations should have a mechanism to test new updates before they are released to the general server/user population. This is a simple way to minimise these types of security risks. Also, you won't have to deal with thousands of users calling your help desk reporting their AV software didn't load properly or is detecting explorer.exe as a trojan horse!

-Ed

Edward M. Salm, Information Security Analyst
IBM Virus Emergency Response Service
300 Long Meadow Road, Sterling Forest, NY 10979
(914)759-4870 / tie-line 248

Andreas Küchler <andreas.kuechler () GIEPA DE>@SECURITYFOCUS.COM> on 01/20/2000 04:26:39 AM

Please respond to Andreas Küchler <andreas.kuechler () GIEPA DE>

Sent by: Bugtraq List <BUGTRAQ () SECURITYFOCUS COM>
To: BUGTRAQ () SECURITYFOCUS COM
cc:
Subject: Worldsecure/Mail 4.3 vulnerability

Worldsecure uses anonymous ftp to transfer their virus patterns automatically from their site download.worldtalk.com to the Worldsecure server. Obviously Worldtalk does __NOT__ check any signatures after the file has been downloaded and integrates them into the antivirus engine of the WorldSecure/Mail server.

There are two scenarios:

1) If anyone gets access to the pattern files on download.worldtalk.com and replaces them with a modified version:

a) he can transport any file named *.dat to the user's Worldsecure server (the server transports everything called *.dat that is embedded inside the dat-xxxx.zip residing on the ftp server to a directory under Worldtalk named after the pattern revision). All you have to do is to find the actual revision number of McAfee's dat files, add one and place a new dat on the ftp server. By doing this you reach __ANY__ WS/Mail server with the autoupdate feature enabled!

b) by replacing scan.dat with any file which is not a virus pattern, the virus engine will be unable to scan for any viruses any more...

By the way, weren't there some exploits against MS FTP Service 4.0 !?! :-(

2) If anyone gets access to the local registry of a Worldsecure/Mail server he can modify the download site from where Worldtalk retrieves its updates. He can then accomplish the same thing as before (only on the smaller scope of one server).

The big problem is that the Worldsecure/Mail server uses any file as virus pattern and actually scans with this modified file (I tried wincmd.exe !!! renamed as scan.dat) without producing any warnings or log entries. The administrator only has a chance to smell the mess when he restarts the server, because then the virus engine will not initialize.

Worldtalk has been informed about these scenarios and admits that there is a problem which will be solved in a future release of Worldsecure/Mail.

--
Andreas Kuechler
Leiter Netzwerke und Service (Head of Networks and Service)
Giegerich & Partner GmbH
Daimlerstrasse 1H, 63303 Dreieich, Germany
+49 6103 5881 71 Voice
+49 6103 5881 79 Fax
http://www.giepa.de
andreas.kuechler () giepa de
Fingerprint 7DCE 2A53 CB6E 6DF9 CA20 B65B 0FE1 915A 2069 15BD

(See attached file: andreas.kuechler.vcf)
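The gate the advisory says is missing, as an added example that is not code from either post or from Worldtalk: an update is only accepted if (1) a detached signature over the downloaded archive verifies against a public key pinned in the product, (2) the revision in the archive name moves forward from the installed one by a plausible amount, and (3) every member is a plain, allow-listed file name. The Ed25519 key pair, the four-digit revision in `dat-NNNN.zip`, the member allow-list and the size cap are assumptions for the demonstration; the page gives none of them. `BuildZip` only fabricates archives offline so the scenario from the post (an arbitrary executable renamed to scan.dat) can be replayed against the check.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strconv"
	"strings"
)

// Members the vendor is allowed to ship inside dat-NNNN.zip. The real product's
// member list is not on the page; this allow-list is an assumption for the demo.
var allowedMembers = map[string]bool{"scan.dat": true, "names.dat": true, "clean.dat": true}

// Archive name as described in the advisory: dat-xxxx.zip, revision in the name
// (four digits assumed).
var datName = regexp.MustCompile(`^dat-(\d{4})\.zip$`)

const maxMemberSize = 64 << 20 // 64 MiB cap per member (assumption)

// NewVendorKeys stands in for the vendor's signing key pair. In practice only the
// public key is pinned in the product; the private key never leaves the vendor.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor-side step: a detached Ed25519 signature over the
// exact bytes that will be served for anonymous FTP download.
func SignUpdate(priv ed25519.PrivateKey, zipBytes []byte) []byte {
	return ed25519.Sign(priv, zipBytes)
}

// VerifyUpdate is the server-side gate. It returns the accepted revision and the
// member contents; nothing is written to disk until every check has passed.
func VerifyUpdate(pub ed25519.PublicKey, name string, zipBytes, sig []byte, installedRev int) (int, map[string][]byte, error) {
	// 1. Signature first: anything an attacker placed on the FTP server fails here.
	if !ed25519.Verify(pub, zipBytes, sig) {
		return 0, nil, errors.New("signature does not verify; refusing update")
	}
	// 2. Revision must be newer than what is installed (no replay of an old,
	//    genuinely signed archive) and not implausibly far ahead.
	m := datName.FindStringSubmatch(name)
	if m == nil {
		return 0, nil, fmt.Errorf("unexpected archive name %q", name)
	}
	rev, _ := strconv.Atoi(m[1]) // the regexp guarantees four digits
	if rev <= installedRev || rev > installedRev+100 {
		return 0, nil, fmt.Errorf("revision %d not acceptable after installed %d", rev, installedRev)
	}
	// 3. Members: plain allow-listed names only, no directories or traversal.
	zr, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	if err != nil {
		return 0, nil, fmt.Errorf("archive rejected: %w", err)
	}
	files := make(map[string][]byte)
	for _, f := range zr.File {
		n := f.Name
		if strings.ContainsAny(n, `\/`) || !allowedMembers[n] {
			return 0, nil, fmt.Errorf("member %q not permitted", n)
		}
		rc, err := f.Open()
		if err != nil {
			return 0, nil, err
		}
		data, err := io.ReadAll(io.LimitReader(rc, maxMemberSize+1))
		rc.Close()
		if err != nil || len(data) > maxMemberSize {
			return 0, nil, fmt.Errorf("member %q unreadable or too large", n)
		}
		files[n] = data
	}
	if _, ok := files["scan.dat"]; !ok {
		return 0, nil, errors.New("archive does not contain scan.dat")
	}
	return rev, files, nil
}

// BuildZip constructs an in-memory archive; used only to fabricate inputs offline.
func BuildZip(members map[string][]byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, data := range members {
		fw, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write(data); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	pub, priv := NewVendorKeys()
	good := BuildZip(map[string][]byte{"scan.dat": []byte("constructed pattern data")})
	sig := SignUpdate(priv, good)
	rev, _, err := VerifyUpdate(pub, "dat-4060.zip", good, sig, 4059)
	fmt.Println("vendor archive:", rev, err)
	// The advisory's attack: scan.dat swapped for an arbitrary executable.
	bad := BuildZip(map[string][]byte{"scan.dat": []byte("MZ... wincmd.exe")})
	_, _, err = VerifyUpdate(pub, "dat-4060.zip", bad, sig, 4059)
	fmt.Println("tampered archive:", err)
}
```

The signature is checked before anything else is parsed, so a swapped archive on the FTP server (scenario 1) or a redirected download site (scenario 2) fails without the zip reader ever touching attacker-controlled structure; the revision and member checks then guard against replaying an old signed archive and against a signed archive carrying files the engine should never load. Format validation of scan.dat itself is deliberately not attempted here, since the pattern file layout is not on the page.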
Current thread:
- Worldsecure/Mail 4.3 vulnerability Andreas Küchler (Jan 20)
- <Possible follow-ups>
- Re: Worldsecure/Mail 4.3 vulnerability salme () US IBM COM (Jan 20)