Trend Micro InterScan VirusWall Remote Overflow

[seclabs () NAI COM (NAI Labs)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________

                       Network Associates, Inc.
                    COVERT Labs Security Advisory
                             May 4, 2000

            Trend Micro InterScan VirusWall Remote Overflow

______________________________________________________________________

o Synopsis

An implementation flaw in the InterScan VirusWall SMTP gateway allows
a remote attacker to execute code with the privileges of the daemon.

RISK FACTOR:  HIGH
______________________________________________________________________

o Vulnerable Systems

InterScan VirusWall for Windows NT versions prior to and including
version 3.32 are vulnerable.

______________________________________________________________________

o Vulnerability Information

InterScan VirusWall provides an SMTP gateway which scans all inbound
and outbound mail traffic for viruses before forwarding it to an SMTP
server. The SMTP gateway implements analysis of standard UU encoding
which is used for transmitting binary files over transmission mediums
only supporting simple ASCII data.

A standard UU encoded file contains a final file name to which the
encoded data should be written to. Due to an implementation fault in
VirusWall's handling of this file name it is possible for a remote
attacker to specify an arbitrarily long string overwriting the stack
with user defined data. A filename greater than 128 bytes will allow
a remote attacker to execute arbitrary code.

Creation of a specially crafted filename allows remote shell access
with the privileges of the VirusWall daemon, under Windows NT this is
the SYSTEM account.

______________________________________________________________________

o Resolution

Trend Micro has corrected this problem in InterScan VirusWall for
Windows NT Version 3.4, which is currently available as a beta from:

ftp://ftp.antivirus.com/products/beta/

______________________________________________________________________

o Credits

The discovery and documentation of this vulnerability was conducted
by Barnaby Jack with the COVERT Labs at PGP Security, a Network
Associates business.

______________________________________________________________________

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our
website at http://www.nai.com/covert or send e-mail to covert () nai com

______________________________________________________________________

o  Legal Notice

The information contained within this advisory is Copyright (C) 2000
Networks Associates Technology Inc.  It may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way.

Network Associates and PGP are registered Trademarks of Network
Associates, Inc. and/or its affiliated companies in the United States
and/or other Countries.  All other registered and unregistered
trademarks in this document are the sole property of their respective
owners.

______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBORHJUqF4LLqP1YESEQJbEgCg2NiiJ//A8PIi+IMaWl0oGhopzPMAnRGu
4JsVNpAnSNx8+3UUZNBo4/C/
=/eMq
-----END PGP SIGNATURE-----