[NEWS] Trend Micro InterScan VirusWall HTTP Proxy Content Scanning Circumvention

From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 15 Mar 2002 12:11:57 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Trend Micro InterScan VirusWall HTTP Proxy Content Scanning Circumvention
------------------------------------------------------------------------

SUMMARY

Trend Micro InterScan VirusWall contains an HTTP proxy that prevents users
from downloading virus-infected content by scanning the data received from
a web server before passing it to the client. However, the default
configuration of the HTTP proxy causes it to skip content scanning when a
malicious web server sends a response whose Content-Length header is set
to 0, thereby letting virus-infected content pass.

DETAILS

Vulnerable systems:
Trend Micro InterScan VirusWall 3.6

The Trend Micro InterScan VirusWall HTTP proxy contains a configuration
option called "Skip scanning if Content-length equals 0". This option is
enabled by default and is only mentioned, not explained, in the
administrator's guide. It may be useful to avoid scanning "empty" web
pages. If this option is enabled and the proxy receives a document from a
web server that has real content but is preceded by an HTTP header with
the Content-Length field set to 0, it relays the document to the client
without scanning it: the decision whether to scan is taken from the
declared length, not from the bytes that actually arrive.
Of course, the web server must have been modified to return a zero
Content-Length field when serving a virus-infected document. This could
e.g. have been done by a malicious webmaster or an intruder with the intent
to trick users into downloading virus-infected content from his/her site.
Unfortunately many web browsers, e.g. Netscape 4.7, Netscape 6 and MSIE 6,
will ignore the zero Content-Length field in the HTTP header and still
download the document.
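The following is an added example written for this page; it is not the advisory's code and not the Inside Security proof-of-concept server. It models the proxy decision described above against a constructed HTTP/1.0 response that declares Content-Length: 0 but carries the EICAR test string as its body, and places the default configuration beside the option-disabled configuration and a hardened variant that scans the bytes actually received and treats a body contradicting the declared length as a bypass attempt. The function names, the dictionary results and the one-signature "AV engine" are assumptions for illustration only; the lenient and strict client functions model the browser behaviour the advisory reports, not any particular browser's code.

```python
import re

# Constructed sample input (not from the advisory's PoC).  The EICAR test
# string is written in two halves so this source file does not itself match
# on-disk antivirus signatures; joined at runtime it is the standard 68-byte
# EICAR-STANDARD-ANTIVIRUS-TEST-FILE string documented at http://www.eicar.org/
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()

# What a server modified as the advisory describes sends: a real body behind
# a header that claims the body is empty.  Body ends when the server closes.
MALICIOUS_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n" + EICAR
)

# A genuinely empty page, the case the option was presumably meant to speed up.
EMPTY_RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"

# An honest page with a correct length, to show the hardened path passes it.
BENIGN_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Length: 13\r\n\r\n<html></html>"
)


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def declared_length(headers):
    """Content-Length as an int, or None when absent or malformed."""
    value = headers.get(b"content-length")
    if value is None or not re.fullmatch(rb"\d+", value):
        return None
    return int(value)


def av_engine(body):
    """Stand-in for the proxy's scanner: detects only the EICAR string."""
    return EICAR in body


def viruswall_proxy(raw, skip_if_zero_length=True):
    """Model of the proxy decision.  skip_if_zero_length=True is the default
    the advisory describes; False is the suggested workaround."""
    _, headers, body = split_response(raw)
    if skip_if_zero_length and declared_length(headers) == 0:
        # Treated as an "empty" page: no scan, yet every byte received from
        # the server before it closed the connection is still relayed.
        return {"scanned": False, "infected": None, "delivered": body}
    infected = av_engine(body)
    return {"scanned": True, "infected": infected,
            "delivered": b"" if infected else body}


def hardened_proxy(raw):
    """Scan what actually arrived, never trust the declared length alone,
    and flag a body that contradicts Content-Length as a bypass attempt."""
    _, headers, body = split_response(raw)
    length = declared_length(headers)
    mismatch = length is not None and length != len(body)
    infected = av_engine(body)
    return {"scanned": True, "infected": infected, "length_mismatch": mismatch,
            "delivered": b"" if (infected or mismatch) else body}


def lenient_client_body(relayed):
    """Behaviour the advisory reports for Netscape 4.7/6 and MSIE 6: ignore
    Content-Length: 0 and keep reading until the connection closes."""
    return split_response(relayed)[2]


def strict_client_body(relayed):
    """A client that honoured the declared length would see nothing."""
    _, headers, body = split_response(relayed)
    length = declared_length(headers)
    return body if length is None else body[:length]


if __name__ == "__main__":
    for name, fn in (("default config", viruswall_proxy),
                     ("option disabled", lambda r: viruswall_proxy(r, False)),
                     ("hardened", hardened_proxy)):
        r = fn(MALICIOUS_RESPONSE)
        print("%-16s scanned=%s infected=%s bytes_to_client=%d"
              % (name, r["scanned"], r["infected"], len(r["delivered"])))
```

Running the script shows the three outcomes side by side: with the default option the 68-byte test file reaches the client unscanned, with the option disabled it is scanned and blocked, and the hardened path blocks it twice over (signature hit plus length mismatch) while still passing the honest page. The mismatch check is the reason the workaround makes some sites slow: a proxy that no longer trusts Content-Length has to wait for the server to close the connection before it knows the body is complete, which is why the advisory pairs the workaround with a shorter server timeout.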

Impact:
Users behind the VirusWall can unintentionally download virus-infected
content from a malicious web server without being protected by the
VirusWall.

Vendor status:
The vendor was informed on 2002/02/25 and replied that a major change in
the software would be needed to fix this issue; the vendor agreed with the
workaround suggested below and added the comment about the server timeout.

Proof of concept:
A modified server to demonstrate the vulnerability and proof of concept
source code are available at:
http://www.inside-security.de/vwall_cl0_poc.html

The tests are done with the EICAR anti-virus test file; for more
information about the anti-virus test file visit the European Institute
for Computer Anti-Virus Research (EICAR) at http://www.eicar.org/

Suggested workaround:
Disable the "Skip scanning if Content-length equals 0" option in the HTTP
proxy configuration using the VirusWall web administration interface. When
it is disabled, certain sites may display slowly; in that case the "server
timeout" value on the advanced configuration page should be set to a
smaller value.

ADDITIONAL INFORMATION

This vulnerability was found and documented by
Jochen Thomas Bauer <jtb@inside-security.de> and
Boris Wesslowski <bw@inside-security.de> of Inside Security GmbH,
Stuttgart, Germany.

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


