[NT] Bypassing TrendMicro InterScan HTTP VirusWall

From: support@securiteam.com
Date: 09/18/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 18 Sep 2002 11:17:07 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Bypassing TrendMicro InterScan HTTP VirusWall
------------------------------------------------------------------------

SUMMARY

TrendMicro's InterScan HTTP VirusWall protects clients from web-based
attacks. A vulnerability in the product allows an attacker to bypass the
protection it provides.

DETAILS

Vulnerable systems:
 * InterScan VirusWall 3.6 on RedHat 7.0 can be bypassed using chunked
transfer encoding.
 * InterScan VirusWall 3.52 on Windows can be bypassed using both chunked
transfer encoding and gzip content encoding.

TrendMicro VirusWall can be bypassed when using:
 * HTTP 1.1 chunked transfer encoding.
 * HTTP 1.0 gzip content encoding (Windows platforms only).

While HTTP/1.0 includes the Content-Encoding header, which indicates the
end-to-end content-coding(s) used for a message, HTTP/1.1 adds the
Transfer-Encoding header, which indicates the hop-by-hop
transfer-coding(s) used for a message. Thus, compression can be done
either as a content-encoding or as a transfer-encoding.

The gzip Content Encoding
Downloading a zipped file does not mean that the gzip content-encoding is
used; in that case the response carries a content-type of
application/zip (see the zip-file.txt trace). In the following examples,
our web server is configured to use the gzip content-encoding.

The Chunked Transfer Encoding
With the HTTP 1.1 chunked transfer encoding, the sender breaks the message
body into chunks of arbitrary length, and each chunk is sent with its
length prepended. The chunked transfer encoding is used when the HTTP
server does not know the response message length in advance, which is
always the case when using gzip compression.
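The two encodings described above are exactly what a scanning proxy has to undo before it can match signatures against the real payload. The following Python example is added here and is not part of the original advisory or of TrendMicro's product: it contrasts a naive scanner that matches on the bytes as they appear on the wire with one that first removes the chunked transfer-coding and then the gzip content-coding. The signature string, the sample responses and the helper names are all constructed for this example.

```python
import gzip
import zlib

# Constructed test marker standing in for a real AV signature (assumption, not from the advisory).
SIGNATURE = b"X-TEST-MALWARE-MARKER"

# Constructed sample payload; the repetition keeps gzip from emitting a stored (uncompressed) block.
PAYLOAD = b"harmless filler text " * 8 + SIGNATURE + b" more harmless filler " * 8


def split_head_body(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body (RFC 2616 section 3.6.1).

    Each chunk is '<hex size>[;extensions]\\r\\n<data>\\r\\n'; a zero-size chunk ends the body.
    Malformed input raises ValueError instead of silently passing bytes through.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError("bad chunk size %r" % size_field)
        pos = eol + 2
        if size == 0:
            break  # last-chunk reached; optional trailer headers are ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2
    return bytes(out)


def decode_content(body: bytes, content_encoding: bytes) -> bytes:
    """Undo the end-to-end content-coding so the scanner sees the actual entity."""
    enc = content_encoding.lower()
    if enc in (b"", b"identity"):
        return body
    if enc in (b"gzip", b"x-gzip"):
        return gzip.decompress(body)
    if enc == b"deflate":
        return zlib.decompress(body)
    raise ValueError("unsupported content-encoding %r" % enc)


def naive_scan(raw: bytes) -> bool:
    """Weak behaviour: match the signature against the wire bytes as received."""
    return SIGNATURE in raw


def normalizing_scan(raw: bytes) -> bool:
    """Remove the hop-by-hop transfer-coding, then the content-coding, then match."""
    _, headers, body = split_head_body(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body = decode_chunked(body)
    body = decode_content(body, headers.get(b"content-encoding", b""))
    return SIGNATURE in body


def build_response(payload: bytes, chunked: bool, gzipped: bool) -> bytes:
    """Constructed HTTP response used as sample input (not a capture from the advisory).

    Content-coding (gzip) is applied to the entity first, transfer-coding (chunked) last,
    which is the order HTTP defines.
    """
    body = gzip.compress(payload) if gzipped else payload
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/plain"]
    if gzipped:
        headers.append(b"Content-Encoding: gzip")
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        # Two chunks, so the signature can straddle a chunk boundary.
        mid = len(body) // 2
        parts = [c for c in (body[:mid], body[mid:]) if c]
        body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in parts) + b"0\r\n\r\n"
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def demo() -> dict:
    """Return {case: (naive result, normalizing result)} for the encodings the advisory names."""
    cases = {
        "plain": build_response(PAYLOAD, chunked=False, gzipped=False),
        "chunked": build_response(PAYLOAD, chunked=True, gzipped=False),
        "gzip": build_response(PAYLOAD, chunked=False, gzipped=True),
        "gzip+chunked": build_response(PAYLOAD, chunked=True, gzipped=True),
    }
    return {name: (naive_scan(raw), normalizing_scan(raw)) for name, raw in cases.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in demo().items():
        print(f"{name:13s} naive={naive} normalized={normalized}")
```

Only the plain response is caught by the naive scanner; the chunked and gzip variants carry the same payload but are missed until the proxy decodes them, which is the behaviour the advisory reports. A real proxy would also need to bound decompressed size and reject malformed chunk framing rather than pass it through.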

Proxy chaining may use HTTP 1.1 when:
 * your MS Internet Explorer is configured to use it (see advanced
options)
 * your proxy chaining architecture requires HTTP 1.1 for performance
reasons

Solutions:
 * Use HTTP 1.0 for proxy chaining.
 * According to TrendMicro, InterScan VirusWall version 5 supports HTTP 1.1
chunked transfer encoding and will therefore block any attempt to bypass
it using this feature.

Test it:
If you are protected by TrendMicro InterScan VirusWall HTTP, you can test
it by going to: http://www.althes.fr/virustest/index.html

ADDITIONAL INFORMATION

The information has been provided by Vincent Royer <vroyer@althes.fr>.



