[NT] Trend Micro InterScan VirusWall Directory Traversal
From: SecuriTeam (support_at_securiteam.com)
Date: 03/24/04
To: list@securiteam.com Date: 24 Mar 2004 19:02:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Trend Micro InterScan VirusWall Directory Traversal
------------------------------------------------------------------------
SUMMARY
InterScan VirusWall provides intelligent content scanning to prevent virus
outbreaks. It blocks spam, non-business-related messages, and attachments
to protect the enterprise network and business integrity. A directory
traversal vulnerability in the VirusWall product allows remote attackers
to download files that would otherwise be inaccessible.
DETAILS
InterScan Web VirusWall, part of the InterScan VirusWall package, is a web
proxy/gateway service responsible for scanning content for viruses "on the
fly" before it reaches the user's browser.
InterScan Web VirusWall contains a built-in mechanism that allows anybody
to read files in the /ishttpd/localweb directory by requesting a URL of
the form: http://victimIP:8080/ishttpd/localweb/filename.
URLs that point to other directories (anything other than sub-directories
of "localweb") do not trigger this mechanism and are instead forwarded to
the upstream proxy the service is configured to use.
This "feature" exists because InterScan Web VirusWall has another feature
(not enabled by default) called TeleWindow, which uses an applet
(/ishttpd/localweb/java/telewind.zip) to let the user watch the scanning
process.
Unfortunately, that built-in mini web server has a directory traversal
problem. Using a URL like the following, a malicious attacker can access
files outside the localweb directory:
http://victimIP:8080/ishttpd/localweb/java/?/../../../ishttpd.exe
downloads the service executable, and
http://victimIP:8080/ishttpd/localweb/java/?/../../../../../../../../autoexec.bat
downloads the autoexec.bat file from the root directory.
Workaround:
Administrators should be aware that even when the TeleWindow feature is
not enabled, the vulnerability can still be exploited, since the mini web
server is hard-coded into the service and cannot be turned off from the
configuration interface.
Apply the patch from Trend Micro, or temporarily stop using InterScan Web
VirusWall until the patch is issued.
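The following Python is an added example written for this advisory; it is not Trend Micro code and the document root, the naive resolver and the access-log lines are all constructed or hypothetical. It contrasts a naive prefix-stripping resolver of the kind that would produce the behaviour described above (the query string is appended to the file path and "?/../../" walks out of localweb) with a hardened resolver that splits off the query string, decodes the path, rejects dot-dot segments and re-checks the normalised result against the document root. It also shows how a defender can flag the advisory's traversal requests in an access log, including percent-encoded variants.

```python
"""Request-path confinement and traversal detection for an embedded web
server that serves files under a fixed URL prefix (the advisory's
"/ishttpd/localweb/").  Added example: DOC_ROOT, naive_resolve() and the
sample log lines are constructed for illustration, not taken from the product.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

URL_PREFIX = "/ishttpd/localweb/"        # served prefix, from the advisory
DOC_ROOT = "/opt/iswall/localweb"        # assumed document root (constructed)
_DOTDOT = re.compile(r"(^|/)\.\.(/|$)")  # a ".." path segment anywhere


def naive_resolve(request_target: str, doc_root: str = DOC_ROOT):
    """Hypothetical naive mapping that reproduces the advisory's behaviour:
    strip the prefix and append the rest of the raw target, query string and
    all, to the document root.  ".." segments after the "?" are then
    collapsed by path normalisation and escape the root."""
    if not request_target.startswith(URL_PREFIX):
        return None
    return posixpath.normpath(doc_root + "/" + request_target[len(URL_PREFIX):])


def resolve_under_docroot(request_target: str, doc_root: str = DOC_ROOT):
    """Hardened mapping.  Returns the file path to serve, or None when the
    request is not for the served prefix (forward it to the upstream proxy)
    or would escape the document root.  The query string is discarded before
    any path handling, the path is percent-decoded before it is checked, and
    the normalised result is verified to still lie under doc_root."""
    parts = urlsplit(request_target)        # "?/../../x" becomes parts.query
    path = unquote(parts.path)              # decode %2e%2e, %2f, %3f, ...
    if not path.startswith(URL_PREFIX):
        return None
    rel = path[len(URL_PREFIX):]
    if "\\" in rel or "\x00" in rel or _DOTDOT.search(rel):
        return None                         # reject traversal outright
    full = posixpath.normpath(posixpath.join(doc_root, rel))
    if full != doc_root and not full.startswith(doc_root + "/"):
        return None                         # defence in depth: re-check root
    return full


# Constructed common-log-format lines modelled on the advisory's URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2004:19:02:21 +0200] "GET /ishttpd/localweb/java/telewind.zip HTTP/1.0" 200 48211',
    '10.0.0.9 - - [24/Mar/2004:19:03:02 +0200] "GET /ishttpd/localweb/java/?/../../../ishttpd.exe HTTP/1.0" 200 102400',
    '10.0.0.9 - - [24/Mar/2004:19:03:40 +0200] "GET /ishttpd/localweb/java/?/..%2F..%2F..%2F..%2Fautoexec.bat HTTP/1.0" 200 312',
    '10.0.0.7 - - [24/Mar/2004:19:04:10 +0200] "GET http://www.example.com/index.html HTTP/1.0" 200 5120',
]

_REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def flag_traversal_requests(log_lines):
    """Return the raw request targets that address the served prefix and
    contain a ".." segment anywhere in the decoded target, query included."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        decoded = unquote(m.group(1)).replace("\\", "/")
        if decoded.startswith(URL_PREFIX) and _DOTDOT.search(decoded):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    probe = "/ishttpd/localweb/java/?/../../../ishttpd.exe"
    print("naive   :", naive_resolve(probe))
    print("hardened:", resolve_under_docroot(probe))
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The hardened resolver maps the advisory's first URL to the java directory itself rather than to ishttpd.exe, because the query string never reaches the file path, and it refuses the same traversal when it is placed in the path or percent-encoded. The log check deliberately decodes before matching, since a filter applied to the raw target would miss the `%2F` form.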
Update: An email concerning this problem was sent to the technical support
address virus_doctor@trendmacro.com. However, 6 days have passed and we
have not received any response yet.
ADDITIONAL INFORMATION
The information has been provided by <mailto:trihuynh@zeeup.com> Tri
Huynh from SentryUnion.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.