[NT] Cross Application Scripting in Trend Micro's Antivirus Software

• Previous message: SecuriTeam: "[UNIX] Tripwire Format String Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 6 Jun 2004 18:49:20 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Cross Application Scripting in Trend Micro's Antivirus Software
------------------------------------------------------------------------

SUMMARY

 <http://www.trendmicro.com/en/home/us/enterprise.htm> Trend Micro is "an
AntiVirus vendor". By crafting a special .zip archive it is possible to
inject malicious HTML code on Trend Micro's Internet Security engine, and
run arbitrary commands on the target machine.

DETAILS

Vulnerable Systems:
 * Trend Micro Internet Security model no. 1120 1311 engine version: 7.100

For whatever inexplicable reason, the AntiVirus relies on the time-tested
insecure device known as the Microsoft Internet Explorer. It uses this
incredible derelict 'thing' to generate its reports; that is when the
"Anti-Virus" gadget encounters an opponent, the "malware" of the day, it
alerts and indicates precisely what the problem is.

Attack Concept:
Prerequisite - The default setting of this particular Trend Micro device
does not automatically scan inside .zip files on download for
demonstration purposes it must be enabled.

Knowing what it uses and where it uses it, we then have to work backwards
and devise a method to 'cross-application-scripting' our arbitrary code
into the device in order to coax it to do our work for us.

When the product alerts the user of a possible virus, it creates an HTML
file in the temporary file of the user's machine (the so-called "local
zone") screen shot: <http://www.malware.com/weallcar.png>
http://www.malware.com/weallcar.png
As it can be seen from the screen shot, the filename is echoed to the user
inside the HTML. We would like to inject in filename malicious HTML tags.

Technically (so far) in order to make use of all of this we need to name
our problematic file a suitable name with suitable HTML tags, as we
require. At present the actual browser and operating system automatically
filter this (<script>.com becomes _script_.com).

We can bypass the browser filtering by encapsulating the target file in a
ZIP archive. If we name the file something like: <img>.com
Note: Manual re-construction of the .zip file is required in order to meet
the checksum.

Example file can be found at:
 < http://www.malware.com/eicar.zip> http://www.malware.com/eicar.zip

If any type of virus infects the file, the AntiVirus will detect this and
prompt the user of the problem. By doing so, it will also run the
malicious code from the TEMP directory, inside the local computer zone (My
Computer). This causes a complete compromise to the target machine, as the
HTML script can run arbitrary commands.

Proof of Concept:
A web page containing a working example can be found at:
 <http://www.malware.com/icar.html> http://www.malware.com/icar.html

The source of the HTML is as follow:
<img dynsrc="eicar.zip" width=1 height=1>

<br>
<br>
<br>
<br>

<center><img src="nocigar.gif" ></center>

The page will attempt to load dynamically the file eicar.zip which contain
a file detected by the anti-virus as infected. The file name contain an
<img> tag, and will perform cross application scripting attack.

Notes:
1. This is a technical exercise demonstrating 'cross-application
scripting'. Practical implementation at present should prove impractical.
2. Developers do not put your HTML files in the temp folders

ADDITIONAL INFORMATION

The information has been provided by <mailto:1@malware.com>
http-equiv@excite.com.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Tripwire Format String Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]