[NT] Cross Application Scripting in Trend Micro's Antivirus Software

From: SecuriTeam (support_at_securiteam.com)
Date: 06/06/04

    To: list@securiteam.com
    Date: 6 Jun 2004 18:49:20 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Cross Application Scripting in Trend Micro's Antivirus Software
    ------------------------------------------------------------------------

    SUMMARY

    Trend Micro (<http://www.trendmicro.com/en/home/us/enterprise.htm>) is an
    anti-virus vendor. By crafting a special .zip archive it is possible to
    inject malicious HTML code into Trend Micro's Internet Security engine and
    run arbitrary commands on the target machine.

    DETAILS

    Vulnerable Systems:
     * Trend Micro Internet Security model no. 1120 1311 engine version: 7.100

    For whatever inexplicable reason, the AntiVirus relies on the time-tested
    insecure device known as Microsoft Internet Explorer. It uses this
    incredible derelict 'thing' to generate its reports; that is, when the
    "Anti-Virus" gadget encounters an opponent, the "malware" of the day, it
    alerts and indicates precisely what the problem is.

    Attack Concept:
    Prerequisite - By default this particular Trend Micro product does not
    automatically scan inside .zip files on download; for the purposes of the
    demonstration that option must be enabled.

    Knowing what it uses and where it uses it, we then have to work backwards
    and devise a method to 'cross-application-script' our arbitrary code into
    the device in order to coax it to do our work for us.

    When the product alerts the user of a possible virus, it creates an HTML
    file in the temporary folder on the user's machine (the so-called "local
    zone"). Screen shot: http://www.malware.com/weallcar.png
    As can be seen from the screen shot, the filename is echoed to the user
    inside the HTML. We would like to inject malicious HTML tags into the
    filename.

    Technically (so far), in order to make use of all of this we need to give
    our problematic file a suitable name containing the HTML tags we require.
    At present the browser and operating system automatically filter this
    (<script>.com becomes _script_.com).

    We can bypass the browser filtering by encapsulating the target file in a
    ZIP archive and naming the file something like: <img>.com
    Note: Manual re-construction of the .zip file is required in order to meet
    the checksum.

    Example file can be found at: http://www.malware.com/eicar.zip

    If the file is infected with any type of virus, the AntiVirus will detect
    this and prompt the user about the problem. In doing so, it will also run
    the malicious code from the TEMP directory, inside the local computer zone
    (My Computer). This results in a complete compromise of the target machine,
    as the HTML script can run arbitrary commands.
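    The flaw above, reduced to its essentials, as an added example that is not
    part of this advisory and not Trend Micro's code: a file name is read from
    a ZIP entry (where nothing filters '<' or '>') and written into a locally
    generated HTML report. The vulnerable renderer echoes the name as-is; the
    hardened one HTML-escapes it. The function names, the report wording and
    the archive (a single entry named <img>.com holding a harmless placeholder
    string, not the EICAR file) are all constructed for this example.

```python
# Added example, not part of the advisory or of any Trend Micro code.
# Reproduces the flaw in miniature: a file name read from a ZIP entry is
# written into a locally generated HTML report without escaping. Function
# names, report wording and archive contents are constructed here.
import html
import io
import zipfile

ENTRY_NAME = "<img>.com"  # the file name the advisory uses


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP whose only entry is named '<img>.com'.

    The entry's contents are a harmless placeholder string; the point is the
    name, which the archive stores verbatim.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(ENTRY_NAME, "placeholder content (constructed, not EICAR)")
    return buf.getvalue()


def entry_names(archive: bytes) -> list:
    """Names stored in the archive, exactly as the archive's author chose them.

    The ZIP format does not restrict '<' or '>' in an entry name, so the
    filtering the browser applies to a downloaded file's name does not help.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def render_alert_vulnerable(filename: str) -> str:
    """The flaw described in the advisory: the name is echoed as-is, so any
    tags it carries become part of the report's markup."""
    return f"<html><body>Virus found in file: {filename}</body></html>"


def render_alert_fixed(filename: str) -> str:
    """Hardened form: the untrusted name is HTML-escaped and rendered as text.

    This removes the injection; the separate problem of opening the report
    from the local zone (note 2 of the advisory) is not addressed here.
    """
    safe_name = html.escape(filename, quote=True)
    return f"<html><body>Virus found in file: {safe_name}</body></html>"


def markup_leaked(report: str) -> bool:
    """True when a literal tag from the file name survived into the report."""
    return "<img>" in report


if __name__ == "__main__":
    for name in entry_names(build_sample_archive()):
        for label, render in (("vulnerable", render_alert_vulnerable),
                              ("fixed", render_alert_fixed)):
            report = render(name)
            verdict = "leaks markup" if markup_leaked(report) else "ok"
            print(f"{label:10s} {verdict:13s} {report}")
```

    Running the block prints both renderings side by side; only the escaped
    one shows the file name as text instead of as a tag.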

    Proof of Concept:
    A web page containing a working example can be found at:
    http://www.malware.com/icar.html

    The source of the HTML is as follows:
    <img dynsrc="eicar.zip" width=1 height=1>

    <br>
    <br>
    <br>
    <br>

    <center><img src="nocigar.gif" ></center>

    The page will attempt to dynamically load the file eicar.zip, which
    contains a file detected by the anti-virus as infected. That file's name
    contains an <img> tag, and will perform the cross application scripting
    attack.

    Notes:
    1. This is a technical exercise demonstrating 'cross-application
    scripting'. Practical implementation at present should prove impractical.
    2. Developers: do not put your HTML files in the temp folders.

    ADDITIONAL INFORMATION

    The information has been provided by http-equiv@excite.com
    (mailto:1@malware.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

