[NEWS] Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 11 Feb 2007 18:11:01 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
The Trend Micro AntiVirus scan engine (http://www.trendmicro.com/)
provides anti-virus capabilities to desktop, server and gateway systems.
The engine is licensed to several of Trend Micro's OEM partners.
Exploitation of a vulnerability in Trend Micro's AntiVirus scanner allows
attackers to crash the scan engine or execute arbitrary code via a
malformed UPX file.
DETAILS
Vulnerable Systems:
* Trend Micro's PC-Cillin Internet Security 2007
* VsapiNI.sys (scan engine) version 3.320.0.1003
* ServerProtect for Linux v2.5 on RHEL 4.x
* vsapiapp version 8.310
* (Any implementations based on Trend Micro's AntiVirus scan engine are
likely vulnerable in their default configuration.)
Remote exploitation of a buffer overflow vulnerability within Trend
Micro's AntiVirus engine could allow an attacker to crash the scan engine
or execute arbitrary code.
This vulnerability is caused by improper input validation when the engine
scans specially crafted, malformed UPX-compressed executables. The resulting
memory corruption can lead to an invalid memory access (a crash of the scan
engine) or to a potentially exploitable condition.
Because the engine scans content arriving over common protocols such as
SMTP, HTTP and FTP, an attacker can deliver the malformed file remotely
(for example as an e-mail attachment or a download) and thereby gain
unauthorized access to the machine running the scanner. No authentication
is required to leverage this vulnerability.
Under Windows, the scan engine runs in kernel context. Under Linux, the
scan engine runs as a daemon with superuser privileges. As such, an
attacker can take complete control of the affected system if successful
code execution is attained.
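The advisory does not say which header field or copy the engine gets wrong, so the following is an added illustration, not Trend Micro's or iDefense's code and not the real UPX PackHeader layout. It uses a hypothetical, simplified "UPX!"-style header (magic, declared unpacked length u_len, declared packed length c_len) in front of a toy run-length payload. The unchecked unpacker sizes its work by the attacker-controlled header, which is the class of bug described above; the checked unpacker bounds every length by the bytes actually present in the file and by the scanner's own fixed buffer. The OUT_CAP constant, the arena-with-canary harness and the sample files are constructed for this demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified UPX-style header used only for this example.
 * Layout (little-endian): "UPX!" | u_len (4) | c_len (4) | c_len bytes of payload.
 * This is NOT the real UPX PackHeader and NOT Trend Micro's parser.          */
#define HDR_SIZE 12u
#define OUT_CAP  128u   /* assumed fixed-size unpack buffer of the scanner */

enum scan_result { SCAN_OK = 0, SCAN_BAD_MAGIC, SCAN_TRUNCATED, SCAN_TOO_LARGE, SCAN_CORRUPT };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Toy run-length "compression" standing in for the real decompressor:
 * the payload is a sequence of (count, value) byte pairs.                   */

/* VULNERABLE: the caller sized `out` from the header's u_len, the loop is driven
 * by the header's c_len, and neither is compared with reality. A payload that
 * expands to more than u_len bytes writes past the end of `out`; a c_len larger
 * than the file reads past the end of the input.                            */
static void unpack_unchecked(const uint8_t *file, uint8_t *out) {
    uint32_t c_len = rd32le(file + 8);
    const uint8_t *in = file + HDR_SIZE;
    size_t o = 0;
    for (uint32_t i = 0; i + 1 < c_len; i += 2) {
        memset(out + o, in[i + 1], in[i]);  /* no bound on the output buffer */
        o += in[i];
    }
}

/* HARDENED: lengths are checked against the bytes actually present and against
 * the real output capacity; the expansion loop is bounded, not trusted.     */
static enum scan_result unpack_checked(const uint8_t *file, size_t file_len,
                                       uint8_t *out, size_t out_cap, size_t *out_len) {
    if (file_len < HDR_SIZE || memcmp(file, "UPX!", 4) != 0) return SCAN_BAD_MAGIC;
    uint32_t u_len = rd32le(file + 4), c_len = rd32le(file + 8);
    if (c_len > file_len - HDR_SIZE) return SCAN_TRUNCATED;  /* c_len vs. real file size */
    if (u_len > out_cap)             return SCAN_TOO_LARGE;  /* u_len vs. real buffer   */
    const uint8_t *in = file + HDR_SIZE;
    size_t o = 0;
    for (uint32_t i = 0; i + 1 < c_len; i += 2) {
        size_t n = in[i];
        if (n > u_len - o) return SCAN_CORRUPT;  /* expansion exceeds the (capped) claim */
        memset(out + o, in[i + 1], n);
        o += n;
    }
    if (o != u_len) return SCAN_CORRUPT;         /* stream ended early: header lied */
    *out_len = o;
    return SCAN_OK;
}

/* Constructed sample files (not real UPX binaries). */
const uint8_t BENIGN[]    = { 'U','P','X','!', 8,0,0,0,  4,0,0,0,  4,'A', 4,'B' };
const uint8_t CRAFTED[]   = { 'U','P','X','!', 16,0,0,0, 6,0,0,0,  16,'X', 16,'Y', 16,'Z' }; /* claims 16, expands to 48 */
const uint8_t TRUNCATED[] = { 'U','P','X','!', 8,0,0,0,  100,0,0,0, 4,'A', 4,'B' };          /* c_len beyond the file    */
const uint8_t OVERSIZED[] = { 'U','P','X','!', 0xFF,0xFF,0xFF,0xFF, 4,0,0,0, 4,'A', 4,'B' }; /* u_len beyond any buffer  */

/* Runs the unchecked unpacker into a 16-byte slot (what u_len asked for) that sits
 * inside a larger canary-filled arena, so the overrun stays in defined memory and
 * can be observed. Returns 1 if the byte just past the slot was overwritten.  */
int unchecked_overflows_canary(void) {
    uint8_t arena[64];
    memset(arena, 0xCC, sizeof arena);
    unpack_unchecked(CRAFTED, arena);  /* logical buffer is arena[0..16) */
    return arena[16] != 0xCC;
}

/* Scans a file through the checked path with the scanner's fixed buffer. */
enum scan_result scan_file(const uint8_t *file, size_t file_len) {
    uint8_t out[OUT_CAP];
    size_t n = 0;
    return unpack_checked(file, file_len, out, sizeof out, &n);
}

/* Returns 1 if BENIGN unpacks through the checked path to "AAAABBBB". */
int benign_roundtrip_ok(void) {
    uint8_t out[OUT_CAP];
    size_t n = 0;
    return unpack_checked(BENIGN, sizeof BENIGN, out, sizeof out, &n) == SCAN_OK
        && n == 8 && memcmp(out, "AAAABBBB", 8) == 0;
}

int main(void) {
    printf("unchecked unpacker clobbered the canary: %d\n", unchecked_overflows_canary());
    printf("checked: benign=%d crafted=%d truncated=%d oversized=%d\n",
           scan_file(BENIGN, sizeof BENIGN), scan_file(CRAFTED, sizeof CRAFTED),
           scan_file(TRUNCATED, sizeof TRUNCATED), scan_file(OVERSIZED, sizeof OVERSIZED));
    return 0;
}
```

Build and run with `cc -Wall -o upxdemo upxdemo.c && ./upxdemo`. The point generalises beyond this toy: a scanner that decodes untrusted container formats in kernel context (Windows) or as root (Linux) has to treat every length field as a claim to be verified against the bytes it actually holds and the buffer it actually owns, and the decompressor must be bounded by the latter, never by the former.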
Vendor Status:
"To address this vulnerability, Trend Micro recommends customers to update
to Virus Pattern File 4.245.00 or higher."
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034289
Disclosure Timeline:
* 01/17/2007 - Initial vendor notification
* 01/19/2007 - Initial vendor response
* 02/07/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=470