[NEWS] Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 21 Feb 2007 19:12:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities
------------------------------------------------------------------------
SUMMARY
"
<http://www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm> ServerProtect provides comprehensive antivirus scanning for servers, detecting and removing viruses from files and compressed files in real time"
These vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Trend Micro ServerProtect. Authentication is
not required to exploit these vulnerabilities.
DETAILS
Vulnerable Systems:
* ServerProtect for Windows 5.58
* ServerProtect for EMC 5.58
* ServerProtect for Network Appliance Filer 5.61
* ServerProtect for Network Appliance Filer 5.62
The specific flaws exist within the StCommon.dll library and are reachable
remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the
service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with
the following IDL stub information:
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0
error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
[in] long trend_req_num,
[in][size_is(arg_4)] byte overflow_str[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
[in] long arg_6
);
The upper half of the 'trend_req_num' DWORD RPC argument from above is
used within TmRpcSrv.dll as an index into a call table. It must
specifically be 0x000a which results in a call to StRpcSrv.65673970(). The
original arguments to the RPC endpoint are then passed to this called
routine:
657416E6 mov eax, opnum0_call_table[eax*4]
657416ED test eax, eax
657416EF jnz short loc_65741707
...
65741707 loc_65741707:
65741707 mov [ebp+var_4], 0
6574170E mov edx, [ebp+sizeof_arg5]
65741711 push edx
65741712 mov edx, [ebp+arg5_array]
65741715 push edx
65741716 mov edx, [ebp+sizeof_overflow_str]
65741719 push edx
6574171A mov edx, [ebp+overflow_str]
6574171D push edx
6574171E push ecx ; trend_req_num
6574171F call eax ; call handler
The lower half of the 'trend_req_num' DWORD RPC argument is then used
within StRpcSrv.dll as an index into a second call table. The value of
this lower half controls the code flow to the following vulnerabilities
and is hereto referred to as the 'subcode'.
Vulnerability One:
A subcode value of either 0x0011 or 0x0017 results in the following call:
65674D7F push ebx ; overflow_str
65674D80 call CMON_NetTestConnection
A stack overflow occurs within the routine CMON_NetTestConnection() due to
an unbounded widechar wsprintf() into a 44 byte stack based buffer as
shown in the following relevant excerpt:
65634AC5 xor ecx, ecx
65634AC7 lea edx, [esp+65Ch+Name] ; 44 byte stack buffer
65634ACB mov cx, [eax]
65634ACE push ecx
65634ACF push ebx ; 1st arg
65634AD0 push offset str_SC ; "\\\\%s\\%c$"
65634AD5 push edx ; LPWSTR
65634AD6 call ds:wsprintfW ; vuln!
Vulnerability Two:
A subcode value of either 0x0008 or 0x0009 results in calls to
CMON_ActiveUpdate() and CMON_ActiveRollback() respectively. Both of these
routines subsequently call StCommon.65631220() which can result in a stack
overflow due to an unbounded widechar lstrcat() into a 2k stack-based
buffer as shown in the following relevant excerpt:
65631311 lea edx, [esp+0A78h+buf]
65631318 push ebp ; lpString2
65631319 push edx ; lpString1
6563131A call ebx ; lstrcatW ; stack overflow
The resulting stack overflows can be leveraged to execute arbitrary code
under the privileges of the SYSTEM user.
Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More
details can be found at:
<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290>
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290
Disclosure Timeline:
* 2007.01.16 - Digital Vaccine released to TippingPoint customers
* 2007.01.19 - Vulnerability reported to vendor
* 2007.02.20 - Coordinated public release of advisory
ADDITIONAL INFORMATION
The information has been provided by TippingPoint Security Research Team.
The original article can be found at:
<http://www.tippingpoint.com/security/advisories/TSRT-07-01.html>
http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities
- Next by Date: [UNIX] phpTrafficA Local File Inclusion
- Previous by thread: [NEWS] Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities
- Next by thread: [UNIX] phpTrafficA Local File Inclusion
- Index(es):
Relevant Pages
|
