SNS Advisory No.28

InterScan VirusWall for NT remote configuration

Problem first discovered: 24 May 2001
Published: 31 May 2001
Last Updated: 31 May 2001
_________________________________________________________________

Overview:

Trend Micro InterScan VirusWall for Windows NT is an antivirus software program that can be controlled remotely via pre-installed CGI programs. A vulnerability was found in this software that could allow a malicious remote user to make unexpected modifications to the configuration of the software.

Problem Description:

InterScan VirusWall for Windows NT is virus protection software for incoming and outgoing e-mail, HTTP and FTP traffic. Its configuration can be set and changed through a Web browser. The configuration interface is built from a set of CGI programs running on Internet Information Server 4.0. Unfortunately, the CGI programs have no feature for restricting the source of a modification request, and are not protected against malicious remote users who call a program's location with arbitrary arguments. This may allow a remote user to change the software's configuration unexpectedly.

Examples)

  http://target/interscan/cgi-bin/FtpSave.dll?no
  http://target/interscan/cgi-bin/FtpSave.dll?yes
  http://target/interscan/cgi-bin/FtpSave.dll?I'm%20here

Tested Version:

InterScan VirusWall for Windows NT 3.51 English

Tested OS:

Windows NT 4.0 SP6a [English Version]

Patch Information:

No patches are available now. The Trend Micro support team has responded that this problem will be fixed in Version 5.0. They have also reported that the patch program will be released in July, 2001. Until the patch is released, it is recommended to set up access control to refuse access to servers where VirusWall has been installed.
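
The access-control recommendation above can be backed by a log check. The following is an added example, not part of the LAC advisory or of Trend Micro's software: it scans IIS logs for requests to the /interscan/cgi-bin/ directory that come from addresses outside a management allowlist. The W3C extended log format, the allowlist network and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the advisory): IIS logs in W3C extended format, and
# a management network that is the only legitimate source of admin requests.
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # hypothetical allowlist
ADMIN_PREFIX = "/interscan/cgi-bin/"                 # path from the advisory

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-24 09:01:12 192.0.2.5 GET /interscan/cgi-bin/FtpSave.dll no 200
2001-05-24 09:03:40 203.0.113.77 GET /interscan/cgi-bin/FtpSave.dll yes 200
2001-05-24 09:04:02 203.0.113.77 GET /default.htm - 200
2001-05-24 09:05:19 198.51.100.9 GET /InterScan/CGI-BIN/FtpSave.dll I'm%20here 200
"""

def unexpected_admin_requests(log_text, admin_nets=ADMIN_NETS):
    """Return (timestamp, client, uri, query, status) for each request to the
    VirusWall CGI directory whose client address is outside admin_nets."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # directive, blank, or malformed entry
        row = dict(zip(fields, parts))
        # Windows paths are case-insensitive, so compare in lower case.
        if not row.get("cs-uri-stem", "").lower().startswith(ADMIN_PREFIX):
            continue
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            client = None  # unparseable source address: treat as untrusted
        if client is None or not any(client in net for net in admin_nets):
            hits.append((row.get("date", "") + " " + row.get("time", ""),
                         row.get("c-ip", ""), row["cs-uri-stem"],
                         row.get("cs-uri-query", "-"), row.get("sc-status", "")))
    return hits

if __name__ == "__main__":
    for hit in unexpected_admin_requests(SAMPLE_LOG):
        print("ALERT", *hit)
```

A 200 status on a flagged line means the request reached the CGI program, so the configuration on that server should be reviewed.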

Discovered by:

Nobuo Miwa (LAC / n-miwa@lac.co.jp)

Disclaimer:

All information in these advisories is subject to change without advance notice or mutual consensus, and each advisory is released as is. LAC Co.,Ltd. is not responsible for any risk or occurrence caused by applying this information.
_________________________________________________________________

Copyright(c) 1995-2002 Little eArth Corporation