SNS Advisory No.31
Japanese Edition: [6]

Trend Micro InterScan VirusWall for Windows NT 3.51
FtpSaveC*P.dll Buffer Overflow Vulnerability

Problem first discovered: 30 May 2001
Published: 13 Jun 2001
Last Updated: 13 Jun 2001
_________________________________________________________________

Overview:

A buffer overflow vulnerability was found in two administrative programs of InterScan VirusWall for Windows NT, FtpSaveCSP.dll and FtpSaveCVP.dll. It allows a remote user to execute arbitrary commands with SYSTEM privileges.

Problem Description:

If a long string is written into a certain configuration parameter by exploiting the vulnerability reported in [7]SNS Advisory No.28, a buffer overflow occurs when the following DLLs are viewed:

  http://server/interscan/cgi-bin/FtpSaveCSP.dll
  http://server/interscan/cgi-bin/FtpSaveCVP.dll

The overflow produces the following memory dump:

  00F9FC04  4F 50 50 50 51 51  OPPPQQ
  00F9FC0A  51 52 52 52 53 53  QRRRSS
  00F9FC10  53 54 54 54 55 55  STTTUU
  00F9FC16  55 56 61 62 63 64  UVabcd
  00F9FC1C  57 58 58 58 59 59  WXXXYY
  00F9FC22  59 5A 5A 5A 61 61  YZZZaa
  00F9FC28  61 61 61 61 61 61  aaaaaa
  00F9FC2E  61 61 61 61 61 61  aaaaaa

Registers:

  EAX = 00F9FC1C
  EIP = 64636261

Arbitrary code may therefore be executed through the call via EAX, whose value can be replaced with an arbitrary attacker-supplied address. Combined with the ftpsave.dll vulnerability described in [8]SNS Advisory No.28, a remote user can easily launch an attack.

Tested Version:

  InterScan VirusWall for Windows NT 3.51J (Japanese)
  InterScan VirusWall for Windows NT 3.51 (English)

Tested OS:

  Windows NT 4.0 Server SP6a (English Version)
  Windows NT 4.0 Server SP6a (Japanese Version)

Patch Information:

The Trend Micro Japanese support team has not commented on this issue. Until a patch is released, it is recommended to set up access control that refuses non-administrative users access to servers on which InterScan VirusWall is installed.

Discovered by:

Nobuo Miwa (LAC / [9]n-miwa@lac.co.jp)

Disclaimer:

All information in these advisories is subject to change without advance notice or mutual consent, and is released as is. LAC Co., Ltd. is not responsible for any risk arising from applying this information.
_________________________________________________________________
Copyright(c) 1995-2002 Little eArth Corporation

References

1. http://www.lac.co.jp/security/english/snsadv_e/31_e.html#r1_c1Map
2. http://www.lac.co.jp/security/index.html
3. http://www.lac.co.jp/security/english/snsadv_e/index.html
4. http://www.lac.co.jp/security/english/snsadv_e/30_e.html
5. http://www.lac.co.jp/security/english/snsadv_e/32_e.html
6. http://www.lac.co.jp/security/intelligence/SNSAdvisory/31.html
7. http://www.lac.co.jp/security/english/snsadv_e/28_e.html
8. http://www.lac.co.jp/security/english/snsadv_e/28_e.html
9. mailto:n-miwa@lac.co.jp
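The memory dump and register values in the Problem Description are the evidence for the control-flow hijack, and a practitioner triaging such a crash wants to confirm from the dump alone that the bytes now in EIP came from the overflowed buffer, and where they sit relative to EAX. The following Python script is an added example for that crash-triage step; it is not code from the advisory or from LAC. It embeds the dump, EAX and EIP exactly as quoted above, parses the dump into an address-to-byte map, and searches it for the little-endian encoding of EIP. On this data the EIP value 0x64636261 decodes to the bytes "abcd", which the dump places at 00F9FC18, four bytes below the address held in EAX.

```python
import struct

# Memory dump and registers quoted verbatim from SNS Advisory No.31.
DUMP = """\
00F9FC04 4F 50 50 50 51 51 OPPPQQ
00F9FC0A 51 52 52 52 53 53 QRRRSS
00F9FC10 53 54 54 54 55 55 STTTUU
00F9FC16 55 56 61 62 63 64 UVabcd
00F9FC1C 57 58 58 58 59 59 WXXXYY
00F9FC22 59 5A 5A 5A 61 61 YZZZaa
00F9FC28 61 61 61 61 61 61 aaaaaa
00F9FC2E 61 61 61 61 61 61 aaaaaa
"""
EAX = 0x00F9FC1C
EIP = 0x64636261

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_byte_token(token):
    """True for a two-character hex token such as '4F'. The trailing ASCII
    column ('aaaaaa', 'UVabcd') is longer than two characters, so it is
    never mistaken for data."""
    return len(token) == 2 and set(token) <= HEX_DIGITS


def parse_dump(text):
    """Parse 'ADDRESS xx xx xx ...' lines into a {address: byte} map."""
    memory = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or len(tokens[0]) != 8 or not set(tokens[0]) <= HEX_DIGITS:
            continue  # not a dump line
        base = int(tokens[0], 16)
        offset = 0
        for token in tokens[1:]:
            if not is_byte_token(token):
                break  # reached the ASCII column
            memory[base + offset] = int(token, 16)
            offset += 1
    return memory


def read_dword(memory, addr):
    """Little-endian 32-bit read; None if any byte lies outside the dump."""
    try:
        raw = bytes(memory[addr + i] for i in range(4))
    except KeyError:
        return None
    return struct.unpack("<I", raw)[0]


def find_dword(memory, value):
    """All addresses at which `value` appears as a little-endian dword."""
    return [a for a in sorted(memory) if read_dword(memory, a) == value]


def triage(dump_text, eax, eip):
    """Relate the faulting EIP back to the dumped buffer and to EAX."""
    memory = parse_dump(dump_text)
    hits = find_dword(memory, eip)
    return {
        "eip_as_bytes": struct.pack("<I", eip),      # the bytes that became EIP
        "eip_found_at": hits,                        # where they sit in the dump
        "offset_from_eax": [h - eax for h in hits],  # position relative to EAX
        "dword_at_eax": read_dword(memory, eax),     # what EAX itself points at
        "bytes_parsed": len(memory),
    }


if __name__ == "__main__":
    result = triage(DUMP, EAX, EIP)
    print("EIP bytes          :", result["eip_as_bytes"])
    print("found in dump at   :", [hex(a) for a in result["eip_found_at"]])
    print("offset from EAX    :", result["offset_from_eax"])
    print("dword at EAX       :", hex(result["dword_at_eax"]))
```

The byte-token check in parse_dump matters for this particular dump: a naive "take every hex-looking token" parser would swallow the ASCII column "aaaaaa" as data on the last two rows. Running the script shows the EIP bytes at a single address, 0x00F9FC18, at offset -4 from EAX, while EAX itself points at "WXXX"; that is the check a responder would perform before accepting the advisory's conclusion that the overflow reaches the instruction pointer.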