SNS Advisory No.33

TrendMicro InterScan WebManager Version 1.2 RegGo.dll Buffer Overflow Vulnerability

Problem first discovered: 6 Jun 2001
Published: 21 Jun 2001
Last Updated: 21 Jun 2001
_________________________________________________________________

Overview:
  Trend Micro InterScan WebManager is software that provides malicious mobile code protection, URL filtering and traffic management. A buffer overflow vulnerability exists in RegGo.dll, which is used by the web management console feature of InterScan WebManager version 1.2. This problem can allow remote users to execute arbitrary commands with SYSTEM privilege.

Problem Description:
  InterScan WebManager provides a web-based management console. RegGo.dll, which is used for this feature, has a buffer overflow vulnerability that is triggered when a long parameter is given. The following are a memory dump and the register contents at the moment the buffer overflow occurs.

  memory dump:
    00F0FC6C  42 42 42 42  BBBB
    00F0FC70  43 43 43 43  CCCC
    00F0FC74  44 44 44 44  DDDD
    00F0FC78  45 45 45 45  EEEE

  register:
    EAX = 00F0FC6C
    EIP = 41414141

  Therefore, arbitrary code placed at address 00F0FC6C may be executed by calling eax.

Tested Version:
  TrendMicro InterScan WebManager Version 1.2

Tested OS:
  Microsoft Windows NT Server 4.0 + SP6a [English]

Patch Information:
  No patches are available now. The Trend Micro support team responded that this problem will be fixed in the next version of WebManager. However, they have not provided more detailed information. Until the patch is released, it is recommended to set up access control that refuses access to servers on which WebManager is installed.

Discovered by:
  ARAI Yuu (LAC) y.arai@lac.co.jp

Disclaimer:
  All information in these advisories is subject to change without advance notice or mutual consent, and each advisory is released as is. LAC Co.,Ltd. is not responsible for any risks arising from applying this information.
_________________________________________________________________

Copyright(c) 1995-2002 Little eArth Corporation
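
The advisory states that the overflow is triggered by a long parameter passed to RegGo.dll. The following added example, which is not part of the LAC advisory or of any Trend Micro code, flags such requests in web access logs. The Common Log Format input, the /console/ path, the "page" parameter name and the 256-character threshold are all assumptions, since the advisory specifies none of them.

```python
import re
from urllib.parse import parse_qsl

# Assumption: the advisory gives no overflow length, so this threshold is a
# tunable guess set well above what a console parameter would normally need.
MAX_PARAM_LEN = 256

# Common Log Format: source, ident, user, [timestamp], "METHOD target ..."
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')

def longest_reggo_field(target):
    """Length of the longest parameter name/value or trailing path info in a
    request aimed at RegGo.dll; None if the request targets something else."""
    path, _, query = target.partition("?")
    segments = path.split("/")
    names = [s.lower() for s in segments]      # NT file names are case-insensitive
    if "reggo.dll" not in names:
        return None
    extra = "/".join(segments[names.index("reggo.dll") + 1:])
    fields = [extra]
    # parse_qsl percent-decodes, so lengths reflect what the DLL would receive
    for key, value in parse_qsl(query, keep_blank_values=True):
        fields += [key, value]
    return max(len(f) for f in fields)

def suspicious_reggo_requests(lines, max_len=MAX_PARAM_LEN):
    """Return (source, timestamp, longest_field_length) for each logged request
    to RegGo.dll that carries a field longer than max_len."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                            # not a parsable access-log line
        src, ts, target = m.groups()
        longest = longest_reggo_field(target)
        if longest is not None and longest > max_len:
            hits.append((src, ts, longest))
    return hits

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2001:10:00:01 +0900] "GET /console/RegGo.dll?page=status HTTP/1.0" 200 512',
    '192.0.2.77 - - [21/Jun/2001:10:02:13 +0900] "GET /console/RegGo.dll?page=' + "A" * 600 + ' HTTP/1.0" 500 0',
    '192.0.2.10 - - [21/Jun/2001:10:03:40 +0900] "GET /index.html?q=' + "B" * 600 + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_reggo_requests(SAMPLE_LOG):
        print("long RegGo.dll parameter from %s at %s (%d chars)" % hit)
```

Parameters sent in a POST body do not appear in access logs, so this check complements, and does not replace, the access control recommended under Patch Information.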