[1][USEMAP:frame_r1_c1.gif]   [frame_r1_c3.gif]
   [2]Japanese
   
   SNS Advisory
   [title2_r1_c1.gif]
   
   [3][GoIndex.gif] [4][GoBack.gif] 
   
                                     34
                                      
   [5][GoNext.gif] [6]Japanese Edition
   
   SNS Advisory No.34
   TrendMicro InterScan VirusWall 3.51 smtpscan.dll Buffer Overflow 
   
   Problem first discovered: 6 Jun 2001
   Published: 28 Jun 2001
   Last Updated:28 Jun 2001
     _________________________________________________________________
   
   Overview:
   
   A buffer overflow vulnerability was found in administrative programs,
   smtpscan.dll, of InterScan VirusWall for Windows NT. It allows a
   remote user to execute an arbitrary command with SYSTEM privilege.
   
   Problem Description: 
   
   If long strings are included in a certain parameter of configuration
   by exploiting the vulnerability reported by SNS Advisory No.28, a
   buffer overflow will occur when requesting the following dll:
   
   http://server/interscan/cgi-bin/smtpscan.dll
   
   The following are a memory dump and contents of register when a buffer
   overflow is occurred.
   
   memory dump:
00F8E5C0 71 71 71 72 72 72 72 73 qqqrrrrs
00F8E5C8 73 73 73 74 74 74 74 75 sssttttu

   register: 
EIP=73727272 ESP=00F8E5C8

   Therefore, arbitrary code may be executed by calling esp which may be
   replaced by an attacker's supplied arbitrary code.
   
     Tested Version:
     
     InterScan VirusWall for Windows NT 3.51 English
     
     Tested OS:
     
     Microsoft Windows NT Server 4.0 + SP6a [English]
     
     Patch Information:
     
     To get the patch, send an e-mail to
     [7]support@support.trendmicro.com or search this issue at
     [8]http://solutionbank.antivirus.com/solutions/solutionSearch.asp 
     
     Discovered by:
     
     Nobuo Miwa [9]n-miwa@lac.co.jp
     
     Disclaimer:
     
     All information in these advisories are subject to change without
     any advanced notices neither mutual consensus, and each of them is
     released as it is. LAC Co.,Ltd. is not responsible for any risks of
     occurrences caused by applying those information.
     _________________________________________________________________
   
     Copyright(c) 1995-2002 Little eArth Corporation

References

   1. LYNXIMGMAP:http://www.lac.co.jp/security/english/snsadv_e/34_e.html#r1_c1Map
   2. http://www.lac.co.jp/security/index.html
   3. http://www.lac.co.jp/security/english/snsadv_e/index.html
   4. http://www.lac.co.jp/security/english/snsadv_e/33_e.html
   5. http://www.lac.co.jp/security/english/snsadv_e/35_e.html
   6. http://www.lac.co.jp/security/intelligence/SNSAdvisory/34.html
   7. mailto:%20support@support.trendmicro.com
   8. http://solutionbank.antivirus.com/solutions/solutionSearch.asp
   9. mailto:%20n-miwa@lac.co.jp