[1][USEMAP:frame_r1_c1.gif]   [frame_r1_c3.gif]
   [2]Japanese
   
   SNS Advisory
   [title2_r1_c1.gif]
   
   [3][GoIndex.gif] [4][GoBack.gif] 
   
                                     35
                                      
   [5][GoNext.gif] [6]Japanese Edition
   
   SNS Advisory No.35
   TrendMicro InterScan VirusWall 3.51 HttpSaveC*P.dll Buffer Overflow
   
   Problem first discovered: 1 Jun 2001
   Published: 28 Jun 2001
   Last Updated:28 Jun 2001
     _________________________________________________________________
   
   Overview:
   
   A buffer overflow vulnerability was found in administrative programs,
   smtpscan.dll, of InterScan VirusWall for Windows NT. It allows a
   remote user to execute an arbitrary command with SYSTEM privilege.
   
   Problem Description: 
   
   If long strings are included in a certain parameter of configuration
   by exploiting the vulnerability reported by SNS Advisory No.28, a
   buffer overflow will occur when requesting the following dll(s):
   
   http://server/interscan/cgi-bin/HttpSaveCVP.dll
   http://server/interscan/cgi-bin/HttpSaveCSP.dll
   
   The following are a memory dump and contents of register when a buffer
   overflow occurs.
   
   memory dump:
023FFAC2  6D 6D 6D 6E 6E 6E  mmmnnn
023FFAC8  6F 6F 6F 70 70 70  oooppp

   register: 
EAX = 023FFAC8 EIP = 6E6E6E6D

   Therefore, arbitrary code may be executed by calling eax which may be
   replaced by an attacker's supplied arbitrary code.
   
     Tested Version:
     
     InterScan VirusWall for Windows NT 3.51 English
     
     Tested OS:
     
     Microsoft Windows NT Server 4.0 + SP6a [English]
     
     Patch Information:
     
     To get the patch, send an e-mail to
     [7]support@support.trendmicro.com or search this issue at
     [8]http://solutionbank.antivirus.com/solutions/solutionSearch.asp 
     
     Discovered by:
     
     Nobuo Miwa [9]n-miwa@lac.co.jp
     
     Disclaimer:
     
     All information in these advisories are subject to change without
     any advanced notices neither mutual consensus, and each of them is
     released as it is. LAC Co.,Ltd. is not responsible for any risks of
     occurrences caused by applying those information.
     _________________________________________________________________
   
     Copyright(c) 1995-2002 Little eArth Corporation

References

   1. LYNXIMGMAP:http://www.lac.co.jp/security/english/snsadv_e/35_e.html#r1_c1Map
   2. http://www.lac.co.jp/security/index.html
   3. http://www.lac.co.jp/security/english/snsadv_e/index.html
   4. http://www.lac.co.jp/security/english/snsadv_e/34_e.html
   5. http://www.lac.co.jp/security/english/snsadv_e/36_e.html
   6. http://www.lac.co.jp/security/intelligence/SNSAdvisory/35.html
   7. mailto:%20support@support.trendmicro.com
   8. http://solutionbank.antivirus.com/solutions/solutionSearch.asp
   9. mailto:%20n-miwa@lac.co.jp