Type packetstorm
Modified 2000-05-17T00:00:00


Network Associates, Inc.  
COVERT Labs Security Advisory  
May 4, 2000  
Trend Micro InterScan VirusWall Remote Overflow  
o Synopsis  
An implementation flaw in the InterScan VirusWall SMTP gateway allows  
a remote attacker to execute code with the privileges of the daemon.  
o Vulnerable Systems  
InterScan VirusWall for Windows NT versions prior to and including  
version 3.32 are vulnerable.  
o Vulnerability Information  
InterScan VirusWall provides an SMTP gateway which scans all inbound  
and outbound mail traffic for viruses before forwarding it to an SMTP  
server. The SMTP gateway implements analysis of standard UU encoding,  
which is used for transmitting binary files over transmission media  
that support only simple ASCII data.  
A standard UU encoded file contains a final file name to which the  
encoded data should be written. Due to an implementation fault in  
VirusWall's handling of this file name, it is possible for a remote  
attacker to specify an arbitrarily long string, overwriting the stack  
with user-defined data. A filename greater than 128 bytes will allow  
a remote attacker to execute arbitrary code.  
Creation of a specially crafted filename allows remote shell access  
with the privileges of the VirusWall daemon; under Windows NT this is  
the SYSTEM account.  
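
The flaw class described above is an unbounded copy of the file name from the UU `begin` header into fixed stack storage. The following is an added example, not code from the advisory or from Trend Micro, of a header parser that checks the name length before copying; the function name, status codes and the use of 128 as the accepted maximum are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UU_NAME_MAX 128  /* assumed limit, from the advisory's 128-byte figure */

enum uu_status { UU_OK = 0, UU_NOT_BEGIN = -1, UU_BAD_MODE = -2,
                 UU_NO_NAME = -3, UU_NAME_TOO_LONG = -4 };

/* Parse "begin <octal mode> <filename>" into caller-supplied storage.
 * name must hold name_cap bytes; nothing is ever written past it. */
enum uu_status parse_uu_begin(const char *line, unsigned *mode,
                              char *name, size_t name_cap)
{
    if (strncmp(line, "begin ", 6) != 0)
        return UU_NOT_BEGIN;

    char *end;
    unsigned long m = strtoul(line + 6, &end, 8);
    if (end == line + 6 || *end != ' ' || m > 07777)
        return UU_BAD_MODE;

    const char *fname = end + 1;
    size_t len = strcspn(fname, "\r\n");   /* name length without line ending */
    if (len == 0)
        return UU_NO_NAME;
    if (len >= name_cap)                   /* length check BEFORE any copy */
        return UU_NAME_TOO_LONG;

    memcpy(name, fname, len);
    name[len] = '\0';
    *mode = (unsigned)m;
    return UU_OK;
}

int main(void)
{
    char name[UU_NAME_MAX + 1], line[512];
    unsigned mode = 0;
    printf("%d\n", parse_uu_begin("begin 644 report.doc\r\n", &mode, name, sizeof name));
    /* Constructed over-long header: 300 'A' characters as the file name. */
    memcpy(line, "begin 644 ", 10);
    memset(line + 10, 'A', 300);
    line[310] = '\0';
    printf("%d\n", parse_uu_begin(line, &mode, name, sizeof name));
    return 0;
}
```

A gateway using a check like this can reject or quarantine the message when `UU_NAME_TOO_LONG` is returned instead of passing the name on to later processing.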
o Resolution  
Trend Micro has corrected this problem in InterScan VirusWall for  
Windows NT Version 3.4, which is currently available as a beta from:  
o Credits  
The discovery and documentation of this vulnerability was conducted  
by Barnaby Jack with the COVERT Labs at PGP Security, a Network  
Associates business.  
o Contact Information  
For more information about the COVERT Labs at PGP Security, visit our  
website at or send e-mail to  
o Legal Notice  
The information contained within this advisory is Copyright (C) 2000  
Networks Associates Technology Inc. It may be redistributed provided  
that no fee is charged for distribution and that the advisory is not  
modified in any way.  
Network Associates and PGP are registered Trademarks of Network  
Associates, Inc. and/or its affiliated companies in the United States  
and/or other Countries. All other registered and unregistered  
trademarks in this document are the sole property of their respective  