trendmicro.txt

2004-03-24T00:00:00
ID PACKETSTORM:32946
Type packetstorm
Reporter Tri Huynh
Modified 2004-03-24T00:00:00

Description

                                        
                                            `  
  
TrendMicro Interscan Viruswall Directory Traversal  
=================================================  
  
PROGRAM: TrendMicro Interscan Viruswall  
HOMEPAGE: http://www.trendmicro.com  
VULNERABLE VERSIONS: - 3.5x (Windows)  
- Unix/Solaris version is  
not tested but possibly  
vulnerable  
  
DESCRIPTION  
=================================================  
  
InterScan VirusWall provides intelligent content scanning  
to prevent virus outbreaks. It blocks spam, non-business  
related messages, and attachments to protect enterprise  
network and business integrity.  
  
DETAILS  
=================================================  
  
Interscan Web Viruswall, a part of Interscan Viruswall package, is a web  
proxy/gateway service that has a responsibility to scan virus  
"on-the-fly" before it reach the user browser. In Interscan  
Web Viruswall, there is a builtin mechanism that  
allows anybody to read files at the /ishttp/localweb directory by using  
such an URL: http://victimIP:8080/ishttpd/localweb/filename. Other URLs  
point to  
different directories (except sub-directories of "localweb") won't  
trigger the  
mechanism and will be forwarded to the proxy which the service  
is set up to. The reason there such a "feature" is because Interscan  
Web Viruswall has another feature (not turned on by default) called  
TeleWindow which uses an applet (/ishttpd/localweb/java/telewind.zip)  
to allow user to see the scanning process. Unfortunately, that built-in  
mini  
webserver has a directory traversal problem. By using such an URL like  
this,  
an evil genius ;-) can access to files outside the  
localweb directory:  
http://victimIP:8080/ishttpd/localweb/java/?/../../../ishttpd.exe  
will download the service executable file or  
  
http://24.128.159.50:8080/ishttpd/localweb/java/?/../../../../../../../../autoexec.bat  
will download the autoexec.bat file in the root directory.  
  
WORKAROUND  
=================================================  
Administrators should be aware that even the TeleWindow feature is not  
turned on, the vulnerability can sill be exploited since the  
mini-webserver is hardcoded and it can't be turned off by using the  
configuration  
interface.  
  
Apply the patch from TrendMicro or temporarily stop using the Interscan  
Web Viruswall until the patch is issued.  
  
Update: The technical support email virus_doctor@trendmicro.com was  
sent an email concern about this problem. However, it has been 6 days  
and we haven't received any reponses yet.  
  
CREDITS  
=================================================  
  
Discovered by Tri Huynh from SentryUnion  
  
  
DISLAIMER  
=================================================  
  
The information within this paper may change without notice. Use of  
this information constitutes acceptance for use in an AS IS condition.  
There are NO warranties with regard to this information. In no event  
shall the author be liable for any damages whatsoever arising out of  
or in connection with the use or spread of this information. Any use  
of this information is at the user's own risk.  
  
  
FEEDBACK  
=================================================  
  
Please send suggestions, updates, and comments to: trihuynh@zeeup.com  
  
  
`