ServerProtect is a virus scanner for servers. The Trend Micro ServerProtect service (SpntSvc.exe) handles RPC requests on port 5168/TCP.
Problem
Buffer overflow vulnerabilities in the Trend Micro ServerProtect service allow remote attackers to execute arbitrary commands by sending a specially crafted RPC request to the service.
Exploit works on Trend Micro ServerProtect for Windows 5.58 Patch 3.
Platforms
Windows
{"enchantments": {"score": {"value": 10.1, "vector": "NONE", "modified": "2016-10-03T15:01:56", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-4218"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:17872", "SECURITYVULNS:VULN:8084", "SECURITYVULNS:DOC:17976"]}, {"type": "osvdb", "idList": ["OSVDB:39752", "OSVDB:39751", "OSVDB:39750", "OSVDB:39753", "OSVDB:39754"]}, {"type": "cert", "idList": ["VU:109056", "VU:204448"]}, {"type": "saint", "idList": ["SAINT:1310885A27D3FD55BD6D9F816FBA3A08", "SAINT:6FEAB590EC9EA6975575040DA569A8C3", "SAINT:AE23500C1A77A485F11411651A9AF8F9", "SAINT:A22EE7DC85CE2118041F99BF26AC0818", "SAINT:2472227D38ECCF5DF4694D5C03D5947B", "SAINT:99E8D82E3D00706D9E04511BEDD1F8A8", "SAINT:E7B2DB37D7AA743EE0026B979333DF83", "SAINT:5314E219F146652D572D0AC3B147353A"]}, {"type": "zdi", "idList": ["ZDI-07-050"]}, {"type": "nessus", "idList": ["TRENDMICRO_SERVERPROTECT_MULTIPLE2.NASL"]}], "modified": "2016-10-03T15:01:56", "rev": 2}, "vulnersScore": 10.1}, "reporter": "SAINT Corporation", "id": "SAINT:B07E1C8A1646AED3407F8208974F6AED", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "published": "2007-09-21T00:00:00", "bulletinFamily": "exploit", "viewCount": 14, "modified": "2007-09-21T00:00:00", "references": [], "cvelist": ["CVE-2007-4218"], "description": "Added: 09/21/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39753](<http://www.osvdb.org/39753>) \n\n\n### Background\n\n[ServerProtect](<http://www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm>) is a virus scanner for servers. The Trend Micro ServerProtect service (SpntSvc.exe) handles RPC requests on port 5168/TCP. \n\n### Problem\n\nBuffer overflow vulnerabilities in the Trend Micro ServerProtect service allow remote attackers to execute arbitrary commands by sending a specially crafted RPC request to the service. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect for Windows 5.58 Patch 3. \n\n### Platforms\n\nWindows \n \n\n", "type": "saint", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/serverprotect_spntsvc", "lastseen": "2016-10-03T15:01:56", "edition": 1, "title": "Trend Micro ServerProtect SpntSvc RPC buffer overflow"}
{"cve": [{"lastseen": "2021-02-02T05:31:25", "description": "Multiple buffer overflows in the ServerProtect service (SpntSvc.exe) in Trend Micro ServerProtect for Windows before 5.58 Security Patch 4 allow remote attackers to execute arbitrary code via certain RPC requests to certain TCP ports that are processed by the (1) RPCFN_ENG_NewManualScan, (2) RPCFN_ENG_TimedNewManualScan, and (3) RPCFN_SetComputerName functions in (a) StRpcSrv.dll; the (4) RPCFN_CMON_SetSvcImpersonateUser and (5) RPCFN_OldCMON_SetSvcImpersonateUser functions in (b) Stcommon.dll; the (6) RPCFN_ENG_TakeActionOnAFile and (7) RPCFN_ENG_AddTaskExportLogItem functions in (c) Eng50.dll; the (8) NTF_SetPagerNotifyConfig function in (d) Notification.dll; or the (9) RPCFN_CopyAUSrc function in the (e) ServerProtect Agent service.", "edition": 4, "cvss3": {}, "published": "2007-08-22T23:17:00", "title": "CVE-2007-4218", "type": "cve", "cwe": ["CWE-119", "CWE-189", "CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-4218"], "modified": "2018-10-15T21:33:00", "cpe": ["cpe:/a:trend_micro:serverprotect:5.58"], "id": "CVE-2007-4218", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4218", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:trend_micro:serverprotect:5.58:build_1176_for_windows:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:35", "bulletinFamily": "software", "cvelist": ["CVE-2007-4218"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt\nUS-CERT Cyber Security Alert: TA07-235A\nSecurity Tracker: 1018594\n[Secunia Advisory ID:26523](https://secuniaresearch.flexerasoftware.com/advisories/26523/)\n[Related OSVDB ID: 1016334](https://vulners.com/osvdb/OSVDB:1016334)\n[Related OSVDB ID: 39753](https://vulners.com/osvdb/OSVDB:39753)\n[Related OSVDB ID: 39754](https://vulners.com/osvdb/OSVDB:39754)\n[Related OSVDB ID: 1019364](https://vulners.com/osvdb/OSVDB:1019364)\nOther Advisory URL: http://www.us-cert.gov/cas/techalerts/TA07-235A.html\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-08/0351.html\nISS X-Force ID: 36174\nFrSIRT Advisory: ADV-2007-2934\n[CVE-2007-4218](https://vulners.com/cve/CVE-2007-4218)\nCERT VU: 204448\nCERT VU: 109056\nBugtraq ID: 25395\n", "edition": 1, "modified": "2007-08-21T14:21:50", "published": "2007-08-21T14:21:50", "href": "https://vulners.com/osvdb/OSVDB:39752", "id": "OSVDB:39752", "title": "Trend Micro ServerProtect for Windows (SpntSvc.exe) Stcommon.dll Multiple Function Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:35", "bulletinFamily": "software", "cvelist": ["CVE-2007-4218"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt\nUS-CERT Cyber Security Alert: TA07-235A\nSecurity Tracker: 1018594\n[Secunia Advisory ID:26523](https://secuniaresearch.flexerasoftware.com/advisories/26523/)\n[Related OSVDB ID: 39752](https://vulners.com/osvdb/OSVDB:39752)\n[Related OSVDB ID: 39753](https://vulners.com/osvdb/OSVDB:39753)\n[Related OSVDB ID: 39754](https://vulners.com/osvdb/OSVDB:39754)\n[Related OSVDB ID: 39751](https://vulners.com/osvdb/OSVDB:39751)\nOther Advisory URL: http://www.us-cert.gov/cas/techalerts/TA07-235A.html\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-07-050.html\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-09/0081.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-08/0351.html\nISS X-Force ID: 36178\nFrSIRT Advisory: ADV-2007-2934\n[CVE-2007-4218](https://vulners.com/cve/CVE-2007-4218)\nCERT VU: 204448\nCERT VU: 109056\nBugtraq ID: 25395\n", "edition": 1, "modified": "2007-08-07T14:21:50", "published": "2007-08-07T14:21:50", "href": "https://vulners.com/osvdb/OSVDB:39750", "id": "OSVDB:39750", "title": "Trend Micro ServerProtect for Windows Agent Service RPCFN_CopyAUSrc Function Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:35", "bulletinFamily": "software", "cvelist": ["CVE-2007-4218"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt\nUS-CERT Cyber Security Alert: TA07-235A\nSecurity Tracker: 1018594\n[Secunia Advisory ID:26523](https://secuniaresearch.flexerasoftware.com/advisories/26523/)\n[Related OSVDB ID: 1016334](https://vulners.com/osvdb/OSVDB:1016334)\n[Related OSVDB ID: 39754](https://vulners.com/osvdb/OSVDB:39754)\n[Related OSVDB ID: 1019364](https://vulners.com/osvdb/OSVDB:1019364)\n[Related OSVDB ID: 1019361](https://vulners.com/osvdb/OSVDB:1019361)\nOther Advisory URL: http://www.us-cert.gov/cas/techalerts/TA07-235A.html\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-08/0351.html\nISS X-Force ID: 36175\nFrSIRT Advisory: ADV-2007-2934\n[CVE-2007-4218](https://vulners.com/cve/CVE-2007-4218)\nCERT VU: 204448\nCERT VU: 109056\nBugtraq ID: 25395\n", "edition": 1, "modified": "2007-08-21T14:21:50", "published": "2007-08-21T14:21:50", "href": "https://vulners.com/osvdb/OSVDB:39753", "id": "OSVDB:39753", "title": "Trend Micro ServerProtect for Windows (SpntSvc.exe) Eng50.dll Multiple Function Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:35", "bulletinFamily": "software", "cvelist": ["CVE-2007-4218"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt\nUS-CERT Cyber Security Alert: TA07-235A\nSecurity Tracker: 1018594\n[Secunia Advisory ID:26523](https://secuniaresearch.flexerasoftware.com/advisories/26523/)\n[Related OSVDB ID: 39752](https://vulners.com/osvdb/OSVDB:39752)\n[Related OSVDB ID: 39753](https://vulners.com/osvdb/OSVDB:39753)\n[Related OSVDB ID: 39754](https://vulners.com/osvdb/OSVDB:39754)\n[Related OSVDB ID: 1019364](https://vulners.com/osvdb/OSVDB:1019364)\nOther Advisory URL: http://www.us-cert.gov/cas/techalerts/TA07-235A.html\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-08/0351.html\nISS X-Force ID: 36172\nFrSIRT Advisory: ADV-2007-2934\n[CVE-2007-4218](https://vulners.com/cve/CVE-2007-4218)\nCERT VU: 204448\nCERT VU: 109056\nBugtraq ID: 25395\n", "edition": 1, "modified": "2007-08-21T14:21:50", "published": "2007-08-21T14:21:50", "href": "https://vulners.com/osvdb/OSVDB:39751", "id": "OSVDB:39751", "title": "Trend Micro ServerProtect for Windows (SpntSvc.exe) StRpcSrv.dll Multiple Function Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:35", "bulletinFamily": "software", "cvelist": ["CVE-2007-4218"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt\nUS-CERT Cyber Security Alert: TA07-235A\nSecurity Tracker: 1018594\n[Secunia Advisory ID:26523](https://secuniaresearch.flexerasoftware.com/advisories/26523/)\n[Related OSVDB ID: 1016334](https://vulners.com/osvdb/OSVDB:1016334)\n[Related OSVDB ID: 1019364](https://vulners.com/osvdb/OSVDB:1019364)\n[Related OSVDB ID: 1019361](https://vulners.com/osvdb/OSVDB:1019361)\n[Related OSVDB ID: 1019362](https://vulners.com/osvdb/OSVDB:1019362)\nOther Advisory URL: http://www.us-cert.gov/cas/techalerts/TA07-235A.html\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-08/0351.html\nISS X-Force ID: 36176\nFrSIRT Advisory: ADV-2007-2934\n[CVE-2007-4218](https://vulners.com/cve/CVE-2007-4218)\nCERT VU: 204448\nCERT VU: 109056\nBugtraq ID: 25395\n", "edition": 1, "modified": "2007-08-21T14:21:50", "published": "2007-08-21T14:21:50", "href": "https://vulners.com/osvdb/OSVDB:39754", "id": "OSVDB:39754", "title": "Trend Micro ServerProtect for Windows (SpntSvc.exe) Notification.dll NTF_SetPagerNotifyConfig Function Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:02:01", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "description": "Added: 12/28/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39752](<http://www.osvdb.org/39752>) \n\n\n### Background\n\nTrend Micro [ServerProtect](<http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/>) is a virus scanner for servers. \n\n### Problem\n\nA buffer overflow in the ServerProtect service allows remote attackers to execute arbitrary commands by sending a specially crafted RPC request which is processed by the `**RPCFN_CMON_SetSvcImpersonateUser**` function in the `**Stcommon.dll**` library. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>) or higher. \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n<http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect 5.58 Security Patch 3. \n\n### Platforms\n\nWindows \nWindows Server 2003 SP1 \n \n\n", "edition": 1, "modified": "2007-12-28T00:00:00", "published": "2007-12-28T00:00:00", "id": "SAINT:AE23500C1A77A485F11411651A9AF8F9", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/serverprotect_cmon_setsvcimpersonate", "type": "saint", "title": "Trend Micro ServerProtect RPCFN_CMON_SetSvcImpersonateUser buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:32", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "description": "Added: 09/21/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39753](<http://www.osvdb.org/39753>) \n\n\n### Background\n\n[ServerProtect](<http://www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm>) is a virus scanner for servers. The Trend Micro ServerProtect service (SpntSvc.exe) handles RPC requests on port 5168/TCP. \n\n### Problem\n\nBuffer overflow vulnerabilities in the Trend Micro ServerProtect service allow remote attackers to execute arbitrary commands by sending a specially crafted RPC request to the service. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect for Windows 5.58 Patch 3. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2007-09-21T00:00:00", "published": "2007-09-21T00:00:00", "id": "SAINT:A22EE7DC85CE2118041F99BF26AC0818", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/serverprotect_spntsvc", "title": "Trend Micro ServerProtect SpntSvc RPC buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "edition": 2, "description": "Added: 09/21/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39753](<http://www.osvdb.org/39753>) \n\n\n### Background\n\n[ServerProtect](<http://www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm>) is a virus scanner for servers. The Trend Micro ServerProtect service (SpntSvc.exe) handles RPC requests on port 5168/TCP. \n\n### Problem\n\nBuffer overflow vulnerabilities in the Trend Micro ServerProtect service allow remote attackers to execute arbitrary commands by sending a specially crafted RPC request to the service. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect for Windows 5.58 Patch 3. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2007-09-21T00:00:00", "published": "2007-09-21T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/serverprotect_spntsvc", "id": "SAINT:6FEAB590EC9EA6975575040DA569A8C3", "type": "saint", "title": "Trend Micro ServerProtect SpntSvc RPC buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "edition": 2, "description": "Added: 12/28/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39752](<http://www.osvdb.org/39752>) \n\n\n### Background\n\nTrend Micro [ServerProtect](<http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/>) is a virus scanner for servers. \n\n### Problem\n\nA buffer overflow in the ServerProtect service allows remote attackers to execute arbitrary commands by sending a specially crafted RPC request which is processed by the `**RPCFN_CMON_SetSvcImpersonateUser**` function in the `**Stcommon.dll**` library. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>) or higher. \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n<http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect 5.58 Security Patch 3. \n\n### Platforms\n\nWindows \nWindows Server 2003 SP1 \n \n\n", "modified": "2007-12-28T00:00:00", "published": "2007-12-28T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/serverprotect_cmon_setsvcimpersonate", "id": "SAINT:1310885A27D3FD55BD6D9F816FBA3A08", "type": "saint", "title": "Trend Micro ServerProtect RPCFN_CMON_SetSvcImpersonateUser buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "edition": 2, "description": "Added: 08/23/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39754](<http://www.osvdb.org/39754>) \n\n\n### Background\n\n[ServerProtect](<http://www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm>) is a virus scanner for servers. \n\n### Problem\n\nA buffer overflow in the NTF_SetPagerNotifyConfig function within the `**Notification.dll**` library allows remote attackers to execute arbitrary commands by sending a specially crafted RPC request to port 5168/TCP. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect 5.58 with Patch 3. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2007-08-23T00:00:00", "published": "2007-08-23T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/serverprotect_ntf_setpagernotifyconfig", "id": "SAINT:99E8D82E3D00706D9E04511BEDD1F8A8", "type": "saint", "title": "Trend Micro ServerProtect RPC NTF_SetPagerNotifyConfig buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "description": "Added: 08/23/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39754](<http://www.osvdb.org/39754>) \n\n\n### Background\n\n[ServerProtect](<http://www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm>) is a virus scanner for servers. \n\n### Problem\n\nA buffer overflow in the NTF_SetPagerNotifyConfig function within the `**Notification.dll**` library allows remote attackers to execute arbitrary commands by sending a specially crafted RPC request to port 5168/TCP. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect 5.58 with Patch 3. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2007-08-23T00:00:00", "published": "2007-08-23T00:00:00", "id": "SAINT:5314E219F146652D572D0AC3B147353A", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/serverprotect_ntf_setpagernotifyconfig", "title": "Trend Micro ServerProtect RPC NTF_SetPagerNotifyConfig buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "description": "Added: 08/23/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39754](<http://www.osvdb.org/39754>) \n\n\n### Background\n\n[ServerProtect](<http://www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm>) is a virus scanner for servers. \n\n### Problem\n\nA buffer overflow in the NTF_SetPagerNotifyConfig function within the `**Notification.dll**` library allows remote attackers to execute arbitrary commands by sending a specially crafted RPC request to port 5168/TCP. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect 5.58 with Patch 3. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2007-08-23T00:00:00", "published": "2007-08-23T00:00:00", "id": "SAINT:E7B2DB37D7AA743EE0026B979333DF83", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/serverprotect_ntf_setpagernotifyconfig", "type": "saint", "title": "Trend Micro ServerProtect RPC NTF_SetPagerNotifyConfig buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4218"], "description": "Added: 12/28/2007 \nCVE: [CVE-2007-4218](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>) \nBID: [25395](<http://www.securityfocus.com/bid/25395>) \nOSVDB: [39752](<http://www.osvdb.org/39752>) \n\n\n### Background\n\nTrend Micro [ServerProtect](<http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/>) is a virus scanner for servers. \n\n### Problem\n\nA buffer overflow in the ServerProtect service allows remote attackers to execute arbitrary commands by sending a specially crafted RPC request which is processed by the `**RPCFN_CMON_SetSvcImpersonateUser**` function in the `**Stcommon.dll**` library. \n\n### Resolution\n\nApply [ServerProtect 5.58 Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>) or higher. \n\n### References\n\n<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587> \n<http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt> \n\n\n### Limitations\n\nExploit works on Trend Micro ServerProtect 5.58 Security Patch 3. \n\n### Platforms\n\nWindows \nWindows Server 2003 SP1 \n \n\n", "edition": 4, "modified": "2007-12-28T00:00:00", "published": "2007-12-28T00:00:00", "id": "SAINT:2472227D38ECCF5DF4694D5C03D5947B", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/serverprotect_cmon_setsvcimpersonate", "title": "Trend Micro ServerProtect RPCFN_CMON_SetSvcImpersonateUser buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:42:30", "bulletinFamily": "info", "cvelist": ["CVE-2007-4218"], "description": "### Overview \n\nThe Trend Micro ServerProtect fails to properly handle RPC requests. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description \n\nTrend Micro [ServerProtect](<http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/index.html>) is an anti-virus application that is designed to run on Microsoft Windows servers. Trend Micro ServerProtect handles Remote Procedure Calls (RPC) using port 5168/tcp. \n\nTrend Micro ServerProtect contains heap-based and stack-based buffer overflows in that can be exploited via multiple RPC functions. A remote, unauthenticated attacker may be able to trigger these overflows by sending malformed RPC requests to a vulnerable Trend Micro ServerProtect installation. \n \nMore information, including a list of vulnerable RPC functions can be found in the [README](<http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt>) file for Security Patch 4. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code with `SYSTEM` privileges. \n \n--- \n \n### Solution \n\n**Apply a patch** \nTrend Micro has addressed these vulnerabilities with [Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n \n--- \n \n**Restrict Access to Trend Micro ServerProtect **\n\n \nUntil the patch can be applied you may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by theTrend Micro ServerProtect service (5168/tcp). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Vendor Information\n\n109056\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Trend Micro __ Affected\n\nUpdated: August 23, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23109056 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt>\n * <http://www.trendmicro.com/download/product.asp?productid=17>\n * <http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587>\n * <http://secunia.com/advisories/26523/>\n * <http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/index.html>\n * <http://www.zerodayinitiative.com/advisories/ZDI-07-050.html>\n\n### Acknowledgements\n\nThis vulnerabilities were reported by iDefense Labs. iDefense Labs in turn credits Code Audit Labs, Jun Mao from iDefense Labs, and two anonymous researchers.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-4218](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-4218>) \n---|--- \n**Severity Metric:** | 22.31 \n**Date Public:** | 2007-08-21 \n**Date First Published:** | 2007-08-23 \n**Date Last Updated: ** | 2007-09-10 20:17 UTC \n**Document Revision: ** | 23 \n", "modified": "2007-09-10T20:17:00", "published": "2007-08-23T00:00:00", "id": "VU:109056", "href": "https://www.kb.cert.org/vuls/id/109056", "type": "cert", "title": "Trend Micro ServerProtect RPC buffer overflows", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:42:29", "bulletinFamily": "info", "cvelist": ["CVE-2007-4218"], "description": "### Overview \n\nTrend Micro ServerProtect Agent service fails to properly handle RPC requests. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description \n\nThe Trend Micro ServerProtect Agent service handles RPC Remote Procedure Calls (RPC) using port 3628/tcp. The Trend Micro ServerProtect Agent fails to properly validate RPC requests, possibly allowing a stack-based buffer overflow to occur. A remote, unauthenticated attacker can trigger this overflow vulnerability by sending a specially crafted RPC request to the `RPCFN_CopyAUSrc` function.\n\nMore information can be found in the [README](<http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt>) file for Security Patch 4. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply a patch** \n \nTrend Micro has addressed these vulnerabilities with [Security Patch 4](<http://www.trendmicro.com/download/product.asp?productid=17>). \n \n--- \n \n**Restrict Access to the Trend Micro ServerProtect ****Agent** \n \nUntil the patch can be applied you may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the Trend Micro ServerProtect Agent service (3628/tcp). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Vendor Information\n\n204448\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Trend Micro __ Affected\n\nUpdated: August 23, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSee <http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23204448 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt>\n * <http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587>\n * <http://secunia.com/advisories/26523/>\n * <http://www.zerodayinitiative.com/advisories/ZDI-07-050.html>\n\n### Acknowledgements\n\nThis vulnerabilities were reported by iDefense Labs. iDefense Labs in turn credits Code Audit Labs, Jun Mao from iDefense Labs, and two anonymous researchers.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-4218](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-4218>) \n---|--- \n**Severity Metric:** | 22.31 \n**Date Public:** | 2007-08-21 \n**Date First Published:** | 2007-08-23 \n**Date Last Updated: ** | 2007-09-10 20:17 UTC \n**Document Revision: ** | 11 \n", "modified": "2007-09-10T20:17:00", "published": "2007-08-23T00:00:00", "id": "VU:204448", "href": "https://www.kb.cert.org/vuls/id/204448", "type": "cert", "title": "Trend Micro ServerProtect Agent service RPC stack-buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:42:25", "bulletinFamily": "info", "cvelist": ["CVE-2007-4218"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit this vulnerability. The specific flaw is exposed through the RPC interface bound on TCP port 5168 and defined in SpntSvc.exe with the following UUID: 25288888-bd5b-11d1-9d53-0080c83a5c2c The vulnerable function, RPCFN_SetComputerName(), is reached when the custom protocols \"subcode\" is set to \"\\x30\\x00\\x0a\\x00\". Improper use of the MultiByteToWideChar() API results in an exploitable stack based buffer overflow.", "modified": "2007-06-22T00:00:00", "published": "2007-09-07T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-07-050/", "id": "ZDI-07-050", "title": "Trend Micro ServerProtect RPCFN_SetComputerName() Stack Overflow Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-4218"], "description": "ZDI-07-050: Trend Micro ServerProtect RPCFN_SetComputerName() Stack\r\n Overflow Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-07-050.html\r\nSeptember 7, 2007\r\n\r\n-- CVE ID:\r\nCVE-2007-4218\r\n\r\n-- Affected Vendor:\r\nTrend Micro\r\n\r\n-- Affected Products:\r\nServerProtect v5.58\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since September 7, 2007 by Digital Vaccine protection\r\nfilter ID 5481. For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Trend Micro ServerProtect. Authentication\r\nis not required to exploit this vulnerability.\r\n\r\nThe specific flaw is exposed through the RPC interface bound on TCP\r\nport 5168 and defined in SpntSvc.exe with the following UUID:\r\n\r\n 25288888-bd5b-11d1-9d53-0080c83a5c2c\r\n\r\nThe vulnerable function, RPCFN_SetComputerName(), is reached when the\r\ncustom protocols "subcode" is set to "\x30\x00\x0a\x00". Improper use\r\nof the MultiByteToWideChar() API results in an exploitable stack based\r\nbuffer overflow.\r\n\r\n-- Vendor Response:\r\nTrend Micro has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt\r\n\r\n-- Disclosure Timeline:\r\n2007.07.17 - Vulnerability reported to vendor\r\n2007.09.07 - Digital Vaccine released to TippingPoint customers\r\n2007.09.07 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by an anonymous researcher.\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n(ZDI) represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors (including competitors)\r\nwho have a vulnerability protection or mitigation product.", "edition": 1, "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "id": "SECURITYVULNS:DOC:17976", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17976", "title": "ZDI-07-050: Trend Micro ServerProtect RPCFN_SetComputerName() Stack Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-4218"], "description": "Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities\r\n\r\niDefense Security Advisory 08.21.07\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nAug 21, 2007\r\n\r\nI. BACKGROUND\r\n\r\nTrend Micro Inc.'s ServerProtect is an anti-virus software for Microsoft\r\nWindows and Novell NetWare servers. It enables network administrators to\r\nmanage multiple deployments from a single management console. For more\r\ninformation, please visit vendor's website at the following URL.\r\n\r\nhttp://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/index.html\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of multiple buffer overflow vulnerabilities in Trend\r\nMicro Inc.'s ServerProtect anti-virus software could allow attackers to\r\nexecute arbitrary code with system level privilege.\r\n\r\nThe Trend ServerProtect service (SpntSvc.exe) handles RPC requests on\r\nTCP port 5168 with interface uuid 25288888-bd5b-11d1-9d53-0080c83a5c2c.\r\nThis service utilizes the StRpcSrv.dll, Stcommon.dll, Eng50.dll and\r\nNotification.dll libraries to service various RPC requests.\r\n\r\nThree buffer overflows exist with the StRpcSrv.dll library. The first\r\ntwo vulnerabilities exist within the RPCFN_ENG_NewManualScan and\r\nRPCFN_ENG_TimedNewManualScan functions. These functions copy\r\nuser-supplied data into a fixed-size heap buffer without performing\r\nproper bounds checking. The third problem exists within the\r\nRPCFN_SetComputerName function. This function copies user-supplied data\r\ninto a fixed-size stack buffer using the MultiByteToWideChar() function\r\nwithout correctly specifying the output buffer length.\r\n\r\nTwo stack-based buffer overflows exist within the Stcommon.dll library.\r\nThese problems specifically exist within the\r\nRPCFN_CMON_SetSvcImpersonateUser and\r\nRPCFN_OldCMON_SetSvcImpersonateUser functions. These functions copy\r\nuser-supplied data into a fixed-size stack buffer without performing\r\nproper bounds checking.\r\n\r\nTwo buffer overflows exist within the Eng50.dll library. These two\r\nissues exist within the ENG_TakeActioinOnAFile and\r\nRPCFN_ENG_AddTaskExportLogItem functions. Both of these functions copy\r\nuser-supplied data into fixed-size buffers without performing proper\r\nbounds checking. The ENG_TakeActioinOnAFile function uses a buffer\r\nstored on the heap as the destination, where as the\r\nRPCFN_ENG_AddTaskExportLogItem function uses a buffer stored in stack\r\nmemory.\r\n\r\nA stack-based buffer overflow exists within the Notification.dll\r\nlibrary. This vulnerability specifically exists in the\r\nNTF_SetPagerNotifyConfig function. This function copies user-supplied\r\ndata into a fixed-size stack buffer without performing proper bounds\r\nchecking.\r\n\r\nThe Trend ServerProtect Agent service handles RPC requests on TCP port\r\n3628 with interface uuid 25288888-bd5b-11d1-9d53-0080c83a5c2c. A\r\nstack-based buffer overflow has been found to exist within the\r\nRPCFN_CopyAUSrc function. This function copies user-supplied data into\r\na fixed-size stack buffer.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation allows attackers to execute arbitrary code with system\r\nlevel privilege.\r\n\r\nExploitation requires that attackers send specially crafted RPC requests\r\nto the Trend ServerProtect or Trend ServerProtect Agent services.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of these vulnerabilities in\r\nServerProtect for Windows 5.58 Build 1176 (Security Patch 3). Previous\r\nversions, as well as versions for other platforms, are suspected to be\r\nvulnerable.\r\n\r\nV. WORKAROUND\r\n\r\niDefense is currently unaware of any workarounds for this issue.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nTrend Micro has addressed these vulnerabilities with the release of\r\nSecurity Patch 4 for ServerProtect. For more information consult the\r\nrelease notes at the following URL.\r\n\r\nhttp://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2007-4218 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n06/14/2007 Initial vendor notification\r\n06/20/2007 Initial vendor response\r\n08/21/2007 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThese vulnerabilities were discovered by Code Audit Labs, Jun Mao\r\n(iDefense Labs), and two researchers that wish to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2007 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "edition": 1, "modified": "2007-08-22T00:00:00", "published": "2007-08-22T00:00:00", "id": "SECURITYVULNS:DOC:17872", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17872", "title": "iDefense Security Advisory 08.21.07: Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "cvelist": ["CVE-2007-4219", "CVE-2007-4731", "CVE-2007-3873", "CVE-2007-4218"], "description": "Buffer overflow in SSAPI engine on oversized local path. Buffer overflow in ServerProtect on different TCP/5168 RPC requests.", "edition": 1, "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "id": "SECURITYVULNS:VULN:8084", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8084", "title": "Trend Micro antiviral products multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-02-01T07:11:02", "description": "The remote version of Trend Micro ServerProtect is vulnerable to\nmultiple buffer overflows in the RPC interface. By sending specially\ncrafted requests to the remote host, an attacker may be able to\nexploit those overflows and execute arbitrary code on the remote host\nwith SYSTEM privileges.", "edition": 25, "published": "2007-08-22T00:00:00", "title": "Trend Micro ServerProtect Multiple Remote Overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-4219", "CVE-2007-4731", "CVE-2007-4218"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:trend_micro:serverprotect"], "id": "TRENDMICRO_SERVERPROTECT_MULTIPLE2.NASL", "href": "https://www.tenable.com/plugins/nessus/25925", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25925);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/08/01 17:36:15\");\n\n script_cve_id(\"CVE-2007-4218\", \"CVE-2007-4219\", \"CVE-2007-4731\");\n script_bugtraq_id(25395, 25396, 25595);\n\n script_name(english:\"Trend Micro ServerProtect Multiple Remote Overflows\");\n script_summary(english:\"Checks for ServerProtect version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to execute code on the remote host through the\nAntiVirus Agent.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of Trend Micro ServerProtect is vulnerable to\nmultiple buffer overflows in the RPC interface. By sending specially\ncrafted requests to the remote host, an attacker may be able to\nexploit those overflows and execute arbitrary code on the remote host\nwith SYSTEM privileges.\");\n # http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch3_readme.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad66593b\");\n # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=588\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e9da692\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.trendmicro.com/download/product.asp?productid=17\");\n script_set_attribute(attribute:\"solution\", value:\n\"Trend Micro has released a patch for ServerProtect for\nWindows / NetWare.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-12-229\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_cwe_id(20, 119, 189);\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/07/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/08/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:trend_micro:serverprotect\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies (\"trendmicro_serverprotect_detect.nasl\");\n script_require_keys (\"Antivirus/TrendMicro/ServerProtect\");\n script_require_ports(5168);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Antivirus/TrendMicro/ServerProtect\");\n\nport = 5168;\n\nv = split (version, sep:\".\", keep:FALSE);\n\nif (\n (v[0] < 5) ||\n (v[0] == 5 && v[1] < 58) ||\n (v[0] == 5 && v[1] == 58 && v[2] == 0 && v[3] < 1185) \n)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Installed version : ' + version + \n '\\n Fixed version ; 5.58.0.1185' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse exit(\"The Trend Micro ServerProtect install is not affected.\");\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
