Trend Micro InterScan VirusWall Remote Overflow

Type securityvulns
Reporter Securityvulns
Modified 2000-05-05T00:00:00



                   Network Associates, Inc.
                COVERT Labs Security Advisory
                         May 4, 2000

        Trend Micro InterScan VirusWall Remote Overflow

o Synopsis

An implementation flaw in the InterScan VirusWall SMTP gateway allows a remote attacker to execute code with the privileges of the daemon.


o Vulnerable Systems

InterScan VirusWall for Windows NT versions prior to and including version 3.32 are vulnerable.

o Vulnerability Information

InterScan VirusWall provides an SMTP gateway which scans all inbound and outbound mail traffic for viruses before forwarding it to an SMTP server. The SMTP gateway implements analysis of standard UU encoding which is used for transmitting binary files over transmission mediums only supporting simple ASCII data.

A standard UU encoded file contains a final file name to which the encoded data should be written to. Due to an implementation fault in VirusWall's handling of this file name it is possible for a remote attacker to specify an arbitrarily long string overwriting the stack with user defined data. A filename greater than 128 bytes will allow a remote attacker to execute arbitrary code.

Creation of a specially crafted filename allows remote shell access with the privileges of the VirusWall daemon, under Windows NT this is the SYSTEM account.

o Resolution

Trend Micro has corrected this problem in InterScan VirusWall for Windows NT Version 3.4, which is currently available as a beta from:

o Credits

The discovery and documentation of this vulnerability was conducted by Barnaby Jack with the COVERT Labs at PGP Security, a Network Associates business.

o Contact Information

For more information about the COVERT Labs at PGP Security, visit our website at or send e-mail to

o Legal Notice

The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.

Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Crypto Provided by Network Associates <>