-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Network Associates, Inc. COVERT Labs Security Advisory May 4, 2000 Trend Micro InterScan VirusWall Remote Overflow
An implementation flaw in the InterScan VirusWall SMTP gateway allows a remote attacker to execute code with the privileges of the daemon.
RISK FACTOR: HIGH
o Vulnerable Systems
InterScan VirusWall for Windows NT versions prior to and including version 3.32 are vulnerable.
o Vulnerability Information
InterScan VirusWall provides an SMTP gateway which scans all inbound and outbound mail traffic for viruses before forwarding it to an SMTP server. The SMTP gateway implements analysis of standard UU encoding which is used for transmitting binary files over transmission mediums only supporting simple ASCII data.
A standard UU encoded file contains a final file name to which the encoded data should be written to. Due to an implementation fault in VirusWall's handling of this file name it is possible for a remote attacker to specify an arbitrarily long string overwriting the stack with user defined data. A filename greater than 128 bytes will allow a remote attacker to execute arbitrary code.
Creation of a specially crafted filename allows remote shell access with the privileges of the VirusWall daemon, under Windows NT this is the SYSTEM account.
Trend Micro has corrected this problem in InterScan VirusWall for Windows NT Version 3.4, which is currently available as a beta from:
The discovery and documentation of this vulnerability was conducted by Barnaby Jack with the COVERT Labs at PGP Security, a Network Associates business.
o Contact Information
For more information about the COVERT Labs at PGP Security, visit our website at http://www.nai.com/covert or send e-mail to firstname.lastname@example.org
o Legal Notice
The information contained within this advisory is Copyright (C) 2000 Networks Associates Technology Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.
Network Associates and PGP are registered Trademarks of Network Associates, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
-----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Crypto Provided by Network Associates <http://www.nai.com>
iQA/AwUBORHKFaF4LLqP1YESEQIqEgCeJFjAqqeRG+h6/Fm39NeaSOQLaKkAoPnO V2GULbTsPAwn0a5AD0tvW1El =Bkuv -----END PGP SIGNATURE-----