COMMAND

    InterScan VirusWall

SYSTEMS AFFECTED

    Trend Micro InterScan VirusWall

PROBLEM

    The following is based on a COVERT Labs Security Advisory.  An
    implementation flaw in the InterScan VirusWall SMTP gateway
    allows a remote attacker to execute code with the privileges of
    the daemon.  InterScan VirusWall for Windows NT versions prior to
    and including version 3.32 are vulnerable.

    InterScan VirusWall provides an SMTP gateway which scans all
    inbound and outbound mail traffic for viruses before forwarding
    it to an SMTP server.  The SMTP gateway implements analysis of
    standard UU encoding, which is used for transmitting binary files
    over transmission media that support only simple ASCII data.

    A standard UU encoded file contains a final file name to which the
    encoded data should be written.  Due to an implementation fault
    in VirusWall's handling of this file name, it is possible for a
    remote attacker to specify an arbitrarily long string, overwriting
    the stack with user-defined data.  A file name greater than 128
    bytes will allow a remote attacker to execute arbitrary code.
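
    The file name discussed above travels on the UU "begin" header
    line.  The following bounded parser for that line is an added
    example, not code from the advisory or from Trend Micro.  The
    128-byte buffer size is an assumption taken from the advisory's
    figure; parse_uu_begin and the status names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UU_NAME_MAX 128  /* assumed buffer size, from the advisory's 128-byte figure */

enum uu_status { UU_OK = 0, UU_NOT_BEGIN = -1, UU_MALFORMED = -2, UU_NAME_TOO_LONG = -3 };

/* Parse "begin <octal mode> <filename>" into a caller-supplied buffer.
 * The name is measured before any copy, so an over-long name is rejected
 * instead of being written past the end of `name`. */
enum uu_status parse_uu_begin(const char *line, unsigned *mode,
                              char *name, size_t name_sz)
{
    if (strncmp(line, "begin ", 6) != 0)
        return UU_NOT_BEGIN;

    char *end;
    unsigned long m = strtoul(line + 6, &end, 8);   /* permission bits, octal */
    if (end == line + 6 || *end != ' ' || m > 07777)
        return UU_MALFORMED;

    const char *fname = end + 1;
    size_t len = strcspn(fname, "\r\n");            /* name runs to end of line */
    if (len == 0)
        return UU_MALFORMED;
    if (len >= name_sz)                             /* keep room for the NUL */
        return UU_NAME_TOO_LONG;

    memcpy(name, fname, len);
    name[len] = '\0';
    *mode = (unsigned)m;
    return UU_OK;
}

int main(void)
{
    char name[UU_NAME_MAX];
    unsigned mode = 0;
    char longline[312];                             /* constructed over-long header */
    memcpy(longline, "begin 644 ", 10);
    memset(longline + 10, 'A', 300);
    longline[310] = '\n'; longline[311] = '\0';

    printf("%d\n", parse_uu_begin("begin 644 report.doc\n", &mode, name, sizeof name));
    printf("%d\n", parse_uu_begin(longline, &mode, name, sizeof name));
    return 0;
}
```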

    Creation of a specially crafted file name allows remote shell
    access with the privileges of the VirusWall daemon; under Windows
    NT this is the SYSTEM account.

    The discovery and documentation of this vulnerability was
    conducted by Barnaby Jack with the COVERT Labs at PGP Security, a
    Network Associates business.

SOLUTION

    Trend Micro has corrected this problem in InterScan VirusWall for
    Windows NT Version 3.4, which is currently available as a beta
    from:

        ftp://ftp.antivirus.com/products/beta/