COMMAND

    HttpSave.dll

SYSTEMS AFFECTED

    TrendMicro InterScan WebManager Version 1.2

PROBLEM

    Following is based on a SNS Advisory No.36.  Trend Micro InterScan
    WebManager  is  a  software  which  provides malicious mobile code
    protection,  URL  filtering  and  traffic  management.   A  buffer
    overflow vulnerability  exists in  HttpSave.dll which  is used  as
    web  management  console  feature  in InterScan WebManager version
    1.2.   This problem  can allow  remote users  to execute arbitrary
    commands with SYSTEM privilege.

    InterScan WebManager has a  feature which provides management  web
    console.   HttpSave.dll  which  is  used  for  this  feature has a
    buffer overflow when long value is given to a certain parameter.

    A buffer overflow occurs in the following dump:

        00ECFAF0  4F 4F 4F 4F  OOOO
        00ECFAF4  50 50 50 50  PPPP
        00ECFAF8  51 51 51 51  QQQQ
        00ECFAFC  52 52 52 52  RRRR
        00ECFB00  53 53 53 53  SSSS
        00ECFB04  54 54 54 54  TTTT

        EAX = 00ECFAF4
        EIP = 4F4F4F4F

    Therefore,  arbitrary  code  which  is  addressed  00ECFAF4 may be
    executed by calling eax.  This has been discovered by Arai Yuu.

SOLUTION

    No patches are available at this moment.  Trend Micro support team
    responded that this problem would be fixed on the next version  of
    WebManager.  Until  the patch is  released, we recommend  restrict
    access to servers.