COMMAND

    VirusWall

SYSTEMS AFFECTED

    Trend Micro InterScan VirusWall for Windows NT 3.51

PROBLEM

    Following is  based on  a SNS  Advisory No.31.   A buffer overflow
    vulnerability was found in administrative programs, FtpSaveCSP.dll
    and FtpSaveCVP.dll,  of InterScan  VirusWall for  Windows NT.   It
    allows a remote user to  execute an arbitrary command with  SYSTEM
    privilege.

    If  long  strings   are  included  in   a  certain  parameter   of
    configuration  by  exploitation  of  the  vulnerability  that  was
    reported  by  SNS  Advisory  No.28,  a buffer overflow occurs when
    viewing following dll(s):

        http://server/interscan/cgi-bin/FtpSaveCSP.dll
        http://server/interscan/cgi-bin/FtpSaveCVP.dll

    A buffer overflow occurs with following dump(Japanese version):

        00F9FC04  4F 50 50 50 51 51  OPPPQQ
        00F9FC0A  51 52 52 52 53 53  QRRRSS
        00F9FC10  53 54 54 54 55 55  STTTUU
        00F9FC16  55 56 61 62 63 64  UVabcd
        00F9FC1C  57 58 58 58 59 59  WXXXYY
        00F9FC22  59 5A 5A 5A 61 61  YZZZaa
        00F9FC28  61 61 61 61 61 61  aaaaaa
        00F9FC2E  61 61 61 61 61 61  aaaaaa

    register:

        EAX = 00F9FC1C  EIP = 64636261

    Therefore, arbitrary code may be executed by calling eax, replaced
    a value with attacker  supplied arbitrary address.   Combined with
    the vulnerability of ftpsave.dll  in SNS Advisory No.28,  a remote
    user can easily launch an attack.

    Discovered by Nobuo Miwa.

SOLUTION

    Trend Micro Japanese  support team responded  nothing.  Until  the
    patch will be released, set up access control to refuse access  to
    servers   in   which   InterScan   VirusWall   is   installed   by
    non-administrative user.