COMMAND

    Interscan VirusWall

SYSTEMS AFFECTED

    Trend Micro Interscan VirusWall 3.01

PROBLEM

    The following is based on an eEye Digital Security advisory.  Linux
    systems running Interscan VirusWall 3.01 (and most likely older
    versions) with remote administration enabled are affected.  Other
    Unix variants are most likely vulnerable as well.

    A combination of bugs in the ISADMIN service allows an attacker to
    remotely compromise a system running Trend Micro Interscan VirusWall
    3.01.  Note that file paths may differ between distributions, so the
    paths given here may not be exact.

    Vulnerability #1
    ================
    The first bug is in the web-server configuration of ISADMIN, which
    runs CERN httpd v3.0 on port 1812 by default.

        --------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------
        Protection SCRIPTS {
        UserID root
        GroupID sys
        AuthType Basic
        ServerID redhat.example.com
        PassWdfile /etc/iscan/.htpasswd
        GroupFile /opt/trend/ISADMIN/config/group
        GET-Mask admin
        }
        
        Protect /*.cgi SCRIPTS
        …
        Exec /* /opt/trend/ISADMIN/cgi-bin/*
        --------Excerpt /opt/trend/ISADMIN/config/httpd.conf--------

    Here we find that all files with a .cgi extension are protected, so
    only authorized users can access them.  Unfortunately there are
    several utilities in this directory that do not have a .cgi
    extension.

        ls -al /opt/trend/ISADMIN/cgi-bin/
        
        -r-xr-xr-x 1 root root 1804 Feb 25 03:05 about
        -r-xr-xr-x 1 root root 28859 Feb 25 03:05 anti_spamadd.cgi
        -r-xr-xr-x 1 root root 27269 Feb 25 03:05 anti_spamedit.cgi
        -r-xr-xr-x 1 root root 30052 Feb 25 03:05 anti_spamtable.cgi
        -r-xr-xr-x 1 root root 37440 Feb 25 03:05 antivir
        -r-xr-xr-x 1 root root 3148 Feb 25 03:05 arglist
        -rwxr-xr-x 1 root root 12421 Apr 12 12:48 catinfo

    This line allows those files without a .cgi extension to be executed
    without authentication:

        Exec /* /opt/trend/ISADMIN/cgi-bin/*
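    The mismatch above is a pure configuration-audit problem: the Protect
    template only covers URLs ending in .cgi, while the Exec template maps
    every URL under / onto the cgi-bin directory.  The following Python
    script is an added example, not part of the eEye advisory or of Trend
    Micro's product, that reproduces the check an administrator would run:
    it parses the Protect and Exec rules from the quoted httpd.conf
    excerpt, maps each file from the quoted ls listing back to the URL
    that reaches it, and reports every executable that no Protect rule
    covers.  It assumes CERN httpd templates behave like shell globs with
    a single `*` wildcard (fnmatch is used as the approximation), and the
    hardened `Protect /* SCRIPTS` rule is an assumed fix for illustration;
    the advisory's own remedy is the upgrade given under SOLUTION.

```python
import fnmatch
from typing import List, Tuple

# Constructed sample: the httpd.conf excerpt quoted in the advisory.
HTTPD_CONF = """\
Protection SCRIPTS {
UserID root
GroupID sys
AuthType Basic
ServerID redhat.example.com
PassWdfile /etc/iscan/.htpasswd
GroupFile /opt/trend/ISADMIN/config/group
GET-Mask admin
}

Protect /*.cgi SCRIPTS
Exec /* /opt/trend/ISADMIN/cgi-bin/*
"""

# Assumed hardened variant: protect every URL the Exec rule can reach.
HARDENED_CONF = HTTPD_CONF.replace("Protect /*.cgi SCRIPTS", "Protect /* SCRIPTS")

# Constructed sample: file names from the advisory's ls -al listing.
CGI_BIN_DIR = "/opt/trend/ISADMIN/cgi-bin"
CGI_BIN_FILES = [
    "about", "anti_spamadd.cgi", "anti_spamedit.cgi", "anti_spamtable.cgi",
    "antivir", "arglist", "catinfo",
]


def parse_rules(conf: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Collect Protect URL templates and (url_template, path_template) Exec pairs."""
    protects, execs = [], []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "protect":
            protects.append(parts[1])
        elif len(parts) >= 3 and parts[0].lower() == "exec":
            execs.append((parts[1], parts[2]))
    return protects, execs


def url_for_file(exec_rules: List[Tuple[str, str]], fs_path: str):
    """Reverse an Exec mapping: the text matched by '*' in the filesystem
    template is substituted for '*' in the URL template."""
    for url_tmpl, path_tmpl in exec_rules:
        prefix, _, suffix = path_tmpl.partition("*")
        if fs_path.startswith(prefix) and fs_path.endswith(suffix):
            captured = fs_path[len(prefix):len(fs_path) - len(suffix)]
            return url_tmpl.replace("*", captured, 1)
    return None


def is_protected(protect_rules: List[str], url: str) -> bool:
    # Assumption: CERN httpd '*' templates behave like case-sensitive globs.
    return any(fnmatch.fnmatchcase(url, tmpl) for tmpl in protect_rules)


def find_unprotected(conf: str, cgi_dir: str, files: List[str]) -> List[Tuple[str, str]]:
    """Return (file name, reachable URL) for every executable no Protect rule covers."""
    protects, execs = parse_rules(conf)
    unprotected = []
    for name in files:
        url = url_for_file(execs, cgi_dir.rstrip("/") + "/" + name)
        if url is not None and not is_protected(protects, url):
            unprotected.append((name, url))
    return unprotected


if __name__ == "__main__":
    for name, url in find_unprotected(HTTPD_CONF, CGI_BIN_DIR, CGI_BIN_FILES):
        print(f"UNPROTECTED {name:20s} reachable as {url}")
    print("after hardening:", find_unprotected(HARDENED_CONF, CGI_BIN_DIR, CGI_BIN_FILES))
```

    With the quoted configuration the script reports about, antivir,
    arglist and catinfo; with the assumed hardened Protect rule it reports
    nothing, because every URL the Exec rule can reach now requires the
    SCRIPTS protection.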

    Vulnerability #2
    ================
    While auditing  the binaries  in /opt/trend/ISADMIN/cgi-bin/  eEye
    came to the  conclusion that if  it accepts input,  it is probably
    exploitable.

    Example:

        http://server:1812/catinfo?4500xA

    The above request causes a buffer overflow.  catinfo calls toupper()
    on its input, and CERN httpd mishandles certain values.  eEye was
    able to remotely execute commands as root using this vulnerability.
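    Both issues leave a trace in the ISADMIN web server's access log: an
    unauthenticated request for a non-.cgi name (the Exec path of
    Vulnerability #1) and an abnormally long query string (the 4500-byte
    request of Vulnerability #2).  The following Python script is an added
    detection example, not part of the eEye advisory or of the product,
    that scans constructed common-log-format lines and flags both
    patterns.  The 1024-byte query threshold, the sample lines and the
    finding names are assumptions; CERN httpd's exact log format on a
    given install should be checked before relying on the regex.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Common log format: host ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed threshold: legitimate ISADMIN form submissions are short; the
# advisory's crash request carries 4500 bytes in the query string.
MAX_QUERY_LEN = 1024

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Apr/1999:12:48:01 +0000] '
    '"GET /anti_spamtable.cgi?action=view HTTP/1.0" 200 2048',
    '10.0.0.9 - - [12/Apr/1999:12:49:13 +0000] '
    '"GET /catinfo?' + "A" * 4500 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [12/Apr/1999:12:49:20 +0000] '
    '"GET /about HTTP/1.0" 200 1804',
]


def analyse_line(line: str, max_query_len: int = MAX_QUERY_LEN) -> Optional[Dict]:
    """Parse one CLF line and attach the findings that apply to it."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not a CLF line; caller may count these separately
    target = urlsplit(m.group("target"))
    findings: List[str] = []
    # Vulnerability #2 pattern: query string far longer than any admin form.
    if len(target.query) > max_query_len:
        findings.append("oversized-query")
    # Vulnerability #1 pattern: no Basic-auth user, and the path is not a
    # .cgi name, so it bypasses the Protect /*.cgi rule via Exec /*.
    if m.group("user") == "-" and not target.path.endswith(".cgi"):
        findings.append("unauthenticated-non-cgi-exec")
    return {
        "host": m.group("host"),
        "path": target.path,
        "query_len": len(target.query),
        "status": int(m.group("status")),
        "findings": findings,
    }


def scan_log(lines: List[str], max_query_len: int = MAX_QUERY_LEN) -> List[Dict]:
    """Return only the records that triggered at least one finding."""
    hits = []
    for line in lines:
        rec = analyse_line(line, max_query_len)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(f"{rec['host']} {rec['path']} qlen={rec['query_len']} "
              f"status={rec['status']} -> {', '.join(rec['findings'])}")
```

    On the constructed sample the authenticated anti_spamtable.cgi request
    passes, the catinfo request is flagged for both the oversized query
    and the unauthenticated non-.cgi target, and the about request is
    flagged for the latter only.  Because the Exec rule maps every URL to
    cgi-bin, any unauthenticated non-.cgi hit is worth a look, not just
    the long ones.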

SOLUTION

    Upon contacting  Trend Micro  we were  informed that  their latest
    version 3.6 was not vulnerable to this flaw.