COMMAND

    InterScan VirusWall

SYSTEMS AFFECTED

    InterScan VirusWall for NT

PROBLEM

    Following is based on a SNS Advisory No.28.  Trend Micro InterScan
    VirusWall for Windows NT is an antivirus software program and  has
    capabilities to  control remotely  via pre-insalled  CGI programs.
    There is a vulnerability that  could allow for a malicious  remote
    user to  make unexpected  modifications for  the configuration  of
    software.

    InterScan VirusWall for Windows NT is a virus protection  software
    for  incoming  and  outgoing  e-mail,  http,  ftp  traffics.  This
    software has a capability to  set and change the configuration  by
    using Web browser.

    The interface  of configuration  is constructed  by a  sort of CGI
    programs on the Internet  Information Server 4.0.   Unfortunately,
    the CGI programs has no features to control the source of  request
    for the modification  and are not  protected for malicious  remote
    users when  a location  of program  is called  with any arguments.
    This  may  allow  for  a  remote  user to make the software change
    unexpectedly.

    Examples:

        http://target/interscan/cgi-bin/FtpSave.dll?no
        http://target/interscan/cgi-bin/FtpSave.dll?yes
        http://target/interscan/cgi-bin/FtpSave.dll?I'm%20here

    This  was  tested  with  InterScan  VirusWall  for Windows NT 3.51
    English on  Windows NT  4.0 SP6a  [English Version].   It has been
    discovered by Nobuo Miwa.

SOLUTION

    No patches are available now.  Trend Micro support team  responded
    that this  problem will  be fixed  at Version  5.0.  They reported
    also the patch program will be released in July, 2001.

    Until the patch will be released, the solution is installing  this
    software  behind  the  protected  network  (ie.  use firewall, use
    access control features of the Web server).