Re: Trend Micro's VirusWall: Multiple vulnerabilities (fwd)

2001-01-16 Thread Joey Maier

On Mon, 15 Jan 2001, Hank Leininger wrote:

>Hm.  Joey's advisory listed a number of @trendmicro.com addresses he had
>sent notifications to.  He did not mention that the most obviously
>appropriate of those had bounced :(
>
>Hank Leininger <[EMAIL PROTECTED]>

Hey Hank,  (...and other folks)

The address that currently works for TrendMicro is
[EMAIL PROTECTED]  For the fastest response, include the
Case ID # in the subject line.  For this issue, that's [TDSC237EA95D].

Sorry I didn't mention which addresses bounced and which did not.
I was following the recommendations in RFPolicyV2, which states:
===
http://www.wiretrip.net/rfp/policy.html
===
Should the ORIGINATOR not be able to locate a suitable email address
for the MAINTAINER, the ORIGINATOR should address the ISSUE to:

security-alert@[MAINTAINER]
secure@[MAINTAINER]
security@[MAINTAINER]
support@[MAINTAINER]
info@[MAINTAINER]

regardless of their existence. Anyone who could be deemed as a
'MAINTAINER' is encouraged to populate at least some of the above
email addresses.
===

I agree that TrendMicro ought to establish a [EMAIL PROTECTED]
account and route that to someone other than their general support
staff.

Joey
--
"When you understand UNIX, you will understand the world.
 When you understand NT, you will understand NT" - Richard Thieme
http://www.slothnet.com - is currently unavailable :(



Trend Micro's VirusWall: Multiple vulnerabilities

2001-01-15 Thread Joey Maier

InterScan VirusWall - multiple vulnerabilities

***SUMMARY***

Product: Interscan VirusWall for UNIX
Vendor: Trend Micro
Testing Platform: RedHat Linux 6.2
vulnerable versions: 3.0.1 & 3.6.x
non-vulnerable versions: unknown
Issues: This advisory covers three separate issues

1) insecure password change mechanism - Password change
information is sent from the administrator's browser to the
setpasswd.cgi program in clear text.

2) weak authentication method allows password recovery - each
GET request contains the base64 encoded username:password pair
of the administrator.  This can easily be converted to plain text.

3) predictable file names for root-owned temporary files -
Installation or removal of this InterScan VirusWall can allow
local users to become root.

Impact: Issues 1 & 2 could allow unauthorized individuals to learn
the password for the 'admin' account on this box.  Using this
password, they could disable virus scanning, change the types
of files that are scanned, or alter the response the machine
makes to files containing viruses.  Issue 3 could provide an
attacker with a privileged account they might use to attack
other machines within a network.

Fixes:  On Dec. 29 a Trend Micro representative informed me that no
patches will be released, but the new version of ISVW (estimated
release late Feb. or early Mar.) will contain fixes for these
vulnerabilities.

Work-arounds:  Only install ISVW on a stand-alone box.  Don't use
the browser-based configuration tools remotely unless you
are confident that your network is not being sniffed.

Contact History:  Trend Micro was contacted three times (once per
vulnerability) December 26-27.  They've assigned these
three vulnerabilities to CASE ID# TDSC-237EA95D.

Researcher: Joey Maier <[EMAIL PROTECTED]>

===
***BACKGROUND***

Trend Micro's InterScanVirusWall (a.k.a. 'ISVW') is a product that
is designed to provide "Real-time virus detection and clean-up for all
SMTP, HTTP, and FTP Internet traffic at the gateway"
(see http://www.antivirus.com/products/isvw/ for details on this product)
Trend Micro has versions of ISVW for NT, Solaris, HP-UX and Linux.  This
advisory only covers the Linux version.  It is unknown if the NT, Solaris
and HP-UX versions of this product display the same behavior.

===
*** DETAILS - insecure password change mechanism ***

Installation of the ISVW package on a RedHat Linux 6.2 box places a web
server on port 1812.  This web server runs a variety of CGIs that provide
web-based administration functionality.  One of these is setpasswd.cgi,
which is used to change the administrative password for ISVW.  As the
following snort log shows, the old and new passwords are sent in clear
text to setpasswd.cgi via a GET request.


12/22-10:59:23.150987 172.16.105.36:1247 -> 172.16.104.122:1812
TCP TTL:128 TOS:0x0 ID:21767  DF
*PA* Seq: 0x3D5513F   Ack: 0xE257706   Win: 0x2238
47 45 54 20 2F 73 65 74 70 61 73 73 77 64 2E 63  GET /setpasswd.c
67 69 3F 4F 50 41 53 53 3D 6F 6C 64 70 61 73 73  gi?OPASS=oldpass
77 6F 72 64 2B 26 50 41 53 53 32 3D 6E 65 77 70  word+&PASS2=newp
61 73 73 77 6F 72 64 26 50 41 53 53 33 3D 6E 65  assword&PASS3=ne
77 70 61 73 73 77 6F 72 64 20 48 54 54 50 2F 31  wpassword HTTP/1
2E 30 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74  .0..Referer: htt
70 3A 2F 2F 31 37 32 2E 31 36 2E 31 30 34 2E 31  p://172.16.104.1
32 32 3A 31 38 31 32 2F 70 61 73 73 77 64 2E 63  22:1812/passwd.c
67 69 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  gi..Connection:
4B 65 65 70 2D 41 6C 69 76 65 0D 0A 55 73 65 72  Keep-Alive..User
2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F  -Agent: Mozilla/
34 2E 36 31 20 5B 65 6E 5D 20 28 57 69 6E 4E 54  4.61 [en] (WinNT
3B 20 55 29 0D 0A 48 6F 73 74 3A 20 31 37 32 2E  ; U)..Host: 172.
31 36 2E 31 30 34 2E 31 32 32 3A 31 38 31 32 0D  16.104.122:1812.
0A 41 63 63 65 70 74 3A 20 69 6D 61 67 65 2F 67  .Accept: image/g
69 66 2C 20 69 6D 61 67 65 2F 78 2D 78 62 69 74  if, image/x-xbit
6D 61 70 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C  map, image/jpeg,
20 69 6D 61 67 65 2F 70 6A 70 65 67 2C 20 69 6D   image/pjpeg, im
61 67 65 2F 70 6E 67 2C 20 2A 2F 2A 0D 0A 41 63  age/png, */*..Ac
63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67  cept-Encoding: g
7A 69 70 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67  zip..Accept-Lang
75 61 67 65 3A 20 65 6E 0D 0A 41 63 63 65 70 74  uage: en..Accept
2D 43 68 61 72 73 65 74 3A 20 69 73 6F 2D 38 38  -Charset: iso-88
35 39 2D 31 2C 2A 2C 75 74 66 2D 38 0D 0A 41 75  59-1,*,utf-8..Au
74 68 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 61 73  thorization: Bas
69 63 20 59 57 52 74 61 57 34 36 62 32 78 6B 63  ic YWRtaW46b2xkc
47 4
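As an added example (not part of the advisory, and not Trend Micro's code), the following Python script shows how a defender could audit a captured request of the kind shown in the log above: it decodes snort's hex-dump layout back into bytes, then flags credential-bearing query parameters (issue 1) and a Basic Authorization header carried over unencrypted HTTP (issue 2). The payload is constructed to mirror the captured request (same CGI, parameter names and account, with placeholder values); the parameter-name pattern and the 47-column snort hex layout are assumptions. Findings report only parameter names and the Basic-auth username, never the secret, so they are safe to log.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request mirroring the advisory's capture: same CGI, same parameter
# names and an 'admin' Basic-auth header. Values are placeholders, not real ones.
SAMPLE_REQUEST = (
    b"GET /setpasswd.cgi?OPASS=oldpassword+&PASS2=newpassword&PASS3=newpassword HTTP/1.0\r\n"
    + b"Host: 172.16.104.122:1812\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"admin:oldpassword") + b"\r\n"
    + b"\r\n"
)


def snort_hexdump(data: bytes) -> str:
    """Render bytes the way snort -d prints a payload (assumed layout):
    16 bytes per line as 'XX XX ... XX', two spaces, then an ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(f"{b:02X}" for b in chunk).ljust(47)
        asccol = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexcol}  {asccol}")
    return "\n".join(lines)


HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_dump(text: str) -> bytes:
    """Recover payload bytes from a snort-style dump. Only the 47-column hex
    field is read, so the ASCII column is never mistaken for data, and the
    packet header lines (timestamp, 'TCP TTL:', flags) yield no bytes."""
    data = bytearray()
    for line in text.splitlines():
        for tok in line[:47].split():
            if not HEX_BYTE.match(tok):
                break
            data.append(int(tok, 16))
    return bytes(data)


# Header lines as printed by snort in the advisory's capture, followed by the
# constructed payload; together they stand in for a saved snort log.
SAMPLE_DUMP = (
    "12/22-10:59:23.150987 172.16.105.36:1247 -> 172.16.104.122:1812\n"
    "TCP TTL:128 TOS:0x0 ID:21767  DF\n"
    "*PA* Seq: 0x3D5513F   Ack: 0xE257706   Win: 0x2238\n"
    + snort_hexdump(SAMPLE_REQUEST)
)

# Parameter names that, by convention, carry secrets (assumed heuristic).
CRED_PARAM = re.compile(r"pass|pwd|secret|token", re.I)


def audit_request(raw: bytes, transport_encrypted: bool = False) -> list:
    """Return findings for credentials exposed in a plain-HTTP request."""
    if transport_encrypted:  # TLS would wrap both exposures checked below
        return []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    findings = []
    # Issue 1: old and new passwords travel as query parameters of a GET, so
    # they are sniffable and also land in access logs and Referer headers.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if CRED_PARAM.search(name):
            findings.append({"kind": "cleartext-credential-in-url",
                             "method": method, "path": parts.path, "param": name})
    # Issue 2: Basic auth is only base64, so every request carries user:password.
    auth = headers.get("authorization", "")
    if auth[:6].lower() == "basic ":
        try:
            creds = base64.b64decode(auth[6:].strip(), validate=True).decode("latin-1")
            user = creds.split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            user = "<undecodable>"
        findings.append({"kind": "basic-auth-over-cleartext",
                         "path": parts.path, "user": user})
    return findings


if __name__ == "__main__":
    for finding in audit_request(parse_snort_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against the sample it reports three credential parameters (OPASS, PASS2, PASS3) on /setpasswd.cgi and one Basic-auth exposure for the admin user; passing transport_encrypted=True models the advisory's work-around of keeping the administration traffic off a sniffable network and yields no findings.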