From:
To:
Subject: [SNS Advisory No.42] Trend Micro InterScan eManager for NT Multiple Program Buffer Overflow Vulnerability
Date: Wednesday, 12 September 2001 16:57

----------------------------------------------------------------------
SNS Advisory No.42
Trend Micro InterScan eManager for NT Multiple Program Buffer Overflow Vulnerability

Problem first discovered: Fri, 27 Jul 2001
Published: Wed, 12 Sep 2001
----------------------------------------------------------------------

Overview:
---------
Trend Micro InterScan eManager for NT contains a buffer overflow vulnerability. It may allow an attacker to execute arbitrary code remotely in the Local System context.

Problem Description:
--------------------
InterScan eManager is plug-in software for InterScan VirusWall; both are developed by Trend Micro. It provides spam filtering, content filtering, and a Web-based management console.

Some CGI programs used by this Web-based management console contain a buffer overflow vulnerability. It may allow an attacker to execute arbitrary code remotely in the Local System context.

In addition, the Web-based console of InterScan eManager has no authentication method to confirm that the user is an administrator. This allows an attacker to reconfigure its settings, which will cause major complications.

Exploitable CGI programs:

  /eManager/cgi-bin/register.dll
  /eManager/Content%20Management/ContentFilter.dll
  /eManager/Content%20Management/SFNofitication.dll
  /eManager/Email%20Management/cgi-bin/register.dll
  /eManager/Email%20Management/cgi-bin/TOP10.dll
  /eManager/Email%20Management/cgi-bin/SpamExcp.dll
  /eManager/Email%20Management/cgi-bin/spamrule.dll

Tested Version:
---------------
InterScan eManager for NT Ver.3.51
InterScan eManager for NT Ver.3.51J

Tested OS:
----------
Windows NT 4.0 Server + SP6a [English]
Windows NT 4.0 Server + SP6a [Japanese]

Patch Information:
------------------
A patch to fix this issue for InterScan eManager for NT Ver.3.51J is available at the URL below:

http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3142

A patch for InterScan eManager for NT Ver.3.51 is to be released.

Workarounds:
------------
The workarounds listed below will minimize the vulnerability.

1. If the Web-based console is not necessary, remove the /eManager virtual directory using Internet Service Manager.
2. Enable NTLM authentication using Internet Service Manager. This restricts access to the Web-based console.
3. Restrict untrusted hosts' access to the Web-based console with a firewall or similar means.

Discovered by:
--------------
ARAI Yuu (LAC) y.arai@lac.co.jp

Disclaimer:
-----------
All information in these advisories is subject to change without advance notice or mutual consensus, and each advisory is released as is. LAC Co.,Ltd. is not responsible for any risks arising from applying this information.

References:
-----------
Archive of this advisory:
http://www.lac.co.jp/security/english/snsadv_e/42_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory
Computer Security Laboratory, LAC
http://www.lac.co.jp/security/
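
Added example, not part of the original advisory or of any Trend Micro or LAC tooling: one way to check from the web server's logs whether workarounds 2 and 3 are holding for the /eManager console. It assumes W3C Extended logging with the c-ip, cs-username, cs-uri-stem and sc-status fields enabled; the function name, the admin network and the sample log lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import unquote_plus

# CGI programs listed in the advisory (%20 decoded, lower-cased for matching).
LISTED = {p.lower() for p in (
    "/eManager/cgi-bin/register.dll",
    "/eManager/Content Management/ContentFilter.dll",
    "/eManager/Content Management/SFNofitication.dll",
    "/eManager/Email Management/cgi-bin/register.dll",
    "/eManager/Email Management/cgi-bin/TOP10.dll",
    "/eManager/Email Management/cgi-bin/SpamExcp.dll",
    "/eManager/Email Management/cgi-bin/spamrule.dll",
)}

def audit(log_lines, admin_nets):
    """Return (c-ip, path, reasons) for console requests that need review."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    fields, findings = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        rec = dict(zip(fields, line.split()))
        if line.startswith("#") or "c-ip" not in rec:
            continue
        # IIS writes a space inside a field as '+'; clients may also send %20.
        path = unquote_plus(rec.get("cs-uri-stem", "")).lower()
        if not path.startswith("/emanager/"):
            continue
        reasons = []
        if not any(ipaddress.ip_address(rec["c-ip"]) in n for n in nets):
            reasons.append("outside-admin-net")      # workaround 3 not holding
        if rec.get("cs-username", "-") == "-" and rec.get("sc-status", "")[:1] == "2":
            reasons.append("anonymous-success")      # workaround 2 not holding
        if reasons:
            if path in LISTED:
                reasons.append("listed-cgi")
            findings.append((rec["c-ip"], path, reasons))
    return findings

# Constructed sample log; addresses are from documentation ranges.
SAMPLE = [
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
    "2001-09-12 07:01:10 192.0.2.10 LAB\\admin GET /eManager/Email+Management/cgi-bin/TOP10.dll 200",
    "2001-09-12 07:02:44 203.0.113.7 - GET /eManager/cgi-bin/register.dll 200",
    "2001-09-12 07:03:02 203.0.113.7 - GET /eManager/Content%20Management/ContentFilter.dll 401",
    "2001-09-12 07:03:30 192.0.2.11 - GET /default.htm 200",
]
```

Calling `audit(SAMPLE, ["192.0.2.0/24"])` reports the two requests from 203.0.113.7 and ignores the authenticated request from the admin network. Any row tagged `anonymous-success` means the console answered without NTLM authentication.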