TUCoPS :: Security App Flaws :: vwall1~2.htm

VirusWall for NT - smtpscan.dll remote execute arbitrary command 
Vulnerability

    smtpscan.dll

Affected

    TrendMicro InterScan VirusWall 3.51

Description

    Following is  based on  a SNS  Advisory No.34.   A buffer overflow
    vulnerability  was   found  in   some  administrative    programs,
    smtpscan.dll, of InterScan VirusWall for Windows NT.  It allows  a
    remote user to execute an arbitrary command with SYSTEM privilege.

    If  long  strings   are  included  in   a  certain  parameter   of
    configuration by  exploiting the  vulnerability that  was reported
    by SNS Advisory  No.28, a buffer  overflow occurs when  requesting
    the following dll:

        http://server/interscan/cgi-bin/smtpscan.dll

    The following are  a memory dump  and contents of  register when a
    buffer overflow occurs.

        dump:
              00F8E5C0 71 71 71 72 72 72 72 73 qqqrrrrs
              00F8E5C8 73 73 73 74 74 74 74 75 sssttttu
        
        register:
             EIP=73727272 ESP=00F8E5C8

    Therefore, arbitrary  code may  be executed  by calling  esp which
    may be replaced by an attacker's supplied arbitrary code.

    This has been discovered by Nobuo Miwa.

Solution

    To get the patch, send e-mail to support@support.trendmicro.com or
    search this issue on

        http://solutionbank.antivirus.com/solutions/solutionSearch.asp

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH