TUCoPS :: Security App Flaws :: vwall1~3.htm

VirusWall for NT - HttpSaveC?P.dll remote execute arbitrary command 
Vulnerability

    HttpSaveC?P.dll

Affected

    TrendMicro InterScan VirusWall 3.51

Description

    Following is  based on  a SNS  Advisory No.35.   A buffer overflow
    vulnerability  was   found  in   some  administrative    programs,
    smtpscan.dll, of InterScan VirusWall for Windows NT.  It allows  a
    remote user to execute an arbitrary command with SYSTEM privilege.

    If  long  strings   are  included  in   a  certain  parameter   of
    configuration by  exploiting the  vulnerability that  was reported
    by SNS Advisory  No.28, a buffer  overflow occurs when  requesting
    the following dll(s):

        http://server/interscan/cgi-bin/HttpSaveCVP.dll
        http://server/interscan/cgi-bin/HttpSaveCSP.dll

    The following are  a memory dump  and contents of  register when a
    buffer overflow occurs.

        dump:
             023FFAC2  6D 6D 6D 6E 6E 6E  mmmnnn
             023FFAC8  6F 6F 6F 70 70 70  oooppp
        
        register:
             EAX = 023FFAC8 EIP = 6E6E6E6D

    Therefore, arbitrary  code may  be executed  by calling  eax which
    may be replaced by an attacker's supplied arbitrary code.

    Discovered by Nobuo Miwa.

Solution

    To get the patch, send e-mail to support@support.trendmicro.com or
    search this issue on

        http://solutionbank.antivirus.com/solutions/solutionSearch.asp

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH