[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[DCA-2011-0004] - Trend WebReputation API Bypass
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [DCA-2011-0004] - Trend WebReputation API Bypass
- From: Ewerson Guimarães (Crash) - Dclabs <crash@xxxxxxxxxxxxx>
- Date: Mon, 14 Mar 2011 15:06:32 -0300
- Cc: dcLabs <dclabs@xxxxxxxxxxxxx>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:date:x-google-sender-auth :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=iRnKsZd/FRgwykRKu818XTVpzAZ6qi/7SzosDnAYTls=; b=SHbPyjvIcuqvWioom2MhSb6YdwGb6Lf9j/YoQvB5NpudmP75BhalTK+Z3qvJmok7de V6lVUMG253Psqq+IjgrB9ykWL8uLwsaG3AVQtBO5vkDuqvCCunoem58s9QXNnPV005dO 60HkL/yYJ4KwadyPp4N/5NjU0Ln4RKSBujdX8=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type:content-transfer-encoding; b=SqjzEnxuPfgOV2BOJpnEdyDpM2jWrJYr0PSLVY5A1PEeAm3K4D2sx+yycPSjan3zSW JX+g0dNmUUXAWn4tfPKqX947je+aFt4FwkEdxXEOWiBWAAKMkhsAuFcOXifIN3GAXJDo 0p+5C4HaLm+DsOrVcGNieNmPFZ4x0G7qgL/8E=
- List-help: <mailto:firstname.lastname@example.org>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:email@example.com>
- List-subscribe: <mailto:firstname.lastname@example.org>
- List-unsubscribe: <mailto:email@example.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- Sender: crashbrz@xxxxxxxxx
- DcLabs Security Research Group advises about following vulnerability(ies):
- Trend WebReputation API
[Vendor Product Description]
- Secure any endpoint – physical or virtual – with the industry’s strongest,
most reliable protection, while reducing the impact on your endpoint resources.
Harness the power of the cloud with to-the-second protection from the
Trend Micro Smart Protection Network.
Ground-breaking new virtualization awareness delivers the latest
endpoint solutions along with
peace of mind and innovative resource-saving technology to help you
defend against zero day threats with optional virtual patching.
- Advisory sent to vendor: 15/Feb/2011
- Vendor said there is no failure 15/Feb/2011
- Advisory sent again with demo video: 16/Feb/2011
- Vendor confirmed the bug 16/Feb/2011
- Vendor fixed the bug 17/Feb/2011
- Advisory coordinated to be published 18/Feb/2011
- Published 14/Mar/2011
- Download content-filter circumvent
- Prior versions can also be affected but wasn't tested.
[Bug Description and Proof of Concept]
- Web Reputation download filter can be easily circumvented by adding
a @ or a'question mark' (?) at the end of URL.
The URL that you are attempting to access is a potential security
risk. Trend Micro OfficeScan has blocked this URL
in keeping with network security policy.
Risk Level: Dangerous
Details: Verified fraud page or threat source
Just put ? in end:
Demo Video: http://www.youtube.com/watch?v=J2Nd3wNWXPU
All flaws described here were discovered and researched by:
Ewerson Guimaraes (Crash)
DcLabs Security Research Group
crash <AT> dclabs <DOT> com <DOT> br
DcLabs Security Research Group.
Ewerson Guimaraes (Crash)
DcLabs Security Team