CPNI INFOSEC ADVISORY - 005/07 - Three iDefense Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
CPNI INFOSEC ADVISORY - 005/07 dated 08.02.07 time 13:15
Centre for the Protection of National Infrastructure
______________________________________________________________________________
Further details about CPNI, including information about our products can be
found at www.cpni.gov.uk
______________________________________________________________________________
Title
=====
Three iDefense Security Advisories:
1. Trend Micro TmComm Local Privilege Escalation Vulnerability
2. Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability
3. RARLabs Unrar Password Prompt Buffer Overflow Vulnerability
Detail
======
1. Local exploitation of an input validation vulnerability within version 1.5.0.1052 of TmComm.sys, as included with Trend Micro's
AntiVirus engine, could allow an attacker to execute arbitrary code in kernel context.
2. Remote exploitation of a buffer overflow vulnerability within Trend Micro's AntiVirus engine could allow an attacker to crash the
scan engine or execute arbitrary code.
3. Remote exploitation of a stack based buffer overflow vulnerability in RARLabs Unrar may allow an attacker to execute arbitrary
code with the privileges of the user opening the archive.
1. Trend Micro TmComm Local Privilege Escalation Vulnerability
iDefense Security Advisory 02.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 07, 2007
I. BACKGROUND
The Trend Micro AntiVirus scan engine is widely relied upon to provide AntiVirus capabilities to desktop, server, and gateway
systems. The engine is licensed to several of Trend Micro's OEM partners. More information is available on Trend Micro's web site at
the following URL.
http://www.trendmicro.com/
II. DESCRIPTION
Local exploitation of an input validation vulnerability within version 1.5.0.1052 of TmComm.sys, as included with Trend Micro's
AntiVirus engine, could allow an attacker to execute arbitrary code in kernel context.
This vulnerability exists because of insecure permissions on the \\.\TmComm DOS device interface. The permissions on this device
allow "Everyone" write access, so any locally logged-in user can reach, via IOCTLs, functionality that was designed for privileged
use only.
Additionally, the IOCTL handlers behind this DOS device interface do not validate the addresses passed to them. As a result, it is
possible to overwrite arbitrary memory or execute attacker-supplied code in the context of the kernel (RING 0).
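The address-validation flaw described above, modelled in user-mode C as an added example (this is not iDefense's, Trend Micro's or TmComm.sys's code): a vulnerable IOCTL handler that copies to whatever destination pointer the caller supplies, beside a hardened one that caps the length and range-checks both pointers before touching memory. The request layout, the handler names tmcomm_ioctl_vulnerable and tmcomm_ioctl_hardened, the MAX_TRANSFER cap, the constructed attack payload and the static array standing in for kernel memory are all assumptions made for illustration.

```c
/* Added example: a user-mode model of the flaw in the advisory, not code from
 * iDefense, Trend Micro or TmComm.sys.  Request layout, handler names,
 * MAX_TRANSFER and the array standing in for kernel memory are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOCTL_OK        0
#define IOCTL_BAD_ADDR  1
#define IOCTL_BAD_LEN   2
#define MAX_TRANSFER    64      /* assumed upper bound for one request */

/* Stands in for kernel memory (e.g. a process token) in this model. */
static uint8_t kernel_mem[256];

/* What a caller hands to DeviceIoControl: "copy len bytes from src to dst".
 * Every field is controlled by whoever can open the device. */
struct ioctl_request {
    void       *dst;
    const void *src;
    size_t      len;
};

/* Vulnerable handler: uses the caller's addresses as-is, so a local user can
 * write attacker bytes to any kernel address (the bug class in the advisory). */
int tmcomm_ioctl_vulnerable(const struct ioctl_request *req)
{
    memcpy(req->dst, req->src, req->len);
    return IOCTL_OK;
}

/* Model of ProbeForRead/ProbeForWrite: [p, p+len) must not wrap and must not
 * overlap kernel memory. */
static int is_user_range(const void *p, size_t len)
{
    uintptr_t start  = (uintptr_t)p;
    uintptr_t end    = start + len;
    uintptr_t kstart = (uintptr_t)kernel_mem;
    uintptr_t kend   = kstart + sizeof kernel_mem;
    if (end < start)                        /* pointer arithmetic wrapped */
        return 0;
    return end <= kstart || start >= kend;  /* no overlap with kernel range */
}

/* Hardened handler: reject bad lengths first, then probe both pointers, and
 * only then touch memory. */
int tmcomm_ioctl_hardened(const struct ioctl_request *req)
{
    if (req->len == 0 || req->len > MAX_TRANSFER)
        return IOCTL_BAD_LEN;
    if (!is_user_range(req->dst, req->len) || !is_user_range(req->src, req->len))
        return IOCTL_BAD_ADDR;
    memcpy(req->dst, req->src, req->len);
    return IOCTL_OK;
}

/* Constructed attack: 16 bytes aimed at the start of kernel memory. */
static const uint8_t attack_payload[16] = "OWNED_BY_RING3!";

static struct ioctl_request make_attack_request(void)
{
    struct ioctl_request req = { kernel_mem, attack_payload, sizeof attack_payload };
    return req;
}

/* Returns 1 if the attack overwrote kernel memory via the vulnerable handler. */
int attack_vulnerable_handler(void)
{
    struct ioctl_request req = make_attack_request();
    memset(kernel_mem, 0, sizeof kernel_mem);
    tmcomm_ioctl_vulnerable(&req);
    return memcmp(kernel_mem, attack_payload, sizeof attack_payload) == 0;
}

/* Same attack against the hardened handler; returns its status code. */
int attack_hardened_handler(void)
{
    struct ioctl_request req = make_attack_request();
    memset(kernel_mem, 0, sizeof kernel_mem);
    return tmcomm_ioctl_hardened(&req);
}

/* Returns 1 if kernel memory is still all zero after the hardened path ran. */
int kernel_mem_is_clean(void)
{
    for (size_t i = 0; i < sizeof kernel_mem; i++)
        if (kernel_mem[i] != 0)
            return 0;
    return 1;
}

/* Legitimate use with user buffers on both sides: returns IOCTL_OK when the
 * data arrived, the handler's error code otherwise (-1 if the copy was wrong). */
int legit_request_hardened(void)
{
    static const uint8_t user_in[8] = "version";
    uint8_t user_out[32] = {0};
    struct ioctl_request req = { user_out, user_in, sizeof user_in };
    int rc = tmcomm_ioctl_hardened(&req);
    if (rc != IOCTL_OK)
        return rc;
    return memcmp(user_out, user_in, sizeof user_in) == 0 ? IOCTL_OK : -1;
}

/* Oversized length from user mode: rejected before any pointer is dereferenced. */
int oversized_request_hardened(void)
{
    uint8_t user_out[32];
    struct ioctl_request req = { user_out, attack_payload, (size_t)1 << 20 };
    return tmcomm_ioctl_hardened(&req);
}

int main(void)
{
    printf("vulnerable handler: kernel memory overwritten = %d\n", attack_vulnerable_handler());
    int rc = attack_hardened_handler();
    printf("hardened handler:   status %d, kernel memory clean = %d\n", rc, kernel_mem_is_clean());
    printf("legit request:      status %d\n", legit_request_hardened());
    printf("oversized request:  status %d\n", oversized_request_hardened());
    return 0;
}
```

Build with `gcc -std=c99 -Wall tmcomm_model.c` and run it. In a real Windows driver the two corresponding fixes are a restrictive DACL on the device object (IoCreateDeviceSecure with an SDDL such as D:P(A;;GA;;;SY)(A;;GA;;;BA), which grants access to SYSTEM and Administrators only, rather than one that gives Everyone write access) and, in each handler, either METHOD_BUFFERED so the I/O manager copies the buffers, or ProbeForRead/ProbeForWrite inside a __try block on every pointer taken from the request. Both are needed: the DACL limits who can reach the IOCTLs, the probing limits what a caller who does reach them can do.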
III. ANALYSIS
Exploitation allows an attacker to elevate privileges by overwriting arbitrary system memory or executing code within kernel
context.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in our vulnerability lab. The configuration at verification time was as
follows:
* Trend Micro's PC-Cillin Internet Security 2007
* TmComm.sys version 1.5.0.1052
* VsapiNI.sys (scan engine) version 3.320.0.1003
All products using Trend Micro's scan engine should be considered vulnerable.
V. WORKAROUND
Removing write permissions for "Everyone" appears to prevent access to the vulnerable code. iDefense confirmed that the virus
scanning engine was still able to detect viruses. Although no side effects were witnessed in lab tests, normal functionality may be
hindered.
VI. VENDOR RESPONSE
"To address this vulnerability, Trend Micro recommends that customers update their Anti-Rootkit Common Module to version
1.600-1052.
Products that are set to Automatic Update will be updated immediately.
Manual Updating can also be performed by using the product's "Update Now" function."
More information is available in Trend Micro's knowledge base at the link shown below.
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
01/17/2007 Initial vendor notification
01/19/2007 Initial vendor response
02/07/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Ruben Santamarta of reversemode.com.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/
X. LEGAL NOTICES
Copyright (C) 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of
this alert in any medium other than electronically, please e-mail customerservice@xxxxxxxxxxxx for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance on, this information.
2. Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability
iDefense Security Advisory 02.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 07, 2007
I. BACKGROUND
The Trend Micro AntiVirus scan engine provides anti-virus capabilities to desktop, server and gateway systems. The engine is
licensed to several of Trend Micro's OEM partners. More information is available on Trend Micro's web site at the following URL.
http://www.trendmicro.com/
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability within Trend Micro's AntiVirus engine could allow an attacker to crash the
scan engine or execute arbitrary code.
This vulnerability is caused by improper input validation when scanning specially crafted, malformed UPX-compressed executables.
Memory corruption could occur, leading to an invalid memory access or a potentially exploitable condition.
III. ANALYSIS
Exploitation allows attackers to crash the scan engine or execute arbitrary code.
This vulnerability could be used to gain unauthorized access to machines through common protocols, e.g. SMTP, HTTP, FTP. No
authentication is required for an attacker to leverage this vulnerability.
Under Windows, the scan engine runs in kernel context. Under Linux, the scan engine runs as a daemon with superuser privileges. As
such, an attacker can take complete control of the affected system if successful code execution is attained.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in our vulnerability lab. The configurations at verification time were as
follows:
* Trend Micro's PC-Cillin Internet Security 2007
* VsapiNI.sys (scan engine) version 3.320.0.1003
* ServerProtect for Linux v2.5 on RHEL 4.x
* vsapiapp version 8.310
Any implementations based on Trend Micro's AntiVirus scan engine are likely vulnerable in their default configuration.
V. WORKAROUND
iDefense is currently unaware of any effective workaround for this issue.
VI. VENDOR RESPONSE
"To address this vulnerability, Trend Micro recommends that customers update to Virus Pattern File 4.245.00 or higher."
For more information, consult the Trend Micro Knowledge Base article at the link shown below.
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034289
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
01/17/2007 Initial vendor notification
01/19/2007 Initial vendor response
02/07/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/
X. LEGAL NOTICES
Copyright (C) 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of
this alert in any medium other than electronically, please e-mail customerservice@xxxxxxxxxxxx for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance on, this information.
3. RARLabs Unrar Password Prompt Buffer Overflow Vulnerability
iDefense Security Advisory 02.07.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 07, 2007
I. BACKGROUND
Unrar is a command line archive extractor for Windows and Linux. For more information visit the vendor's site at the URL shown
below.
http://www.rarlabs.com/
II. DESCRIPTION
Remote exploitation of a stack based buffer overflow vulnerability in RARLabs Unrar may allow an attacker to execute arbitrary code
with the privileges of the user opening the archive.
Unrar is prone to a stack based buffer overflow when processing specially crafted password protected archives.
III. ANALYSIS
Exploitation of the vulnerability could allow an attacker to execute arbitrary code with the privileges of the user opening the
file.
Exploitation would require that an attacker host a maliciously crafted archive on a website and entice users to visit the site. An
attacker could also e-mail the malicious archive and use social engineering techniques to trick the e-mail recipient into opening
it.
There are several mitigating factors for this vulnerability. Nearly all Windows users will use the GUI based WinRAR to open
archives, and it is not vulnerable. If users are using the vulnerable command line based unrar, they still need to interact with the
program in order to trigger the vulnerability. They must respond to the prompt asking for the password, after which the
vulnerability will be triggered. They do not need to enter a correct password, but they must at least push the enter key.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in version 3.60 for Linux and 3.61 for Windows. Previous versions may
also be affected.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
RARLabs has addressed this vulnerability with the version 3.70 beta release of WinRAR.
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
12/12/2006 Initial vendor notification
01/09/2007 Initial vendor response
02/07/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/
X. LEGAL NOTICES
Copyright (C) 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of
this alert in any medium other than electronically, please e-mail customerservice@xxxxxxxxxxxx for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or reliance on, this information.
______________________________________________________________________________
CPNI values your feedback.
1. Which of the following most reflects the value of the advisory to you?
(Place an 'X' next to your choice)
Very useful:__ Useful:__ Not useful:__
2. If you did not find it useful, why not?
3. Any other comments? How could we improve our advisories?
Thank you for your contribution.
______________________________________________________________________________
For additional information or assistance, please contact our help desk by telephone.
You may send Not Protectively Marked information via e-mail to infosec@xxxxxxxxxxxx
Office hours:
Mon - Fri: 09:00 - 16:30 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749
On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of iDefense for the information contained in this advisory.
______________________________________________________________________________
This advisory contains information released by the original author. Some of the information may have changed since it was released.
If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive
the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not
constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this
notice shall not be used for advertising or product endorsement purposes.
CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be
liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this
advisory.
CPNI is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident
Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents,
and to promote information sharing amongst its members and the community at large.
______________________________________________________________________________
<End of CPNI Advisory>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQEVAwUBRcs2NCKQGgncZloDAQIjNwgAg839TwqJdmD8JgSKCSq//tkNq/GioPnu
HSolidIvye1xCe+pNlFQCrEgGytnMmTFZrOPXp1YJI7C1ltwifvuiwl0e+JJozwJ
ZCM0dItqif6562dffeX0iFR1s2FJejmJz5XCLZWbkOOv5ccEDo4XoaZ5qNIdFwHK
komyud9hImePMhWmtzfItm9NQwyFRJqq49iwKNsGTyet+eyxGIDMs4VmQSCaxLj7
+9YyVrULJ0C/hQJxivs8djDunskVsN912w+u639OaDZ5LDx9snHr4iXKQ5KIbOeu
W8fzZGAJEnIK7jTfheUBlgairjnBNgTrkuThSb9OvDfrwmod1mY3EQ==
=jDFF
-----END PGP SIGNATURE-----
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________