Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0123 -- [Win]
Multiple vulnerabilities in Trend Micro ServerProtect
21 February 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62
Publisher: TippingPoint
Operating System: Windows Server 2003
Windows 2000
Windows NT
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2007-1070
Original Bulletin:
http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
http://www.tippingpoint.com/security/advisories/TSRT-07-02.html
Comment: This bulletin contains 2 advisories regarding vulnerabilities in
Trend Micro ServerProtect.
- --------------------------BEGIN INCLUDED TEXT--------------------
TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow
Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
February 20, 2007
- -- CVE ID:
CVE-2007-1070
- -- Affected Vendor:
Trend Micro
- -- Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since January 16, 2007 by Digital Vaccine protection
filter ID 5050. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com
- -- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Trend Micro ServerProtect. Authentication
is not required to exploit these vulnerabilities.
The specific flaws exist within the StCommon.dll library and are
reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to
by the service SpntSvc.exe. The RPC endpoint is exposed from
TmRpcSrv.dll with the following IDL stub information:
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0
error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
[in] long trend_req_num,
[in][size_is(arg_4)] byte overflow_str[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
[in] long arg_6
);
The upper half of the 'trend_req_num' DWORD RPC argument from above is
used within TmRpcSrv.dll as an index into a call table. It must
specifically be 0x000a which results in a call to StRpcSrv.65673970().
The original arguments to the RPC endpoint are then passed to this
called routine:
657416E6 mov eax, opnum0_call_table[eax*4]
657416ED test eax, eax
657416EF jnz short loc_65741707
...
65741707 loc_65741707:
65741707 mov [ebp+var_4], 0
6574170E mov edx, [ebp+sizeof_arg5]
65741711 push edx
65741712 mov edx, [ebp+arg5_array]
65741715 push edx
65741716 mov edx, [ebp+sizeof_overflow_str]
65741719 push edx
6574171A mov edx, [ebp+overflow_str]
6574171D push edx
6574171E push ecx ; trend_req_num
6574171F call eax ; call handler
The lower half of the 'trend_req_num' DWORD RPC argument is then used
within StRpcSrv.dll as an index into a second call table. The value of
this lower half controls the code flow to the following vulnerabilities
and is hereto referred to as the 'subcode'.
- --[ Vulnerability One
A subcode value of either 0x0011 or 0x0017 results in the following
call:
65674D7F push ebx ; overflow_str
65674D80 call CMON_NetTestConnection
A stack overflow occurs within the routine CMON_NetTestConnection() due
to an unbounded widechar wsprintf() into a 44 byte stack based buffer as
shown in the following relevant excerpt:
65634AC5 xor ecx, ecx
65634AC7 lea edx, [esp+65Ch+Name] ; 44 byte stack buffer
65634ACB mov cx, [eax]
65634ACE push ecx
65634ACF push ebx ; 1st arg
65634AD0 push offset str_SC ; "\\\\%s\\%c$"
65634AD5 push edx ; LPWSTR
65634AD6 call ds:wsprintfW ; vuln!
- --[ Vulnerability Two
A subcode value of either 0x0008 or 0x0009 results in calls to
CMON_ActiveUpdate() and CMON_ActiveRollback() respectively. Both of
these routines subsequently call StCommon.65631220() which can result
in a stack overflow due to an unbounded widechar lstrcat() into a 2k
stack-based buffer as shown in the following relevant excerpt:
65631311 lea edx, [esp+0A78h+buf]
65631318 push ebp ; lpString2
65631319 push edx ; lpString1
6563131A call ebx ; lstrcatW ; stack overflow
The resulting stack overflows can be leveraged to execute arbitrary
code under the privileges of the SYSTEM user.
- -- Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More
details can be found at:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290
- -- Disclosure Timeline:
2007.01.16 - Digital Vaccine released to TippingPoint customers
2007.01.19 - Vulnerability reported to vendor
2007.02.20 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by Pedram Amini,
TippingPoint Security Research Team.
TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow
Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-07-02.html
February 20, 2007
- -- CVE ID:
CVE-2007-1070
- -- Affected Vendor:
Trend Micro
- -- Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62
- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since January 16, 2007 by Digital Vaccine protection
filter ID 5101. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com
- -- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Trend Micro ServerProtect. Authentication
is not required to exploit these vulnerabilities.
The specific flaws exist within the StCommon.dll library and are
reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to
by the service SpntSvc.exe. The RPC endpoint is exposed from
TmRpcSrv.dll with the following IDL stub information:
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0
error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
[in] long trend_req_num,
[in][size_is(arg_4)] byte overflow_str[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
[in] long arg_6
);
The upper half of the 'trend_req_num' DWORD RPC argument from above is
used within TmRpcSrv.dll as an index into a call table. It must
specifically be 0x0003 which results in a call to StRpcSrv.65671000().
The original arguments to the RPC endpoint are then passed to this
called routine:
657416E6 mov eax, opnum0_call_table[eax*4]
657416ED test eax, eax
657416EF jnz short loc_65741707
...
65741707 loc_65741707:
65741707 mov [ebp+var_4], 0
6574170E mov edx, [ebp+sizeof_arg5]
65741711 push edx
65741712 mov edx, [ebp+arg5_array]
65741715 push edx
65741716 mov edx, [ebp+sizeof_overflow_str]
65741719 push edx
6574171A mov edx, [ebp+overflow_str]
6574171D push edx
6574171E push ecx ; trend_req_num
6574171F call eax ; call handler
The lower half of the 'trend_req_num' DWORD RPC argument is then used
within StRpcSrv.dll as an index into a second call table. The value of
this lower half controls the code flow to the following vulnerabilities
and is hereto referred to as the 'subcode'.
- --[ Vulnerability One
A subcode value of 0x0004 results in a call to
ENG_SetRealTimeScanConfigInfo() which subsequently calls through
Eng50.61181940() -> Eng50.611819E0() -> Eng50.61190F60() and can result
in a stack overflow due to an unbounded widechar string copy into a ~600
byte stack-based buffer as shown in the following relevant excerpt:
61190FC7 lea edx, [esp+288h+szShortPath]
61190FCB push esi
61190FCC push edx
61190FCD call _wcscpy
- --[ Vulnerability Two
A subcode value of 0x0047 results in a call to ENG_SendEMail() which
can result in a stack overflow due to an unbounded widechar string copy
into a ~2k stack-based buffer as shown in the following relevant
excerpt:
6118A161 mov esi, [esp+780h+arg_0]
6118A168 lea eax, [esp+780h+var_778]
6118A16C push esi
6118A16D push eax
6118A16E call _wcscpy
The resulting stack overflows can be leveraged to execute arbitrary
code under the privileges of the SYSTEM user.
- -- Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More
details can be found at:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290
- -- Disclosure Timeline:
2007.02.01 - Vulnerability reported to vendor
2007.01.16 - Digital Vaccine released to TippingPoint customers
2007.02.20 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by Pedram Amini,
TippingPoint Security Research Team.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRdvcnSh9+71yA2DNAQLQBQQAl8tKNpsqvN70fnY98xrqy8c9FPAr/6go
929NM6K0C7anF3sFqy+qIoK5UykAM/fqPHcB9OwDSH5SqrAkjYVjWG4dtYz4IvZY
x32Xpoo9B+oOHyRCTOeYuzhv7Eh45glXlQkRj2G3ger03fRbnrp2GKYaNw5611eY
8yQ+a4yEYjc=
=xe4N
-----END PGP SIGNATURE-----