lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 14 Mar 2011 15:06:32 -0300
From: Ewerson Guimarães (Crash) - Dclabs <crash@...abs.com.br>
To: bugtraq@...urityfocus.com
Cc: dcLabs <dclabs@...abs.com.br>
Subject: [DCA-2011-0004] - Trend WebReputation API Bypass

[DCA-2011-0004]


[Discussion]
- DcLabs Security Research Group advises about following vulnerability(ies):


[Software]
- Trend WebReputation API

[Vendor Product Description]
- Secure any endpoint – physical or virtual – with the industry’s strongest,
most reliable protection, while reducing the impact on your endpoint resources.
Harness the power of the cloud with to-the-second protection from the
Trend Micro Smart Protection Network.
Ground-breaking new virtualization awareness delivers the latest
endpoint solutions along with
peace of mind and innovative resource-saving technology to help you
defend against zero day threats with optional virtual patching.
- Source:http://us.trendmicro.com/us/products/enterprise/officescan/index.html


[Advisory Timeline]
- Advisory sent to vendor: 15/Feb/2011
- Vendor said there is no failure 15/Feb/2011
- Advisory sent again with demo video: 16/Feb/2011
- Vendor confirmed the bug 16/Feb/2011
- Vendor fixed the bug 17/Feb/2011
- Advisory coordinated to be published 18/Feb/2011
- Published 14/Mar/2011



 [Bug Summary]
 - Download content-filter circumvent

 [Impact]
 - Medium

 [Affected Version]
 - 10.5
 - Prior versions can also be affected but wasn't tested.

 [Bug Description and Proof of Concept]
 - Web Reputation download filter can be easily circumvented by adding
 a @ or a'question mark' (?) at the end of URL.

 POC:
 URL Blocked

 The URL that you are attempting to access is a potential security
 risk. Trend Micro OfficeScan has blocked this URL
 in keeping with network security policy.

 URL:    http://nmap.org/dist/nmap-5.51-setup.exe
 Risk Level:      Dangerous
 Details:        Verified fraud page or threat source


 Just  put ? in end:
 http://nmap.org/dist/nmap-5.51-setup.exe?

 Download successful

 Second POC:
 Demo Video: http://www.youtube.com/watch?v=J2Nd3wNWXPU

 All flaws described here were discovered and researched by:
 Ewerson Guimaraes (Crash)
 DcLabs Security Research Group
 crash <AT> dclabs <DOT> com <DOT> br

 [Workarounds]
 -

 [Credits]
 DcLabs Security Research Group.

-- 
Ewerson Guimaraes (Crash)
Pentester/Researcher
DcLabs Security Team
www.dclabs.com.br

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ