lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <008801c411b2$48147e50$329f8018@su1>
From: trihuynh at zeeup.com (Tri Huynh)
Subject: TrendMacro Interscan Viruswall Directory Traversal


   TrendMacro Interscan Viruswall Directory Traversal
   =================================================

   PROGRAM: TrendMacro Interscan Viruswall
   HOMEPAGE: http://www.trendmicro.com
   VULNERABLE VERSIONS: - 3.5x (Windows)
                                                  - Unix/Solaris version is
not tested but possibly
                                                     vulnerable

  DESCRIPTION
   =================================================

  InterScan VirusWall provides intelligent content scanning
  to prevent virus outbreaks. It blocks spam, non-business
  related messages, and attachments to protect enterprise
  network and business integrity.

   DETAILS
   =================================================

   Interscan Web Viruswall, a part of Interscan Viruswall package, is a web
   proxy/gateway service that has a responsibility to scan virus
  "on-the-fly" before it reach the user browser. In Interscan
   Web Viruswall, there is a builtin mechanism that
   allows anybody to read files at the /ishttp/localweb directory by using
   such an URL: http://victimIP:8080/ishttpd/localweb/filename. Other URLs
point to
  different directories (except sub-directories of "localweb")  won't
trigger the
   mechanism and will be forwarded to the proxy which the service
   is set up to. The reason there such a "feature" is because Interscan
   Web Viruswall  has another feature (not turned on by default) called
   TeleWindow which uses an applet (/ishttpd/localweb/java/telewind.zip)
   to allow user to see the scanning process. Unfortunately, that built-in
mini
   webserver has a directory traversal problem. By using such an URL like
this,
   an evil genius ;-) can access to files outside the
   localweb directory:
http://victimIP:8080/ishttpd/localweb/java/?/../../../ishttpd.exe
   will download the service executable file or

http://24.128.159.50:8080/ishttpd/localweb/java/?/../../../../../../../../autoexec.bat
   will download the autoexec.bat file in the root directory.

   WORKAROUND
   =================================================
   Administrators should be aware that even the TeleWindow feature is not
   turned on, the vulnerability can sill be exploited since the
   mini-webserver is hardcoded and it can't be turned off by using the
configuration
   interface.

  Apply the patch from TrendMacro or temporarily stop using the Interscan
  Web Viruswall until the patch is issued.

  Update: The technical support email  virus_doctor@...ndmacro.com was
  sent an email concern about this problem. However, it has been 6 days
  and we haven't received any reponses yet.

  CREDITS
   =================================================

   Discovered by Tri Huynh from SentryUnion


   DISLAIMER
   =================================================

   The information within this paper may change without notice. Use of
   this information constitutes acceptance for use in an AS IS condition.
   There are NO warranties with regard to this information. In no event
   shall the author be liable for any damages whatsoever arising out of
   or in connection with the use or spread of this information. Any use
   of this information is at the user's own risk.


   FEEDBACK
   =================================================

   Please send suggestions, updates, and comments to: trihuynh@...up.com




Powered by blists - more mailing lists