Wednesday, August 22, 2007

[NT] Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities

The following security advisory was sent to the SecuriTeam mailing list and can be found on the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Trend Micro Inc.'s ServerProtect
(http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/index.html)
is anti-virus software for Microsoft Windows and Novell NetWare servers. It
lets network administrators manage multiple deployments from a single
management console. Remote exploitation of multiple buffer overflow
vulnerabilities in ServerProtect could allow attackers to execute arbitrary
code with system-level privilege.

DETAILS

Vulnerable Systems:
* Trend Micro ServerProtect for Windows version 5.58 Build 1176 (Security Patch 3)

Immune Systems:
* Trend Micro ServerProtect for Windows Security Patch 4

The Trend ServerProtect service (SpntSvc.exe) handles RPC requests on TCP
port 5168 with interface UUID 25288888-bd5b-11d1-9d53-0080c83a5c2c. The
service uses the StRpcSrv.dll, Stcommon.dll, Eng50.dll and Notification.dll
libraries to service the various RPC requests.

Three buffer overflows exist within the StRpcSrv.dll library. The first two
are in the RPCFN_ENG_NewManualScan and RPCFN_ENG_TimedNewManualScan
functions, which copy user-supplied data into a fixed-size heap buffer
without proper bounds checking. The third is in the RPCFN_SetComputerName
function, which copies user-supplied data into a fixed-size stack buffer
using MultiByteToWideChar() without correctly specifying the output buffer
length (the cchWideChar argument counts wide characters, not bytes, so a
wrong value lets the conversion write past the end of the buffer).

Two stack-based buffer overflows exist within the Stcommon.dll library.
These problems specifically exist within the
RPCFN_CMON_SetSvcImpersonateUser and RPCFN_OldCMON_SetSvcImpersonateUser
functions. These functions copy user-supplied data into a fixed-size stack
buffer without performing proper bounds checking.

Two buffer overflows exist within the Eng50.dll library. These two issues
exist within the ENG_TakeActioinOnAFile and RPCFN_ENG_AddTaskExportLogItem
functions. Both of these functions copy user-supplied data into fixed-size
buffers without performing proper bounds checking. The
ENG_TakeActioinOnAFile function uses a buffer stored on the heap as the
destination, whereas the RPCFN_ENG_AddTaskExportLogItem function uses a
buffer stored in stack memory.

A stack-based buffer overflow exists within the Notification.dll library.
This vulnerability specifically exists in the NTF_SetPagerNotifyConfig
function. This function copies user-supplied data into a fixed-size stack
buffer without performing proper bounds checking.

The Trend ServerProtect Agent service handles RPC requests on TCP port
3628 with interface UUID 25288888-bd5b-11d1-9d53-0080c83a5c2c. A
stack-based buffer overflow exists within the RPCFN_CopyAUSrc function,
which copies user-supplied data into a fixed-size stack buffer without
proper bounds checking.
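
Every function listed above has one of two forms of the same defect: a
caller-supplied length trusted by a copy into a fixed-size buffer, or (in
RPCFN_SetComputerName) a MultiByteToWideChar() call given the wrong length
unit. The following is an added C example, not Trend Micro or iDefense code.
The buffer sizes, the argument layouts, the _vuln/_safe function names and
the stand-in for MultiByteToWideChar() are assumptions for illustration; it
shows each pattern beside a bounded version, and why short inputs hide the
bug.

```c
/* Added example, not Trend Micro or iDefense code. Both defects the advisory
 * describes, each beside a bounded version. Buffer sizes and the argument
 * layout of the RPC functions are assumed; only the bug pattern is real. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32   /* assumed capacity of the name buffer, in 16-bit units */

/* Stand-in for Win32 MultiByteToWideChar() so the example runs anywhere. It
 * keeps the part of the contract that matters: cch_dst counts 16-bit units,
 * not bytes; cb_src == -1 means NUL-terminated (terminator counted); cch_dst
 * == 0 is a size query; if the output does not fit, nothing is written and 0
 * is returned (the real API sets ERROR_INSUFFICIENT_BUFFER). ASCII only. */
static int mb_to_wc(const char *src, int cb_src, uint16_t *dst, int cch_dst)
{
    int needed = (cb_src < 0) ? (int)strlen(src) + 1 : cb_src;
    if (cch_dst == 0)
        return needed;
    if (needed > cch_dst)
        return 0;
    for (int i = 0; i < needed; i++)
        dst[i] = (uint8_t)src[i];
    return needed;
}

/* VULNERABLE pattern (never call with attacker-controlled input): sizeof()
 * gives bytes (64) where the API wants units (32), so a name of 32 or more
 * characters is written past the end of wname. Short names convert fine,
 * which is why the bug survives functional testing. */
static int set_computer_name_vuln(const char *name)
{
    uint16_t wname[NAME_CAP];
    return mb_to_wc(name, -1, wname, (int)sizeof(wname)) > 0 ? 0 : -1;
}

/* HARDENED: pass the element count and treat a zero return as failure. */
static int set_computer_name_safe(const char *name)
{
    uint16_t wname[NAME_CAP];
    int n = mb_to_wc(name, -1, wname, (int)(sizeof(wname) / sizeof(wname[0])));
    return n > 0 ? 0 : -1;
}

/* Boundary helper: n 'A's through the hardened path. 31 fits (31 + NUL = 32
 * units), 32 is rejected. */
static int safe_name_of_len(int n)
{
    char name[256];
    if (n < 0 || n >= (int)sizeof(name))
        return -1;
    memset(name, 'A', (size_t)n);
    name[n] = '\0';
    return set_computer_name_safe(name);
}

/* The plain-byte flavour: the RPC argument arrives as (length, bytes) and
 * the length is trusted. VULNERABLE: overflows dst once len reaches its size. */
static void copy_rpc_string_vuln(char *dst, const char *src, uint32_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* HARDENED: capacity travels with the destination, the terminator is
 * accounted for, and nothing is written when the check fails. */
static int copy_rpc_string_safe(char *dst, size_t dst_cap,
                                const char *src, uint32_t len)
{
    if (dst_cap == 0 || len >= dst_cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Boundary helper for a 16-byte destination: len 15 fits, 16 is rejected. */
static int safe_copy_of_len(uint32_t len)
{
    char dst[16];
    const char *src = "0123456789abcdef0123456789abcdef";   /* 32 bytes */
    if (len > strlen(src))
        return -1;
    return copy_rpc_string_safe(dst, sizeof dst, src, len);
}

int main(void)
{
    char dst[16];
    /* Benign inputs: vulnerable and hardened versions agree, hiding the bug. */
    printf("vuln, short name: %d\n", set_computer_name_vuln("FILESRV01"));
    copy_rpc_string_vuln(dst, "FILESRV01", 9);
    printf("vuln, short copy: %s\n", dst);
    /* The hardened paths reject exactly the inputs that would overflow. */
    printf("safe name, 31 chars: %d, 32 chars: %d\n",
           safe_name_of_len(31), safe_name_of_len(32));
    printf("safe copy, 15 bytes: %d, 16 bytes: %d\n",
           safe_copy_of_len(15), safe_copy_of_len(16));
    return 0;
}
```

The two fixes are the same fix: the destination's real capacity, in the unit
the copying routine counts in, must reach the copy, and a short return from
the conversion API is an error, not a success. Checking the return value
alone does not save the vulnerable name path, because the API has already
been told the buffer is twice its real size.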

Analysis:
Exploitation allows attackers to execute arbitrary code with system-level
privilege.

Exploitation requires that attackers send specially crafted RPC requests
to the Trend ServerProtect (TCP port 5168) or Trend ServerProtect Agent
(TCP port 3628) services.
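
Before the patch can be rolled out, an administrator needs to know which
hosts still expose these services, and a DCE/RPC bind to the interface UUID
above is enough to tell. The following is an added C example, not Trend
Micro or iDefense code: it builds the bind PDU for that interface, parses
the bind_ack or bind_nak that comes back, and connects when given a host and
port. The interface version (1.0) and the two constructed sample replies are
assumptions; the advisory does not state a version.

```c
/* Added example, not Trend Micro or iDefense code: the client half of a
 * DCE/RPC bind to the ServerProtect interface and a parser for the reply,
 * to check which hosts still expose TCP 5168 (or 3628, the Agent).
 * Assumed: interface version 1.0 (the advisory gives none) and the two
 * constructed sample replies below. POSIX sockets. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <unistd.h>

#define SPNT_UUID "25288888-bd5b-11d1-9d53-0080c83a5c2c"
#define NDR_UUID  "8a885d04-1ceb-11c9-9fe8-08002b104860"
#define BIND_LEN  72

static uint8_t g_pdu[BIND_LEN];

static void put16(uint8_t *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void put32(uint8_t *p, unsigned v) { put16(p, v); put16(p + 2, v >> 16); }
static unsigned get16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Text UUID -> NDR wire form: first three fields little-endian, the
 * clock_seq and node bytes in string order. */
static int uuid_to_wire(const char *s, uint8_t out[16])
{
    unsigned f[10];
    if (sscanf(s, "%8x-%4x-%4x-%4x-%2x%2x%2x%2x%2x%2x", &f[0], &f[1], &f[2],
               &f[3], &f[4], &f[5], &f[6], &f[7], &f[8], &f[9]) != 10)
        return -1;
    put32(out, f[0]); put16(out + 4, f[1]); put16(out + 6, f[2]);
    out[8] = f[3] >> 8; out[9] = f[3] & 0xff;
    for (int i = 0; i < 6; i++) out[10 + i] = (uint8_t)f[4 + i];
    return 0;
}

/* Connection-oriented bind PDU (DCE 1.1 RPC spec, 12.6.4.3) with one
 * presentation context: the target interface over NDR v2. */
static int build_bind(uint8_t *pdu, const char *if_uuid, unsigned maj, unsigned min)
{
    memset(pdu, 0, BIND_LEN);
    pdu[0] = 5;                 /* rpc_vers 5, minor 0 */
    pdu[2] = 11;                /* ptype = bind */
    pdu[3] = 0x03;              /* PFC_FIRST_FRAG | PFC_LAST_FRAG */
    pdu[4] = 0x10;              /* drep: little-endian, ASCII, IEEE float */
    put16(pdu + 8, BIND_LEN);   /* frag_length; auth_length stays 0 */
    put32(pdu + 12, 1);         /* call_id */
    put16(pdu + 16, 4280);      /* max_xmit_frag */
    put16(pdu + 18, 4280);      /* max_recv_frag; assoc_group_id stays 0 */
    pdu[24] = 1;                /* n_context_elem */
    pdu[30] = 1;                /* n_transfer_syn (p_cont_id at 28 stays 0) */
    if (uuid_to_wire(if_uuid, pdu + 32) < 0) return -1;
    put16(pdu + 48, maj); put16(pdu + 50, min);   /* abstract syntax version */
    uuid_to_wire(NDR_UUID, pdu + 52);
    put32(pdu + 68, 2);         /* NDR transfer syntax version 2 */
    return BIND_LEN;
}

static int build_serverprotect_bind(void) { return build_bind(g_pdu, SPNT_UUID, 1, 0); }

/* 0 = context accepted, 1 = bind_ack but context rejected (wrong version?),
 * 2 = bind_nak, -1 = not a DCE/RPC bind reply at all. */
static int parse_bind_reply(const uint8_t *r, size_t n)
{
    if (n < 16 || r[0] != 5) return -1;
    if (r[2] == 13) return 2;
    if (r[2] != 12 || n < 26) return -1;
    size_t off = (26 + get16(r + 24) + 3) & ~(size_t)3;  /* skip sec_addr, align 4 */
    if (n < off + 8) return -1;
    return get16(r + off + 4) == 0 ? 0 : 1;              /* results[0].result */
}

/* Constructed replies (not captures): a bind_ack accepting context 0 with
 * sec_addr "5168", and a bind_nak with reason_not_specified. */
static const uint8_t sample_bind_ack[] = {
    0x05,0x00,0x0c,0x03,0x10,0x00,0x00,0x00, 0x3c,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0xb8,0x10, 0xb8,0x10, 0x34,0x12,0x00,0x00, 0x05,0x00,'5','1','6','8',0x00, 0x00,
    0x01,0x00,0x00,0x00, 0x00,0x00, 0x00,0x00,
    0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,0x2b,0x10,0x48,0x60,
    0x02,0x00,0x00,0x00 };
static const uint8_t sample_bind_nak[] = {
    0x05,0x00,0x0d,0x03,0x10,0x00,0x00,0x00, 0x12,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x00,0x00 };

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); return 2; }
    struct addrinfo hints, *ai;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(argv[1], argv[2], &hints, &ai) != 0) { fputs("resolve failed\n", stderr); return 2; }
    int fd = socket(ai->ai_family, SOCK_STREAM, 0);
    if (fd < 0 || connect(fd, ai->ai_addr, ai->ai_addrlen) < 0) { perror("connect"); return 2; }
    freeaddrinfo(ai);
    uint8_t reply[512];
    int len = build_serverprotect_bind();
    ssize_t n = send(fd, g_pdu, (size_t)len, 0) == len ? recv(fd, reply, sizeof reply, 0) : -1;
    close(fd);
    static const char *what[] = { "context accepted: ServerProtect RPC interface reachable",
        "bind_ack, context rejected (interface version?)", "bind_nak", "no DCE/RPC reply" };
    int v = n > 0 ? parse_bind_reply(reply, (size_t)n) : -1;
    printf("%s:%s -> %s\n", argv[1], argv[2], what[v < 0 ? 3 : v]);
    return v == 0 ? 0 : 1;
}
```

Build with cc -o spnt_bind spnt_bind.c and run ./spnt_bind host 5168 (and
again with 3628 for the Agent). A bind tells you only that the interface is
reachable, not whether Security Patch 4 is installed, so an accepted context
is a host to check, not a host confirmed vulnerable. A bind_ack whose context
is rejected on a port that otherwise answers usually means the assumed
interface version is wrong, and still indicates a DCE/RPC listener worth a
look.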

Vendor response:
Trend Micro has addressed these vulnerabilities with the release of
Security Patch 4 for ServerProtect. For more information consult the
release notes at the following URL:
http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt

CVE Information:
CVE-2007-4218
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218

Disclosure timeline:
06/14/2007 - Initial vendor notification
06/20/2007 - Initial vendor response
08/21/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs Security Advisories
(idlabs-advisories@idefense.com).
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587

========================================



DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
