[NT] Trend Micro ServerProtect Stack Overflow Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Trend Micro ServerProtect Stack Overflow Vulnerabilities
------------------------------------------------------------------------

SUMMARY

<https://imperia.trendmicro-europe.com/us/products/enterprise/serverprotect-for-microsoft-windows/index.html> Trend Micro ServerProtect - "Prevent viruses from spreading through your network by blocking them before they reach the end user."

Two stack overflow vulnerabilities has been discovered in Trend Micro
ServerProtect software.

DETAILS

Vulnerable Systems:
* ServerProtect version 5.58

TMregChange() Stack Overflow Vulnerability:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Trend Micro Server Protect. Authentication is
not required to exploit this vulnerability.

The specific flaw exists within the routine TMregChange() exported by
TMReg.dll which is reachable through the custom protocol subcode
"\x15\x00\x00\x00". The TCP socket bound to port 5005 receives
user-supplied data which is copied without proper bounds checking to a
stack-based buffer. Thereby resulting in an exploitable condition.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4731>
CVE-2007-4731

RPCFN_SetComputerName() Stack Overflow Vulnerability:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Trend Micro ServerProtect. Authentication is
not required to exploit this vulnerability.

The specific flaw is exposed through the RPC interface bound on TCP port
5168 and defined in SpntSvc.exe with the following UUID:
25288888-bd5b-11d1-9d53-0080c83a5c2c

The vulnerable function, RPCFN_SetComputerName(), is reached when the
custom protocols "subcode" is set to "\x30\x00\x0a\x00". Improper use of
the MultiByteToWideChar() API results in an exploitable stack based buffer
overflow.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4218>
CVE-2007-4218

Vendor Response:
Trend Micro has issued an update to correct this vulnerability -
ServerProtect5.58 Security Patch 4 - Build 1185. More details can be found
at:

<http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt> http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt

Disclosure Timeline:
* 2007.07.17 - Vulnerability reported to vendor
* 2007.09.07 - Digital Vaccine released to TippingPoint customers
* 2007.09.07 - Coordinated public release of advisory

ADDITIONAL INFORMATION

The information has been provided by ZDI-07-051, ZDI-07-050.
The original article(s) can be found at:
<http://www.zerodayinitiative.com/advisories/ZDI-07-050.html>

http://www.zerodayinitiative.com/advisories/ZDI-07-050.html

<http://www.zerodayinitiative.com/advisories/ZDI-07-051.html>

http://www.zerodayinitiative.com/advisories/ZDI-07-051.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.