TrendMicro Interscan Viruswall Directory Traversal ================================================= PROGRAM: TrendMicro Interscan Viruswall HOMEPAGE: http://www.trendmicro.com VULNERABLE VERSIONS: - 3.5x (Windows) - Unix/Solaris version is not tested but possibly vulnerable DESCRIPTION ================================================= InterScan VirusWall provides intelligent content scanning to prevent virus outbreaks. It blocks spam, non-business related messages, and attachments to protect enterprise network and business integrity. DETAILS ================================================= Interscan Web Viruswall, a part of Interscan Viruswall package, is a web proxy/gateway service that has a responsibility to scan virus "on-the-fly" before it reach the user browser. In Interscan Web Viruswall, there is a builtin mechanism that allows anybody to read files at the /ishttp/localweb directory by using such an URL: http://victimIP:8080/ishttpd/localweb/filename. Other URLs point to different directories (except sub-directories of "localweb") won't trigger the mechanism and will be forwarded to the proxy which the service is set up to. The reason there such a "feature" is because Interscan Web Viruswall has another feature (not turned on by default) called TeleWindow which uses an applet (/ishttpd/localweb/java/telewind.zip) to allow user to see the scanning process. Unfortunately, that built-in mini webserver has a directory traversal problem. By using such an URL like this, an evil genius ;-) can access to files outside the localweb directory: http://victimIP:8080/ishttpd/localweb/java/?/../../../ishttpd.exe will download the service executable file or http://24.128.159.50:8080/ishttpd/localweb/java/?/../../../../../../../../autoexec.bat will download the autoexec.bat file in the root directory. WORKAROUND ================================================= Administrators should be aware that even the TeleWindow feature is not turned on, the vulnerability can sill be exploited since the mini-webserver is hardcoded and it can't be turned off by using the configuration interface. Apply the patch from TrendMicro or temporarily stop using the Interscan Web Viruswall until the patch is issued. Update: The technical support email virus_doctor@trendmicro.com was sent an email concern about this problem. However, it has been 6 days and we haven't received any reponses yet. CREDITS ================================================= Discovered by Tri Huynh from SentryUnion DISLAIMER ================================================= The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. FEEDBACK ================================================= Please send suggestions, updates, and comments to: trihuynh@zeeup.com