CERT-In Advisory CIAD-2007-46
Multiple Buffer Overflow Vulnerabilities in Trend Micro ServerProtect.
Original issue date: August 24, 2007
Severity Rating: Medium
Systems Affected
Overview
Multiple buffer overflow vulnerabilities have been reported in Trend Micro ServerProtect which could be exploited by remote attackers to execute arbitrary code on the affected system with system level privilege.
Description
The Trend Micro ServerProtect service (SpntSvc.exe) handles RPC requests on TCP port 5168. The service uses the modules stcommon.dll, earthagent.exe, eng50.dll, StRpcSrv.dll and Notification.dll to handle these RPC requests.
1. stcommon.dll, earthagent.exe, eng50.dll, StRpcSrv.dll and Notification.dll Buffer Overflow Vulnerabilities (CVE-2007-4218)
Two buffer overflow vulnerabilities have been reported in stcommon.dll due to boundary errors in the functions RPCFN_CMON_SetSvcImpersonateUser and RPCFN_OldCMON_SetSvcImpersonateUser, which handle RPC calls. A remote attacker could exploit these vulnerabilities by sending specially crafted RPC requests to SpntSvc.exe on the default TCP port 5168 to execute arbitrary code on the affected system.
Three buffer overflow vulnerabilities have been reported in StRpcSrv.dll due to boundary errors in the functions RPCFN_ENG_TimedNewManualScan, RPCFN_SetComputerName and RPCFN_ENG_NewManualScan, which handle RPC calls. A remote attacker could exploit these vulnerabilities by sending specially crafted RPC requests to SpntSvc.exe on the default TCP port 5168 to execute arbitrary code on the affected system.
Two buffer overflow vulnerabilities have been reported in eng50.dll due to boundary errors in the functions RPCFN_ENG_TakeActionOnAFile and RPCFN_ENG_AddTaskExportLogItem, which handle RPC calls. A remote attacker could exploit these vulnerabilities by sending specially crafted RPC requests to SpntSvc.exe on the default TCP port 5168 to execute arbitrary code on the affected system.
Two buffer overflow vulnerabilities have been reported in earthagent.exe due to boundary errors in the functions RPCFN_EVENTBACK_DoHotFix and CMD_CHANGE_AGENT_REGISTER_INFO, which handle RPC calls. A remote attacker could exploit these vulnerabilities by sending specially crafted RPC requests to SpntSvc.exe on the default TCP port 5168 to execute arbitrary code on the affected system.
A buffer overflow vulnerability has been reported in Notification.dll due to a boundary error in the function NTF_SetPagerNotifyConfig, which handles RPC calls. A remote attacker could exploit this vulnerability by sending specially crafted RPC requests to SpntSvc.exe on the default TCP port 5168 to execute arbitrary code on the affected system.
A buffer overflow vulnerability has been reported in the Trend Micro ServerProtect Agent service due to a boundary error in the RPCFN_CopyAUSrc function. A remote attacker could exploit this vulnerability by sending specially crafted RPC requests to the Agent service on TCP port 3628 to execute arbitrary code on the affected system.
2. StRpcSrv.dll RPCFN_SYNC_TASK() function Integer Overflow Vulnerability (CVE-2007-4219)
An integer overflow vulnerability has been reported in StRpcSrv.dll due to a boundary error in the function RPCFN_SYNC_TASK, which handles RPC calls. A remote attacker could exploit this vulnerability by sending specially crafted RPC requests to SpntSvc.exe or the Trend Micro ServerProtect Agent service on the default TCP port 5168 to execute arbitrary code on the affected system.
Workarounds
- Block access to the vulnerable software from outside the network perimeter, specifically by blocking access to the ports used by the Trend Micro ServerProtect Agent service (3628/tcp) and the Trend Micro ServerProtect service (5168/tcp).
- Use host-based firewalls to restrict access to specific hosts within the network.
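One way to check that these restrictions are actually in force is to review the host firewall log for connections that were still allowed to the two service ports named in the Description (5168/tcp and 3628/tcp) from hosts outside the approved set. The following is an added example, not part of the CERT-In advisory or any vendor tooling; it assumes the Windows Firewall text log layout with a `#Fields:` header, and the log lines and the approved source address are constructed for illustration.

```python
import ipaddress

# Ports from the advisory: ServerProtect service and Agent service.
SERVERPROTECT_PORTS = {5168, 3628}

# Constructed sample in Windows Firewall log (pfirewall.log) layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-08-24 10:01:02 ALLOW TCP 10.0.5.10 10.0.5.20 49152 5168 0 - 0 0 0 - - - RECEIVE
2007-08-24 10:01:07 ALLOW TCP 192.0.2.44 10.0.5.20 40211 5168 0 - 0 0 0 - - - RECEIVE
2007-08-24 10:02:30 DROP TCP 198.51.100.7 10.0.5.20 51000 3628 48 S 1234 0 8192 - - - RECEIVE
2007-08-24 10:03:11 ALLOW TCP 10.0.9.77 10.0.5.20 50123 3628 0 - 0 0 0 - - - RECEIVE
2007-08-24 10:04:00 ALLOW TCP 192.0.2.44 10.0.5.20 40300 443 0 - 0 0 0 - - - RECEIVE
"""

def unexpected_allows(log_text, allowed_sources, ports=SERVERPROTECT_PORTS):
    """Return (time, src-ip, dst-port) for inbound TCP connections that the
    firewall allowed to a ServerProtect port from a non-approved source."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("action") != "ALLOW" or rec.get("protocol") != "TCP":
            continue
        if rec.get("path", "RECEIVE") != "RECEIVE":  # older logs lack "path"
            continue
        try:
            port = int(rec["dst-port"])
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue  # malformed or non-IP record
        if port in ports and not any(src in n for n in nets):
            findings.append((rec["date"] + " " + rec["time"], str(src), port))
    return findings

if __name__ == "__main__":
    for hit in unexpected_allows(SAMPLE_LOG, ["10.0.5.10/32"]):
        print("unexpected allowed connection:", hit)
```

Any result means a rule still admits traffic to the service from a host that was not approved, including internal hosts outside the management set.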
Solution
Apply appropriate patch provided by vendor.
Trend Micro
http://www.trendmicro.com/download
Vendor Information
Trend Micro
http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt
References
iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588
US-CERT
http://www.kb.cert.org/vuls/byid?searchview&query=spnt_558_win_en_securitypatch4
http://www.us-cert.gov/cas/techalerts/TA07-235A.html
Secunia
http://secunia.com/advisories/26523/
Security Focus
http://www.securityfocus.com/bid/25395
FrSirt
http://www.frsirt.com/english/advisories/2007/2934
CVE-Name
CVE-2007-4218
CVE-2007-4219
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
