-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FOR PUBLIC RELEASE

- ------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 0.3
2002-03-10
- ------------------------------------------------------------------------

The latest version of this document is available at
http://www.inside-security.de/vwall_cl0.html

A demo server and proof of concept code are available at
http://www.inside-security.de/vwall_cl0_poc.html

- -------------------------------------------------------------------------
Trend Micro InterScan VirusWall HTTP proxy content scanning circumvention
- -------------------------------------------------------------------------

Summary:

Trend Micro InterScan VirusWall contains an HTTP proxy that prevents users
from downloading virus-infected content by scanning the data received from
a web server before passing it to the client. However, in its default
configuration the HTTP proxy skips content scanning when a malicious web
server sends a modified HTTP header, thereby letting virus-infected content
pass.

Impact:

Users behind the VirusWall can unintentionally download virus-infected
content from a malicious web server without being protected by the
VirusWall.

Affected systems:

Trend Micro InterScan VirusWall 3.6

Releases tested:

Trend Micro InterScan VirusWall 3.6 for Red Hat Linux 6.2

Vendor status:

The vendor was informed on 2002-02-25 and replied that a major change in
the software would be needed to fix this issue. The vendor agreed with the
workaround suggested below and added the comment about the "server
timeout" setting.

Detailed description:

The Trend Micro InterScan VirusWall HTTP proxy has a configuration option
called "Skip scanning if Content-length equals 0". This option is enabled
by default and is mentioned, but not explained, in the administrator's
guide. It is presumably intended to avoid scanning "empty" web pages.
If this option is enabled and the proxy receives a document with real
content from a web server, but the HTTP header preceding it carries a
Content-Length field set to 0, the proxy passes the document to the client
without scanning it. The web server must, of course, have been modified to
return a zero Content-Length field when serving a virus-infected document.
This could be done, for example, by a malicious webmaster or by an intruder
who wants to trick users into downloading virus-infected content from the
site. Unfortunately, many web browsers, e.g. Netscape 4.7, Netscape 6 and
MSIE 6, ignore the zero Content-Length field in the HTTP header and still
download the document.

Proof of concept:

A modified server to demonstrate the vulnerability and proof of concept
source code are available at
http://www.inside-security.de/vwall_cl0_poc.html

The tests are done with the EICAR anti-virus test file. For more
information about the anti-virus test file, visit the European Institute
for Computer Anti-Virus Research (EICAR) at http://www.eicar.org/

Suggested workaround:

Disable the "Skip scanning if Content-length equals 0" option in the HTTP
proxy configuration using the VirusWall web administration interface. With
the option disabled, certain sites may display slowly; in that case the
"server timeout" value on the advanced configuration page should be set to
a smaller value.

Credits:

This vulnerability was found and documented by Jochen Thomas Bauer
<jtb@inside-security.de> and Boris Wesslowski <bw@inside-security.de> of
Inside Security GmbH, Stuttgart, Germany.

- ------------------------------------------------------------------------

(C) 2002 Inside Security GmbH

This notice may be redistributed freely provided that redistributed copies
are complete and unmodified, and include all date and version information.
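Worked example of the decision described in the detailed description above.
This is an added illustration, not Inside Security's proof of concept code
and not Trend Micro's implementation: it models a minimal HTTP proxy that
either honours a "skip scanning if Content-Length equals 0" option or scans
whatever bytes actually arrive. The raw responses are constructed inline,
the signature scanner is a toy stand-in for a real anti-virus engine (a
constructed marker string is used instead of the EICAR file), and all
function names are assumptions.

```python
# Added example, not the advisory's proof of concept. Models the
# "Skip scanning if Content-length equals 0" decision of an HTTP proxy
# over raw responses constructed here. SIGNATURE is a constructed marker
# standing in for a real AV pattern; all names are assumptions.

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"            # constructed, not EICAR
PAYLOAD = b"harmless preamble " + SIGNATURE + b"\n"  # constructed "infected" body


def build_response(body: bytes, content_length=None) -> bytes:
    """Build a raw HTTP/1.0 response.

    A malicious server passes content_length=0 while still sending a real
    body, which is exactly the trick the advisory describes.
    """
    if content_length is None:
        content_length = len(body)
    head = (
        "HTTP/1.0 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def parse_response(raw: bytes):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def scan(body: bytes) -> bool:
    """Toy scanner: True ("infected") if the constructed signature is present."""
    return SIGNATURE in body


def proxy_decision(raw: bytes, skip_if_content_length_zero: bool) -> str:
    """What the modelled proxy does with a response.

    'forwarded-unscanned'  header said 0, option on, body never inspected
    'forwarded-clean'      scanned, nothing found
    'blocked'              scanned, signature found
    """
    _, headers, body = parse_response(raw)
    if skip_if_content_length_zero and headers.get("content-length") == "0":
        return "forwarded-unscanned"   # vulnerable path: trusts the header
    return "blocked" if scan(body) else "forwarded-clean"


def hardened_decision(raw: bytes) -> str:
    """Safer variant: trust the bytes received, not the declared length.

    Skipping is only allowed when the body really is empty, and a
    Content-Length that disagrees with the body is treated as hostile.
    """
    _, headers, body = parse_response(raw)
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        return "blocked-length-mismatch"
    if not body:
        return "forwarded-empty"
    return "blocked" if scan(body) else "forwarded-clean"


if __name__ == "__main__":
    malicious = build_response(PAYLOAD, content_length=0)  # lies about length
    honest = build_response(PAYLOAD)                        # correct length
    for label, raw in (("malicious", malicious), ("honest", honest)):
        print(f"{label:9s} option on : {proxy_decision(raw, True)}")
        print(f"{label:9s} option off: {proxy_decision(raw, False)}")
        print(f"{label:9s} hardened  : {hardened_decision(raw)}")
```

Running the block prints the three decisions for both the honestly labelled
and the zero-length-labelled response. With the option on, the lying
response is forwarded without ever being scanned; with the option off (the
workaround above) or with the hardened variant, it is blocked.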
ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED
AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. IN NO EVENT WILL
INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR
DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES
HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE
USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY
BULLETIN, EVEN IF INSIDE SECURITY GMBH HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.

- ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE8jKGpjZjTvnUSw/YRAoeYAJ9Xn8chqRdXGs1cWoFrhw0qCrbGTwCdFn7d
CN6rvogObY5ug4/PowuS1pQ=
=RGX9
-----END PGP SIGNATURE-----