Bypassing TrendMicro InterScan VirusWall
Overview
According to our tests, TrendMicro VirusWall can be bypassed when using:
*	HTTP 1.1 chunked transfer encoding.
*	HTTP 1.0 gzip content encoding, for Windows platforms only.
Description
While HTTP/1.0 includes the Content-Encoding header, which indicates the
end-to-end content-coding(s) used for a message, HTTP/1.1 adds the
Transfer-Encoding header, which indicates the hop-by-hop transfer-coding(s)
used for a message. Thus, compression can be done either as a
content-encoding or as a transfer-encoding.
	The gzip Content Encoding
	Downloading a zipped file doesn't mean that the gzip
content-encoding is used. In this case you will get a response whose
content-type is application/zip (see the zip-file.txt trace). In the following
examples, our web server is configured to use the gzip content-encoding.
	The Chunked Transfer Encoding
	With the HTTP 1.1 chunked transfer encoding, the sender breaks the
message body into chunks of arbitrary length, and each chunk is sent with
its length prepended. The chunked transfer encoding is used when the HTTP
server does not know the response message length, which is always the case
when using gzip compression.
	Proxy chaining may use HTTP 1.1 when:
*	your MS Internet Explorer is configured to use it (see advanced
options)
*	your proxy chaining architecture requires HTTP 1.1 for performance
reasons
Vulnerable systems
*	InterScan VirusWall 3.6 on Red Hat 7.0 is vulnerable to the chunked
transfer encoding.
*	InterScan VirusWall 3.52 on Windows is vulnerable to both the chunked
transfer encoding and the gzip content encoding.
Impact
Although TrendMicro InterScan VirusWall 3.x is not supposed to support HTTP
1.1, malicious files are correctly blocked over HTTP 1.1 without the chunked
transfer encoding. So, many users are probably using HTTP 1.1, leaving
their systems vulnerable to virus or trojan attacks.
Windows users may download any virus located on a web server that uses the
HTTP 1.0 gzip content encoding.
Solutions
*	Use HTTP 1.0 for proxy chaining
*	According to TrendMicro, InterScan VirusWall version 5 should support
the HTTP 1.1 Chunked Transfer Encoding and is not vulnerable.
Test it

	If you are protected by TrendMicro InterScan VirusWall, you can test
it on http://www.althes.fr/virustest/index.html

Regards,
Vincent Royer
Althes.






*---------------------------------------------------------------*
* This e-mail and all attachments are intended solely for the   *
* persons to whom they are specifically addressed, and commit   *
* only the signatory of these documents and not the             *
* organisation to which he belongs.                             *
* Their existence and their content are confidential.           *
* Any unauthorised use or distribution is prohibited.           *
* If you have received this e-mail, or hold it without being    *
* its intended recipient, we ask you to inform us immediately.  *
* This note certifies that this message has been checked and    *
* contained no virus known to date; nevertheless, any           *
* electronic message is susceptible to alteration.              *
* We decline all responsibility for this message if it has      *
* been altered, distorted or falsified.                         *
*---------------------------------------------------------------*
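The mechanism the post describes, as an added example that is not part of the original message or of any TrendMicro code: a raw HTTP response is built for a constructed sample file, once with a Content-Length body, once with HTTP/1.1 chunked transfer-coding, and once with gzip content-coding. A scanner that pattern-matches the bytes on the wire finds the sample signature only in the plain response, because chunk-size lines are interleaved with the payload and gzip rewrites it entirely; a scanner that first applies the transfer-decoding and then the content-decoding finds it in all three. The signature string, the payload, the chunk size and the scanner functions are all assumptions made for the example.

```python
import gzip

# Constructed sample "file" standing in for something the proxy should block.
# The signature string is an assumption for this example, not a real AV pattern.
SIGNATURE = b"BLOCKME-TEST-SIGNATURE"
PAYLOAD = b"A harmless header line\n" * 4 + SIGNATURE + b"\n" + b"padding " * 8


def chunked_body(data: bytes, chunk_size: int) -> bytes:
    """Encode data with the HTTP/1.1 chunked transfer-coding:
    hex size, CRLF, chunk data, CRLF, ..., then a zero-size last chunk."""
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += b"%x\r\n" % len(chunk) + chunk + b"\r\n"
    out += b"0\r\n\r\n"  # last-chunk followed by an empty trailer
    return bytes(out)


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body; raises ValueError on malformed framing."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size_field = body[pos:end].split(b";", 1)[0]  # drop chunk-extensions
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("bad chunk terminator")
        pos += size + 2
    return bytes(out)


def build_response(data: bytes, use_gzip: bool, use_chunked: bool,
                   chunk_size: int = 7) -> bytes:
    """Build the raw response a web server would emit for the given codings.
    The chunk size (7) is chosen so that chunk framing lands inside the
    signature, which is what defeats a byte-matching scanner."""
    body = gzip.compress(data) if use_gzip else data
    headers = [b"HTTP/1.1 200 OK" if use_chunked else b"HTTP/1.0 200 OK",
               b"Content-Type: application/octet-stream"]
    if use_gzip:
        headers.append(b"Content-Encoding: gzip")
    if use_chunked:
        headers.append(b"Transfer-Encoding: chunked")
        body = chunked_body(body, chunk_size)
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def split_response(raw: bytes):
    """Return (lower-cased header dict, body bytes) for a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def naive_scan(raw: bytes) -> bool:
    """Scanner that matches the wire bytes without decoding them (the
    behaviour the post attributes to a proxy that does not handle HTTP 1.1)."""
    return SIGNATURE in raw


def decoding_scan(raw: bytes) -> bool:
    """Scanner that removes the transfer-coding, then the content-coding,
    and only then matches the signature."""
    headers, body = split_response(raw)
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return SIGNATURE in body


if __name__ == "__main__":
    for use_gzip, use_chunked in [(False, False), (False, True),
                                  (True, False), (True, True)]:
        raw = build_response(PAYLOAD, use_gzip, use_chunked)
        print("gzip=%-5s chunked=%-5s naive=%-5s decoding=%s"
              % (use_gzip, use_chunked, naive_scan(raw), decoding_scan(raw)))
```

The order of the two decoding steps matters: the transfer-coding is applied last by the sender, so it must be removed first by the receiver, and only then can the gzip content-coding be undone. A byte-matching scanner would still catch a chunked response whose chunk size happens to be larger than the signature, so the defence is not a bigger pattern window but decoding the message before matching, which is what the post says version 5 was expected to do.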

