Greetings!

A quite well-known (i.e. ancient) type of proxy vulnerability was found in TrendMicro's InterScan VirusWall V3.6.

This general problem has been known to be an issue with plain HTTP proxies like Squid for ages (e.g. http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.14).

The vulnerability can be exploited using the CONNECT method to connect to a different server, e.g. an internal mail server, as port usage is completely unrestricted by the ISVW proxies V3.6.

Example:

    you                 = 6.6.6.666
    Trendmicro ISVW     = 1.1.1.1 (HTTP proxy at port 80)
    Internal mailserver = 2.2.2.2

Connect with "telnet 1.1.1.1 80" to the ISVW proxy and enter

    CONNECT 2.2.2.2:25 / HTTP/1.0

Response: mail server banner, and a running SMTP session, e.g. to send spam from.

You can connect to any TCP port on any machine the proxy can connect to: Telnet, SMTP, POP, etc.

Solution:
Update to ISVW 3.7 Build 1190 or newer (available for some weeks now).

Temporary workarounds:
- Disable the HTTP proxy (safe but inconvenient).
- You have a firewall that prevents unauthorized access to the Trend ISVW proxy, don't you?

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
volker.tanger@discon.de
http://www.discon.de/
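
The restriction whose absence the advisory describes, as an added example (not part of the original advisory and not Trend Micro's code): a Python check that a proxy, or a reviewer going through proxy logs, could apply to a CONNECT request line. The port allowlist and the protected networks are assumptions; 2.2.2.0/24 stands in for the advisory's placeholder internal mail server.

```python
import ipaddress

# Assumptions (not from the advisory): CONNECT is only needed for TLS, so
# only these ports may be tunnelled; the protected ranges are loopback and
# private networks, plus 2.2.2.0/24 because the advisory uses 2.2.2.2 as the
# placeholder address of the internal mail server.
ALLOWED_PORTS = {443, 563}
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "2.2.2.0/24")]


def check_connect(request_line):
    """Return (allowed, reason) for one HTTP request line seen by the proxy."""
    parts = request_line.split()
    if len(parts) < 3 or parts[0].upper() != "CONNECT":
        return (False, "not a well-formed CONNECT request")
    host, sep, port_text = parts[1].rpartition(":")
    if not sep or not host or not port_text.isdecimal():
        return (False, "target must be host:port")
    port = int(port_text)
    if port not in ALLOWED_PORTS:
        return (False, f"port {port} is not an allowed tunnel port")
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # accept [v6] literals
    except ValueError:
        # Hostname: a real proxy must repeat the network check on the
        # address it resolves to; this sketch only judges literals.
        return (True, "allowed (hostname, re-check after resolution)")
    if any(addr in net for net in PROTECTED_NETS):
        return (False, f"{addr} is in a protected network")
    return (True, "allowed")


# Constructed request lines; the first is the one quoted in the advisory.
SAMPLES = [
    "CONNECT 2.2.2.2:25 / HTTP/1.0",
    "CONNECT 2.2.2.2:443 HTTP/1.0",
    "CONNECT 192.0.2.10:443 HTTP/1.0",
    "CONNECT example.org:443 HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        allowed, reason = check_connect(line)
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {line!r}: {reason}")
```

The port check alone stops the SMTP tunnel from the advisory; the network check covers an internal service that happens to listen on an allowed port.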