---------------------------------------------------------------------------- - Texonet Security Advisory 20021210 ---------------------------------------------------------------------------- - Advisory ID : TEXONET-20021210 Authors : Joel Soderberg and Christer Oberg (advisories@texonet.com) Issue date : 12-10-2002 Application : PC-cillin (OfficeScan Corp. Edition 5.02) Version(s) : 2000, 2002 and 2003 Platforms : Windows 98/ME/2000/XP Availability : http://www.texonet.com/advisories/TEXONET-20021210.txt ---------------------------------------------------------------------------- - Problem: ---------------------------------------------------------------------------- - PC-cillin has an unchecked buffer in pop3trap.exe Description: ---------------------------------------------------------------------------- - PC-cillin comes with a mail scanning feature that scans all incoming mail for viruses, this is accomplished by connecting the mail client to a local service listening on port 110 (pop3). This service is only listening for connections from the local machine and acts as a proxy. The program running this service is pop3trap.exe. Connecting to the local port 110 and sending a lot of characters will crash the program with a direct hit on the EIP, this makes it possible to run malicious code. The code will be run using the privileges of the user owning the pop3trap.exe process. Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110 Example 2: http://127.0.0.1:110/[put 1100 a's here] Workaround: ---------------------------------------------------------------------------- - Download the appropriate Service Pack from: http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982 Disclosure Timeline: ---------------------------------------------------------------------------- - 11/14/2002: Vendor notified by e-mail 11/15/2002: Standard support reply received from vendor 11/15/2002: Requested contact information from vendor 11/15/2002: Reply received from vendor with contact recommendations 11/15/2002: Advisory sent in accordance to vendors recommendations 11/21/2002: Vendor has verified the issue and is working on the solution 12/10/2002: Issue released to the public About Texonet: ---------------------------------------------------------------------------- - Texonet is a Swedish based security company with a focus on penetration testing / security assessments, research and development. Contacting Texonet: ---------------------------------------------------------------------------- - E-mail: advisories@texonet.com Homepage: http://www.texonet.com/ Phone: +46-8-55174611
----------------------------------------------------------------------------- Texonet Security Advisory 20021210 ----------------------------------------------------------------------------- Advisory ID : TEXONET-20021210 Authors : Joel Soderberg and Christer Oberg (advisories@texonet.com) Issue date : 12-10-2002 Application : PC-cillin (OfficeScan Corp. Edition 5.02) Version(s) : 2000, 2002 and 2003 Platforms : Windows 98/ME/2000/XP Availability : http://www.texonet.com/advisories/TEXONET-20021210.txt ----------------------------------------------------------------------------- Problem: ----------------------------------------------------------------------------- PC-cillin has an unchecked buffer in pop3trap.exe Description: ----------------------------------------------------------------------------- PC-cillin comes with a mail scanning feature that scans all incoming mail for viruses, this is accomplished by connecting the mail client to a local service listening on port 110 (pop3). This service is only listening for connections from the local machine and acts as a proxy. The program running this service is pop3trap.exe. Connecting to the local port 110 and sending a lot of characters will crash the program with a direct hit on the EIP, this makes it possible to run malicious code. The code will be run using the privileges of the user owning the pop3trap.exe process. Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110 Example 2: http://127.0.0.1:110/[put 1100 a's here] Workaround: ----------------------------------------------------------------------------- Download the appropriate Service Pack from: http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982 Disclosure Timeline: ----------------------------------------------------------------------------- 11/14/2002: Vendor notified by e-mail 11/15/2002: Standard support reply received from vendor 11/15/2002: Requested contact information from vendor 11/15/2002: Reply received from vendor with contact recommendations 11/15/2002: Advisory sent in accordance to vendors recommendations 11/21/2002: Vendor has verified the issue and is working on the solution 12/10/2002: Issue released to the public About Texonet: ----------------------------------------------------------------------------- Texonet is a Swedish based security company with a focus on penetration testing / security assessments, research and development. Contacting Texonet: ----------------------------------------------------------------------------- E-mail: advisories@texonet.com Homepage: http://www.texonet.com/ Phone: +46-8-55174611
