Trend Micro ServerProtect SPNTSVC.EXE Multiple Stack Buffer Overflow Vulnerabilities
BID:22639
Info
| Bugtraq ID: | 22639 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-1070 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 20 2007 12:00AM |
| Updated: | Sep 06 2007 06:32PM |
| Credit: | Pedram Amini of the TippingPoint Security Research Team is credited with the discovery of these vulnerabilities. |
| Vulnerable: | Trend Micro ServerProtect for Windows 5.58; Trend Micro ServerProtect for Network Appliance Filer 5.62; Trend Micro ServerProtect for Network Appliance Filer 5.61; Trend Micro ServerProtect for EMC 5.58 |
| Not Vulnerable: | |
Discussion
Trend Micro ServerProtect is prone to multiple remote stack-based buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting these issues allows attackers to execute arbitrary machine code with SYSTEM-level privileges.
Exploit / POC
The following exploit is available to members of the Immunity Partner's program:
https://www.immunityinc.com/downloads/immpartners/tm_sprotect.tar
UPDATE (August 23, 2007): Symantec has confirmed that the issue affecting the 'ENG_SetRealTimeScanConfigInfo()' routine is actively being exploited in the wild. After leveraging the issue, the exploit code downloads malicious DLLs from IP address 61.129.11.73 over port 1000. Block access to this IP address at the network boundary to reduce the impact of successful attacks.
The W32.Spybot.ATZN worm is known to use this vulnerability.
The following exploit has been released.
Solution / Fix
Solution:
The vendor has released fixes to address these issues. Please see the references for more information.
Trend Micro ServerProtect for Windows 5.58
- Trend Micro spnt_558_win_en_securitypatch1.exe
  http://www.trendmicro.com/ftp/products/patches/spnt_558_win_en_securitypatch1.exe
References
References:
- Trend Micro Homepage (Trend Micro)
- TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilitie (Tipping Point)
- TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities (Tipping Point)
- [Vulnerability Response] Buffer overflow in ServerProtect (Trend Micro)
- Vulnerability Note VU#349393 - Trend Micro ServerProtect ENG_SendEMail() stack b (US-CERT)
- Vulnerability Note VU#466609 - Trend Micro ServerProtect STCommon stack buffer o (US-CERT)
- Vulnerability Note VU#630025 - Trend Micro ServerProtect fails ENG_SetRealTimeSc (US-CERT)
- Vulnerability Note VU#730433 - Trend Micro ServerProtect CMON_NetTestConnection( (US-CERT)