J-Security Center

Title: Trend Micro ServerProtect SPNTSVC.EXE Multiple Stack Buffer Overflow Vulnerabilities

Severity: CRITICAL

Description:

Trend Micro ServerProtect is an antivirus application designed specifically for servers.

ServerProtect is prone to multiple remote stack-based buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. These issues affect:

- The 'CMON_NetTestConnection()' routine, where arbitrary, unbounded data passed to a 'wsprintf()' call is formatted into a 44-byte stack buffer.

- The 'CMON_ActiveUpdate()' and 'CMON_ActiveRollback()' routines, where arbitrary, unbounded data is appended via 'lstrcat()' calls into a 2-kilobyte stack buffer.

- The 'ENG_SetRealTimeScanConfigInfo()' routine, where arbitrary, unbounded data is copied by a '_wscpy()' string-copy call into a stack buffer of about 600 bytes.

- The 'ENG_SendEmail()' routine, where arbitrary, unbounded data is copied by a '_wscpy()' string-copy call into a stack buffer of about 2 kilobytes.

These issues reside in the 'StCommon.dll' and 'eng50.dll' libraries, which are loaded by the 'SpntSvc.exe' service.

An attacker can exploit these issues by sending specially crafted data to the service's RPC endpoint on TCP port 5168. No authentication is required to reach the affected routines.

Successful exploitation allows attackers to execute arbitrary machine code with SYSTEM-level privileges, since 'SpntSvc.exe' runs in that context.
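The pattern behind all four issues is the same: an RPC-supplied string is formatted or concatenated into a fixed-size stack buffer with no length check. The following is an added, illustrative example (not Trend Micro's code): a hypothetical stand-in for the vulnerable 'wsprintf()' pattern, beside bounded replacements for the 'wsprintf()', 'lstrcat()' and wide-string copies. Buffer sizes are taken from the advisory; the function names 'nettest_*', 'build_update_cmd', 'set_rtscan_config' and the 'a_string' probe helpers are assumptions for the example, and 'sprintf()'/'snprintf()' stand in for the Windows 'wsprintf()' so it compiles anywhere.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Buffer sizes as stated in the advisory. */
#define NETTEST_BUF   44    /* CMON_NetTestConnection(): wsprintf() target        */
#define UPDATE_BUF    2048  /* CMON_ActiveUpdate()/Rollback(): lstrcat() target   */
#define RTSCAN_WCHARS 300   /* ENG_SetRealTimeScanConfigInfo(): ~600 bytes UTF-16 */

/* Vulnerable pattern (hypothetical stand-in, not the real routine): the
 * RPC-supplied host name is formatted straight into a fixed stack buffer.
 * sprintf() stands in for wsprintf(); neither knows the buffer size, so a
 * host longer than 38 bytes runs past the end of buf and over the saved
 * return address. Never pass untrusted input to this function. */
int nettest_vulnerable(const char *host)
{
    char buf[NETTEST_BUF];
    sprintf(buf, "ping %s", host);
    return (int)strlen(buf);
}

/* Hardened form: check the length before formatting and use a size-aware
 * formatter. Returns the formatted length, or -1 if the input is rejected. */
int nettest_hardened(const char *host)
{
    char buf[NETTEST_BUF];
    const size_t prefix = strlen("ping ");
    if (host == NULL || strlen(host) >= sizeof(buf) - prefix)
        return -1;
    int n = snprintf(buf, sizeof(buf), "ping %s", host);
    return (n < 0 || (size_t)n >= sizeof(buf)) ? -1 : n;
}

/* Bounded replacement for lstrcat(): appends src only if it fits together
 * with the terminator. Returns 0 on success, -1 if it would overflow. */
int bounded_cat(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst), add = strlen(src);
    if (used >= dst_size || add >= dst_size - used)
        return -1;
    memcpy(dst + used, src, add + 1);
    return 0;
}

/* Hypothetical CMON_ActiveUpdate()-style builder: joins two RPC-supplied
 * strings into a 2 KB buffer, refusing anything that does not fit. */
int build_update_cmd(const char *server, const char *path)
{
    char cmd[UPDATE_BUF] = "";
    if (bounded_cat(cmd, sizeof cmd, server) || bounded_cat(cmd, sizeof cmd, "/") ||
        bounded_cat(cmd, sizeof cmd, path))
        return -1;
    return (int)strlen(cmd);
}

/* Bounded wide-string copy for the ENG_* routines. Returns the copied
 * length, or -1 when the source would not fit with its terminator. */
int bounded_wcopy(wchar_t *dst, size_t dst_count, const wchar_t *src)
{
    size_t len = wcslen(src);
    if (len >= dst_count)
        return -1;
    wmemcpy(dst, src, len + 1);
    return (int)len;
}

int set_rtscan_config(const wchar_t *exclusion_path)
{
    wchar_t buf[RTSCAN_WCHARS];
    return bounded_wcopy(buf, RTSCAN_WCHARS, exclusion_path);
}

/* Attacker-style probes (constructed test input): runs of 'A' of a chosen
 * length, with two independent static slots so one call can supply both
 * arguments of build_update_cmd(). */
const char *a_string(size_t n, int slot)
{
    static char bufs[2][4096];
    if (n > 4095) n = 4095;
    memset(bufs[slot & 1], 'A', n);
    bufs[slot & 1][n] = '\0';
    return bufs[slot & 1];
}

const wchar_t *a_wstring(size_t n)
{
    static wchar_t buf[1024];
    if (n > 1023) n = 1023;
    wmemset(buf, L'A', n);
    buf[n] = L'\0';
    return buf;
}

int main(void)
{
    printf("38-byte host: %d, 39-byte host: %d\n",
           nettest_hardened(a_string(38, 0)), nettest_hardened(a_string(39, 0)));
    printf("update cmd: %d, oversized: %d\n",
           build_update_cmd(a_string(1000, 0), a_string(1046, 1)),
           build_update_cmd(a_string(1000, 0), a_string(1047, 1)));
    return 0;
}
```

The check in each hardened routine is deliberately "reject if it does not fit" rather than silent truncation: a truncated update path or exclusion list is itself a logic bug, and a refused request surfaces the malformed input to the caller.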

UPDATE (August 23, 2007): Symantec has confirmed that the issue affecting the 'ENG_SetRealTimeScanConfigInfo()' routine is being actively exploited in the wild. After exploiting the issue, the exploit code downloads malicious DLLs from IP address 61.129.11.73 over TCP port 1000. Block access to this IP address at the network boundary to reduce the impact of successful attacks; note that this blocks only the observed payload download, not the initial exploitation over port 5168.

Affected Products:

  • Trend Micro ServerProtect for EMC 5.58
  • Trend Micro ServerProtect for Network Appliance Filer 5.61
  • Trend Micro ServerProtect for Network Appliance Filer 5.62
  • Trend Micro ServerProtect for Windows 5.58

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.