Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Trend Micro ServerProtect RPCFN_SYNC_TASK Integer Overflow Vulnerab

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Trend Micro ServerProtect RPCFN_SYNC_TASK Integer Overflow Vulnerability
Date: 22 Aug 2007 11:03:09 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Trend Micro ServerProtect RPCFN_SYNC_TASK Integer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

Trend Micro Inc.'s  
<http://us.trendmicro.com/us/products/enterprise/serverprotect-for-microsoft-windows/index.html>
 ServerProtect is "an anti-virus software for Microsoft Windows and Novell 
NetWare servers. It enables network administrators to manage multiple 
deployments from a single management console". Remote exploitation of an 
integer overflow vulnerability in Trend Micro Inc.'s ServerProtect anti-virus 
software could allow attackers to execute arbitrary code with system level 
privilege.

DETAILS

Vulnerable Systems:
 * Trend Micro ServerProtect for Windows version 5.58 Build 1176 (Security 
Patch 3)

Immune Systems:
 * Trend Micro ServerProtect for Windows Security Patch 4

The Trend ServerProtect service (SpntSvc.exe) handles RPC requests on TCP 
port 5168 with interface uuid 25288888-bd5b-11d1-9d53-0080c83a5c2c. This 
service utilizes the StRpcSrv.dll library to service various RPC requests.

An integer overflow exists wtihin the RPCFN_SYNC_TASK function. This 
function allocates memory based on a user-supplied integer within the 
request data. By specifying a value that causes an integer overflow during 
arithmetic calculations, an attacker can cause too little memory to be 
allocated. User-supplied data is then copied into the resulting buffer 
using lstrcpyW. This results in an exploitable heap buffer overflow.

Analysis:
Exploitation allows attackers to execute arbitrary code with system level 
privilege.

Exploitation requires that attackers send specially crafted RPC requests 
to the Trend ServerProtect or Trend ServerProtect Agent services.

Vendor response:
Trend Micro has addressed these vulnerabilities with the release of 
Security Patch 4 for ServerProtect. For more information consult the 
release notes at the following URL:  
<http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt>
 
http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4219> 
CVE-2007-4219

Disclosure timeline:
06/14/2007 - Initial vendor notification
06/20/2007 - Initial vendor response
08/21/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Trend Micro ServerProtect RPCFN_SYNC_TASK Integer Overflow Vulnerability, SecuriTeam <=
Previous by Date:  [NT] Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities, SecuriTeam
Next by Date:  [NT] ESRI ArcSDE Numeric Literal Buffer Overflow Vulnerability, SecuriTeam
Previous by Thread:  [NT] Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities, SecuriTeam
Next by Thread:  [NT] ESRI ArcSDE Numeric Literal Buffer Overflow Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]