TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities http://www.tippingpoint.com/security/advisories/TSRT-07-01.html February 20, 2007 -- CVE ID: CVE-2007-1070 -- Affected Vendor: Trend Micro -- Affected Products: ServerProtect for Windows 5.58 ServerProtect for EMC 5.58 ServerProtect for Network Appliance Filer 5.61 ServerProtect for Network Appliance Filer 5.62 -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since January 16, 2007 by Digital Vaccine protection filter ID 5050. For further product information on the TippingPoint IPS: http://www.tippingpoint.com -- Vulnerability Details: These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities. The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information: // opcode: 0x00, address: 0x65741030 // uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c // version: 1.0 error_status_t rpc_opnum_0 ( [in] handle_t arg_1, [in] long trend_req_num, [in][size_is(arg_4)] byte overflow_str[], [in] long arg_4, [out][size_is(arg_6)] byte arg_5[], [in] long arg_6 ); The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x000a which results in a call to StRpcSrv.65673970(). The original arguments to the RPC endpoint are then passed to this called routine: 657416E6 mov eax, opnum0_call_table[eax*4] 657416ED test eax, eax 657416EF jnz short loc_65741707 ... 65741707 loc_65741707: 65741707 mov [ebp+var_4], 0 6574170E mov edx, [ebp+sizeof_arg5] 65741711 push edx 65741712 mov edx, [ebp+arg5_array] 65741715 push edx 65741716 mov edx, [ebp+sizeof_overflow_str] 65741719 push edx 6574171A mov edx, [ebp+overflow_str] 6574171D push edx 6574171E push ecx ; trend_req_num 6574171F call eax ; call handler The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereto referred to as the 'subcode'. --[ Vulnerability One A subcode value of either 0x0011 or 0x0017 results in the following call: 65674D7F push ebx ; overflow_str 65674D80 call CMON_NetTestConnection A stack overflow occurs within the routine CMON_NetTestConnection() due to an unbounded widechar wsprintf() into a 44 byte stack based buffer as shown in the following relevant excerpt: 65634AC5 xor ecx, ecx 65634AC7 lea edx, [esp+65Ch+Name] ; 44 byte stack buffer 65634ACB mov cx, [eax] 65634ACE push ecx 65634ACF push ebx ; 1st arg 65634AD0 push offset str_SC ; "\\\\%s\\%c$" 65634AD5 push edx ; LPWSTR 65634AD6 call ds:wsprintfW ; vuln! --[ Vulnerability Two A subcode value of either 0x0008 or 0x0009 results in calls to CMON_ActiveUpdate() and CMON_ActiveRollback() respectively. Both of these routines subsequently call StCommon.65631220() which can result in a stack overflow due to an unbounded widechar lstrcat() into a 2k stack-based buffer as shown in the following relevant excerpt: 65631311 lea edx, [esp+0A78h+buf] 65631318 push ebp ; lpString2 65631319 push edx ; lpString1 6563131A call ebx ; lstrcatW ; stack overflow The resulting stack overflows can be leveraged to execute arbitrary code under the privileges of the SYSTEM user. -- Vendor Response: Trend Micro has issued an update to correct this vulnerability. More details can be found at: http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290 -- Disclosure Timeline: 2007.01.16 - Digital Vaccine released to TippingPoint customers 2007.01.19 - Vulnerability reported to vendor 2007.02.20 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.