---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/ ---------------------------------------------------------------------- TITLE: Trend Micro ServerProtect Multiple Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA26523 VERIFY ADVISORY: http://secunia.com/advisories/26523/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: Trend Micro ServerProtect for Windows/NetWare 5.x http://secunia.com/product/1153/ DESCRIPTION: Some vulnerabilities have been reported in Trend Micro ServerProtect, which can be exploited by malicious people to compromise a vulnerable system. 1) An integer overflow error within the RPCFN_SYNC_TASK function in StRpcSrv.dll can be exploited to cause a heap-based buffer overflow via a specially crafted RPC request to SpntSvc.exe on default port 5168/TCP. 2) Boundary errors within the RPCFN_ENG_NewManualScan, RPCFN_ENG_TimedNewManualScan, and RPCFN_SetComputerName functions in StRpcSrv.dll can be exploited to cause stack-based buffer overflows via specially crafted RPC requests to SpntSvc.exe on default port 5168/TCP. 3) Boundary errors within the RPCFN_CMON_SetSvcImpersonateUser and RPCFN_OldCMON_SetSvcImpersonateUser functions in Stcommon.dll can be exploited to cause stack-based buffer overflows via specially crafted RPC requests to SpntSvc.exe on default port 5168/TCP. 4) Boundary errors within the RPCFN_ENG_TakeActionOnAFile and RPCFN_ENG_AddTaskExportLogItem functions in Eng50.dll can be exploited to cause heap- and stack-based buffer overflows via specially crafted RPC requests to SpntSvc.exe on default port 5168/TCP. 5) A boundary error within the NTF_SetPagerNotifyConfig function in Notification.dll can be exploited to cause a stack-based buffer overflow via a specially crafted RPC request to SpntSvc.exe on default port 5168/TCP. 6) A boundary error within the RPCFN_CopyAUSrc function in the Trend ServerProtect Agent service can be exploited to cause a stack-based buffer overflow via a specially crafted RPC request sent to default port 3628/TCP. 7) Boundary errors within the RPCFN_EVENTBACK_DoHotFix and CMD_CHANGE_AGENT_REGISTER_INFO in earthagent.exe can be exploited to cause buffer overflows. Successful exploitation of the vulnerabilities allows execution of arbitrary code. The vulnerabilities are reported in ServerProtect for Windows version 5.58 Build 1176. Other versions may also be affected. SOLUTION: Apply Security Patch 4 - Build 1185. http://www.trendmicro.com/ftp/products/patches/spnt_558_win_en_securitypatch4.exe PROVIDED AND/OR DISCOVERED BY: 1-6) Reported via iDefense Labs by: * Code Audit Labs * Two anonymous researchers * Jun Mao, iDefense Labs 7) Reported by the vendor. ORIGINAL ADVISORY: Trend Micro: http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------