Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=588
Vulnerable Systems:
* Trend Micro ServerProtect for Windows version 5.58 Build 1176 (Security Patch 3)
Immune Systems:
* Trend Micro ServerProtect for Windows Security Patch 4
The Trend ServerProtect service (SpntSvc.exe) handles RPC requests on TCP port 5168 with interface uuid 25288888-bd5b-11d1-9d53-0080c83a5c2c. This service utilizes the StRpcSrv.dll library to service various RPC requests.
An integer overflow exists within the RPCFN_SYNC_TASK function. This function allocates memory based on a user-supplied integer within the request data. By specifying a value that causes an integer overflow during arithmetic calculations, an attacker can cause too little memory to be allocated. User-supplied data is then copied into the resulting buffer using lstrcpyW. This results in an exploitable heap buffer overflow.
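The advisory does not give the exact arithmetic performed in RPCFN_SYNC_TASK. The following added example (not code from the advisory or from Trend Micro) shows the bug class with an assumed 32-bit size calculation, count * 2 plus a hypothetical 8-byte header, next to a checked version; the names unchecked_size, checked_copy and HDR_BYTES are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BYTES 8u   /* hypothetical fixed header in front of the string */

/* Unchecked pattern: byte size computed in 32-bit arithmetic from a
 * count taken from the request. Returns the size that would be passed
 * to the allocator; large counts wrap to a small value. */
uint32_t unchecked_size(uint32_t count)
{
    return count * (uint32_t)sizeof(uint16_t) + HDR_BYTES;
}

/* Checked pattern: reject counts whose byte size cannot be represented,
 * and reject a source longer than the declared count.
 * Returns 0 and sets *out on success, -1 on rejection. */
int checked_copy(uint32_t count, const uint16_t *src, size_t src_units,
                 uint8_t **out)
{
    if (count == 0 || count > (UINT32_MAX - HDR_BYTES) / sizeof(uint16_t))
        return -1;                  /* multiply or add would wrap */
    if (src_units >= count)
        return -1;                  /* no room left for the terminator */
    uint32_t bytes = count * (uint32_t)sizeof(uint16_t) + HDR_BYTES;
    uint8_t *buf = calloc(1, bytes);
    if (buf == NULL)
        return -1;
    /* Bounded copy: the length comes from the validated count, not from
     * scanning the source for a terminator as lstrcpyW does. */
    memcpy(buf + HDR_BYTES, src, src_units * sizeof(uint16_t));
    *out = buf;
    return 0;
}

int main(void)
{
    uint32_t wrap = 0x80000000u;    /* constructed sample value */
    uint16_t s[] = { 'a', 'b', 'c' };
    uint8_t *p = NULL;
    printf("count=0x%08x -> unchecked request of %u bytes\n",
           (unsigned)wrap, (unsigned)unchecked_size(wrap));
    printf("checked(wrap)=%d\n", checked_copy(wrap, s, 3, &p));
    printf("checked(16)=%d\n", checked_copy(16, s, 3, &p));
    free(p);
    return 0;
}
```

The same range check belongs on any length field that reaches an allocation from the network, before the arithmetic is performed rather than after.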
Analysis:
Exploitation allows attackers to execute arbitrary code with system-level privileges.
Exploitation requires that attackers send specially crafted RPC requests to the Trend ServerProtect or Trend ServerProtect Agent services.
Vendor response:
Trend Micro has addressed these vulnerabilities with the release of Security Patch 4 for ServerProtect. For more information consult the release notes at the following URL: http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt
CVE Information:
CVE-2007-4219
Disclosure timeline:
06/14/2007 - Initial vendor notification
06/20/2007 - Initial vendor response
08/21/2007 - Coordinated public disclosure