"ServerProtect provides comprehensive antivirus scanning for servers, detecting and removing viruses from files and compressed files in real time"
These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.
Vulnerable Systems:
* ServerProtect for Windows 5.58
* ServerProtect for EMC 5.58
* ServerProtect for Network Appliance Filer 5.61
* ServerProtect for Network Appliance Filer 5.62
The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information:
error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
[in] long trend_req_num,
[in][size_is(arg_4)] byte overflow_str[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
[in] long arg_6
);
The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x000a which results in a call to StRpcSrv.65673970(). The original arguments to the RPC endpoint are then passed to this called routine:
The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereto referred to as the 'subcode'.
Vulnerability One:
A subcode value of either 0x0011 or 0x0017 results in the following call:
A stack overflow occurs within the routine CMON_NetTestConnection() due to an unbounded widechar wsprintf() into a 44 byte stack based buffer as shown in the following relevant excerpt:
Vulnerability Two:
A subcode value of either 0x0008 or 0x0009 results in calls to CMON_ActiveUpdate() and CMON_ActiveRollback() respectively. Both of these routines subsequently call StCommon.65631220() which can result in a stack overflow due to an unbounded widechar lstrcat() into a 2k stack-based buffer as shown in the following relevant excerpt:
Disclosure Timeline:
* 2007.01.16 - Digital Vaccine released to TippingPoint customers
* 2007.01.19 - Vulnerability reported to vendor
* 2007.02.20 - Coordinated public release of advisory
