Vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.

Credit:
The information has been provided by The Zero Day Initiative (ZDI).
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-07-077.html
Vulnerable Systems:
* Trend Micro ServerProtect version 5.58
The specific flaw exists in the SpntSvc.exe daemon, bound by default on TCP port 5168 and exposing the following DCE/RPC interface through TmRpcSrv.dll:
/* opcode: 0x00, address: 0x65741030 */
error_status_t sub_65741030 (
    [in] handle_t arg_1,
    [in] long arg_2,
    [in][size_is(arg_4)] byte arg_3[],
    [in] long arg_4,
    [out][size_is(arg_6)] byte arg_5[],
    [in] long arg_6
);
Various sub-functions from StRpcSrv.dll are exposed in this interface and allow for full file system access that can be trivially leveraged to execute arbitrary code.
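A defender-side check for the exposure described above, added here as an example and not part of the ZDI advisory or Trend Micro's code: it parses the DCE/RPC request header in traffic to TCP port 5168 and flags opcode 0x00 calls that come from outside an allowlist. The flow tuple format, the allowlisted management network and the sample payload bytes are assumptions constructed for illustration.

```python
import ipaddress
import struct

SERVERPROTECT_PORT = 5168  # SpntSvc.exe default TCP port, from the advisory
FLAGGED_OPNUM = 0x00       # the opcode listed in the advisory's IDL
PTYPE_REQUEST = 0          # DCE/RPC connection-oriented "request" PDU type
PFC_OBJECT_UUID = 0x80     # header flag: a 16-byte object UUID follows opnum

def parse_request(payload):
    """Return opnum, auth_len and stub_len for a request PDU, else None."""
    if len(payload) < 24 or payload[0] != 5 or payload[2] != PTYPE_REQUEST:
        return None
    # High nibble of the first data-representation byte selects byte order.
    endian = "<" if (payload[4] & 0xF0) == 0x10 else ">"
    frag_len, auth_len = struct.unpack_from(endian + "HH", payload, 8)
    opnum = struct.unpack_from(endian + "H", payload, 22)[0]
    header = 24 + (16 if payload[3] & PFC_OBJECT_UUID else 0)
    # Declared stub size; any auth padding is counted as stub here.
    stub_len = frag_len - header - (8 + auth_len if auth_len else 0)
    if stub_len < 0:
        return None  # declared lengths are inconsistent
    return {"opnum": opnum, "auth_len": auth_len, "stub_len": stub_len}

def flag_flows(flows, allowed_nets):
    """flows: (src_ip, dst_port, first_payload_bytes) tuples (assumed format)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for src, dport, payload in flows:
        req = parse_request(payload) if dport == SERVERPROTECT_PORT else None
        if req is None or req["opnum"] != FLAGGED_OPNUM:
            continue
        if any(ipaddress.ip_address(src) in n for n in nets):
            continue  # expected management traffic (allowlist is an assumption)
        alerts.append((src, req["opnum"], req["auth_len"], req["stub_len"]))
    return alerts

# Constructed sample payloads: headers plus zero filler, not real captures.
LE_REQ = bytes.fromhex("05000003 10000000 1c00 0000 01000000 04000000 0000 0000 00000000")
BE_OP3 = bytes.fromhex("05000003 00000000 001c 0000 00000001 00000004 0000 0003 00000000")
BIND = bytes.fromhex("05000b03 10000000 1c00 0000 01000000 b810 b810 00000000 00000000")
SAMPLE_FLOWS = [
    ("192.0.2.77", 5168, LE_REQ),  # unexpected source, opnum 0: alert
    ("10.0.5.10", 5168, LE_REQ),   # inside the allowlisted management net
    ("192.0.2.77", 5168, BE_OP3),  # big-endian request, opnum 3
    ("192.0.2.77", 5168, BIND),    # bind PDU, not a request
    ("192.0.2.77", 445, LE_REQ),   # different port
]

if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS, ["10.0.5.0/24"]):
        print("ALERT src=%s opnum=%d auth_len=%d stub_len=%d" % alert)
```

Because the advisory states that authentication is not required, the alert tuple carries `auth_len` so that unauthenticated calls can be prioritised during triage.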
Vendor Response:
Trend Micro issued an update to correct this vulnerability on July 27th, 2007. More details can be found at:
http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt
Disclosure Timeline:
2007.02.01 - Vulnerability reported to vendor
2007.12.17 - Public release of advisory