Intrusion Prevention IPS | TippingPoint, a division of 3Com

TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities
February 20, 2007

CVE ID:

CVE-2007-1070

Affected Vendor:

Affected Products:

ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

TippingPoint(TM) IPS Customer Protection:

TippingPoint IPS customers have been protected against this vulnerability since January 16, 2007 by a pre-existing Digital Vaccine protection filter ID 5101. For further product information on the TippingPoint IPS:

http://www.tippingpoint.com

Vulnerability Details:

These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.

The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information:

    // opcode:  0x00, address: 0x65741030
    // uuid:    25288888-bd5b-11d1-9d53-0080c83a5c2c
    // version: 1.0
    
    error_status_t   rpc_opnum_0 (
     [in] handle_t  arg_1,
     [in] long  trend_req_num,
     [in][size_is(arg_4)] byte overflow_str[],
     [in] long  arg_4,
     [out][size_is(arg_6)] byte arg_5[],
     [in] long  arg_6
    );

The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x0003 which results in a call to StRpcSrv.65671000(). The original arguments to the RPC endpoint are then passed to this called routine:

    657416E6     mov eax, opnum0_call_table[eax*4]
    657416ED     test eax, eax
    657416EF     jnz short loc_65741707
    ...
    65741707 loc_65741707:
    65741707     mov [ebp+var_4], 0
    6574170E     mov edx, [ebp+sizeof_arg5]
    65741711     push edx
    65741712     mov edx, [ebp+arg5_array]
    65741715     push edx
    65741716     mov edx, [ebp+sizeof_overflow_str]
    65741719     push edx
    6574171A     mov edx, [ebp+overflow_str]
    6574171D     push edx
    6574171E     push ecx       ; trend_req_num
    6574171F     call eax       ; call handler

The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereto referred to as the 'subcode'.

Vulnerability One
A subcode value of 0x0004 results in a call to ENG_SetRealTimeScanConfigInfo() which subsequently calls through Eng50.61181940() -> Eng50.611819E0() -> Eng50.61190F60() and can result in a stack overflow due to an unbounded widechar string copy into a ~600 byte stack-based buffer as shown in the following relevant excerpt:

    61190FC7 lea edx, [esp+288h+szShortPath]
    61190FCB push esi
    61190FCC push edx
    61190FCD call _wcscpy

Vulnerability Two
A subcode value of 0x0047 results in a call to ENG_SendEMail() which can result in a stack overflow due to an unbounded widechar string copy into a ~2k stack-based buffer as shown in the following relevant excerpt:

    6118A161 mov esi, [esp+780h+arg_0]
    6118A168 lea eax, [esp+780h+var_778]
    6118A16C push esi
    6118A16D push eax
    6118A16E call _wcscpy

The resulting stack overflows can be leveraged to execute arbitrary code under the privileges of the SYSTEM user.

Vendor Response:

Trend Micro has issued an update to correct this vulnerability. More details can be found at:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290

Disclosure Timeline:

2007.01.16	Digital Vaccine released to TippingPoint customers
2007.02.01	Vulnerability reported to vendor
2007.02.20	Coordinated public release of advisory

Credit:

This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.