Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Summary
Title: Trend Micro ServerProtect Agent service RPC stack-buffer overflow
Information
Name: VU#204448
First vendor publication: 2007-08-23
Vendor: VU-CERT
Last vendor modification: 2007-09-10
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#204448

Trend Micro ServerProtect Agent service RPC stack-buffer overflow

Overview

Trend Micro ServerProtect Agent service fails to properly handle RPC requests. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.

I. Description

The Trend Micro ServerProtect Agent service handles Remote Procedure Calls (RPC) on port 3628/tcp. The agent fails to properly validate RPC requests, possibly allowing a stack-based buffer overflow to occur. A remote, unauthenticated attacker can trigger this overflow by sending a specially crafted RPC request to the RPCFN_CopyAUSrc function.

More information can be found in the README file for Security Patch 4.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

III. Solution

Apply a patch


Trend Micro has addressed these vulnerabilities with Security Patch 4.

Restrict Access to the Trend Micro ServerProtect Agent

Until the patch can be applied you may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the Trend Micro ServerProtect Agent service (3628/tcp). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
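
As an added example (not part of the CERT note or any Trend Micro tooling), the following Python check lets a defender confirm that 3628/tcp is no longer reachable on their own agent hosts. The host list and the `probe` and `audit` names are assumptions of this example.

```python
import socket
import sys

AGENT_PORT = 3628  # ServerProtect Agent RPC port named in the advisory


def probe(host, port=AGENT_PORT, timeout=2.0):
    """Classify one TCP connect attempt as open, closed, filtered or unresolved."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the service is reachable
    except ConnectionRefusedError:
        return "closed"          # RST received: host is up, nothing is listening
    except socket.gaierror:
        return "unresolved"      # inventory entry does not resolve
    except OSError:
        return "filtered"        # timeout or unreachable: traffic is being dropped


def audit(hosts, port=AGENT_PORT, timeout=2.0):
    """Probe every host; return (per-host results, sorted list of exposed hosts)."""
    results = {host: probe(host, port, timeout) for host in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Hosts are passed on the command line (hypothetical inventory of agent servers).
    results, exposed = audit(sys.argv[1:])
    for host, state in results.items():
        print(f"{host}:{AGENT_PORT} {state}")
    sys.exit(1 if exposed else 0)
```

Run it once from outside the perimeter and once from an internal segment: a perimeter-only block changes the first result but leaves the second "open", which is the residual exposure the paragraph above describes.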

Systems Affected

Vendor Status Date Updated
Trend Micro Vulnerable 23-Aug-2007

References


http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=587
http://secunia.com/advisories/26523/
http://www.zerodayinitiative.com/advisories/ZDI-07-050.html

Credit

These vulnerabilities were reported by iDefense Labs. iDefense Labs in turn credits Code Audit Labs, Jun Mao from iDefense Labs, and two anonymous researchers.

This document was written by Jeff Gennari.

Other Information

Date Public: 08/21/2007
Date First Published: 08/23/2007 01:07:11 PM
Date Last Updated: 09/10/2007
CERT Advisory:
CVE Name: CVE-2007-4218
Metric: 22.31
Document Revision: 11

Original Source

Url : http://www.kb.cert.org/vuls/id/204448

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-189 Numeric Errors (CWE/SANS Top 25)
33 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
33 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Type Description Count
Application 1

SAINT Exploits

Description
Trend Micro ServerProtect RPCFN_CMON_SetSvcImpersonateUser buffer overflow
Trend Micro ServerProtect RPC NTF_SetPagerNotifyConfig buffer overflow
Trend Micro ServerProtect SpntSvc RPC buffer overflow

Open Source Vulnerability Database (OSVDB)

Id Description
39754 Trend Micro ServerProtect for Windows (SpntSvc.exe) Notification.dll NTF_SetP...

39753 Trend Micro ServerProtect for Windows (SpntSvc.exe) Eng50.dll Multiple Functi...

39752 Trend Micro ServerProtect for Windows (SpntSvc.exe) Stcommon.dll Multiple Fun...

39751 Trend Micro ServerProtect for Windows (SpntSvc.exe) StRpcSrv.dll Multiple Fun...

39750 Trend Micro ServerProtect for Windows Agent Service RPCFN_CopyAUSrc Function ...

Information Assurance Vulnerability Management (IAVM)

Date Description
2007-08-24 IAVM : 2007-T-0035 - Trend Micro ServerProtect Multiple Remote Code Execution Vulnerabilities
Severity : Category I - VMSKEY : V0014876

Snort® IPS/IDS

Date Description
2014-01-10 DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser object call attempt
RuleID : 12352 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser little endian object...
RuleID : 12351 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser attempt
RuleID : 12350 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect _SetSvcImpersonateUser attempt
RuleID : 12349 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _SetSvcImpersonateUser little endian attempt
RuleID : 12348 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt
RuleID : 12347 - Revision : 15 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 object call attempt
RuleID : 12346 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 little endian object ca...
RuleID : 12345 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 little endian attempt
RuleID : 12344 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect Trent_req_num_a0030 attempt
RuleID : 12343 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect Trent_req_num_a0030 attempt
RuleID : 12342 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt
RuleID : 12341 - Revision : 12 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian object ca...
RuleID : 12340 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect Trent_req_num_30010 object call overflow at...
RuleID : 12339 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect Trent_req_num_30010 little endian overfl...
RuleID : 12338 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect Trent_req_num_30010 little endian overflow ...
RuleID : 12337 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect Trent_req_num_30010 overflow attempt
RuleID : 12336 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt
RuleID : 12335 - Revision : 15 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _TakeActionOnAFile object call attempt
RuleID : 12334 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian object cal...
RuleID : 12333 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt
RuleID : 12332 - Revision : 12 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile little endian attempt
RuleID : 12331 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _TakeActionOnAFile little endian attempt
RuleID : 12330 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect _TakeActionOnAFile attempt
RuleID : 12329 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem object call attempt
RuleID : 12328 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian object ...
RuleID : 12327 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt
RuleID : 12326 - Revision : 15 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem little endian attempt
RuleID : 12325 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _AddTaskExportLogItem little endian attempt
RuleID : 12324 - Revision : 5 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect _AddTaskExportLogItem attempt
RuleID : 12323 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc little end...
RuleID : 12322 - Revision : 7 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc object cal...
RuleID : 12321 - Revision : 7 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP v4 trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt
RuleID : 12320 - Revision : 7 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc little end...
RuleID : 12319 - Revision : 7 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP v4 trend-serverprotect-earthagent RPCFN_CopyAUSrc little ...
RuleID : 12318 - Revision : 7 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt
RuleID : 12317 - Revision : 19 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian object ...
RuleID : 12312 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig object call attempt
RuleID : 12311 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig little endian attempt
RuleID : 12310 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT trend-serverprotect _SetPagerNotifyConfig attempt
RuleID : 12309 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC DIRECT v4 trend-serverprotect _SetPagerNotifyConfig attempt
RuleID : 12308 - Revision : 6 - Type : NETBIOS
2014-01-10 DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt
RuleID : 12307 - Revision : 15 - Type : NETBIOS

Nessus® Vulnerability Scanner

Date Description
2007-08-22 Name : It is possible to execute code on the remote host through the AntiVirus Agent.
File : trendmicro_serverprotect_multiple2.nasl - Type : ACT_GATHER_INFO