Home page logo
/

bugtraq logo Bugtraq mailing list archives

VirusWall HTTP proxy content scanning circumvention
From: Boris Wesslowski <bw () inside-security de>
Date: Mon, 11 Mar 2002 13:25:19 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FOR PUBLIC RELEASE

- ------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 0.3  2002-03-10
- ------------------------------------------------------------------------

The latest version of this document is available at
http://www.inside-security.de/vwall_cl0.html

A demo server and proof of concept code are available at
http://www.inside-security.de/vwall_cl0_poc.html

- -------------------------------------------------------------------------
Trend Micro InterScan VirusWall HTTP proxy content scanning circumvention
- -------------------------------------------------------------------------

Summary:
  Trend Micro InterScan VirusWall contains a HTTP proxy that prevents users
  from downloading virus-infected content by scanning the data received
  from a web server before passing it to the client. However, the default
  configuration of the HTTP proxy will cause it to skip content scanning if
  a malicious web server provides a modified HTTP header, thereby letting
  virus-infected content pass.

Impact:
  Users behind the VirusWall can unintentionally download virus-infected
  content from a malicious web server without being protected by the
  VirusWall.

Affected systems:
  Trend Micro InterScan VirusWall 3.6

Releases tested:
  Trend Micro InterScan VirusWall 3.6 for Red Hat Linux 6.2

Vendor status:
  The vendor was informed 2002/02/25 and replied that a major change in
  the software would be needed to fix this issue and agreed with our
  suggested workaround below adding the server timeout comment.

Detailed description:
  The Trend Micro InterScan VirusWall HTTP proxy contains a configuration
  option called "Skip scanning if Content-length equals 0". This option
  is enabled by default and only mentioned but not explained in the
  administrator's guide. It may be useful to prevent scanning of "empty"
  web pages. If this option is enabled and the proxy receives a document
  from a web server with real content, but which is preceded by a HTTP
  header with content-length field set to 0, it will pass the document
  to the client without scanning it. Of course, the web server must have
  been modified to return a zero content length field when serving a
  virus-infected document. This could e.g. have been done by a malicious
  webmaster or an intruder with the intent to trick users into downloading
  virus-infected content from his/her site. Unfortunately many web
  browsers e.g. Netscape 4.7, Netscape 6 and MSIE 6 will ignore the zero
  content-length field in the HTTP header and still download the document.

Proof of concept:
  A modified server to demonstrate the vulnerability and proof of concept
  source code are available at

  http://www.inside-security.de/vwall_cl0_poc.html

  The tests are done with the EICAR anti-virus test file, for more
  information about the anti-virus test file visit the European Institute
  for Computer Anti-Virus Research (EICAR) at http://www.eicar.org/

Suggested workaround:
  Disable the "Skip scanning if Content-length equals 0" option in the
  HTTP proxy configuration using the VirusWall web administration
  interface. When disabled certain sites may display slowly, in this
  case the "server timeout" value on the advanced configuration page
  should be configured to a smaller value.

Credits:
  This vulnerability was found and documented by Jochen Thomas Bauer
  <jtb () inside-security de> and Boris Wesslowski <bw () inside-security de> of
  Inside Security GmbH, Stuttgart, Germany.

- ------------------------------------------------------------------------
(C) 2002 Inside Security GmbH
This notice may be redistributed freely provided that redistributed copies
are complete and unmodified, and include all date and version information.

ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY
DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY
THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE
INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF INSIDE
SECURITY GMBH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of
applicable law, void, or unenforceable in any jurisdiction, then
such provisions are waived to the extent necessary for this disclaimer
to be otherwise enforceable in such jurisdiction.
- ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iD8DBQE8jKGpjZjTvnUSw/YRAoeYAJ9Xn8chqRdXGs1cWoFrhw0qCrbGTwCdFn7d
CN6rvogObY5ug4/PowuS1pQ=
=RGX9
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • VirusWall HTTP proxy content scanning circumvention Boris Wesslowski (Mar 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]