TAIWAN
2004-03-26, 11:41 PM
Trend Micro (TRENDMICRO) Interscan remote directory traversal vulnerability
Interscan Web Viruswall, a part of the Interscan Viruswall package, is a web proxy/gateway service that has a responsibility to scan for viruses "on-the-fly" before they reach the user's browser. In Interscan Web Viruswall, there is a built-in mechanism that allows anybody to read files in the /ishttp/localweb directory by using a URL such as: http://victimIP:8080/ishttpd/localweb/filename. Other URLs pointing to different directories (except sub-directories of "localweb") won't trigger the mechanism and will be forwarded to the proxy which the service is set up to use. The reason there is such a "feature" is because Interscan Web Viruswall has another feature (not turned on by default) called TeleWindow which uses an applet (/ishttpd/localweb/java/telewind.zip) to allow users to see the scanning process. Unfortunately, that built-in mini webserver has a directory traversal problem. By using a URL like this, an evil genius ;-) can access files outside the localweb directory:
http://victimIP:8080/ishttpd/localweb/java/?/../../../ishttpd.exe
will download the service executable file or test
http://24.128.159.50:8080/ishttpd/localweb/java/?/../../../../../../../../autoexec.bat
will download the autoexec.bat file in the root directory.
root :eek: :eek: :D :D
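As an added defender's example (not part of the original post), here is a log-side check that reconstructs the path the flawed mini webserver would resolve and flags requests that escape the localweb directory. The log format and host names are constructed; the assumption that the server treats the part after "?" as more path comes from the advisory's own URLs.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Directory the TeleWindow mini webserver is meant to expose (from the advisory).
LOCALWEB_ROOT = "/ishttpd/localweb"

def effective_path(request_uri: str) -> str:
    """Reconstruct the path the flawed server would actually open.

    The advisory's URLs hide the '..' segments behind a '?', so a naive
    check on the path component alone misses them. Assumption (matching
    the advisory's URLs): the server treats the '?' portion as more path.
    Percent-encoding and Windows backslashes are normalised as well.
    """
    parts = urlsplit(request_uri)
    raw = parts.path
    if parts.query:
        raw += "/" + parts.query
    raw = unquote(raw).replace("\\", "/")
    return posixpath.normpath(raw)

def escapes_root(request_uri: str, root: str = LOCALWEB_ROOT) -> bool:
    """True when the request resolves outside the localweb directory."""
    resolved = effective_path(request_uri)
    return resolved != root and not resolved.startswith(root + "/")

def find_traversal(log_lines):
    """Scan constructed 'METHOD URI STATUS' lines; return (line_no, resolved_path) hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        uri = fields[1]
        if urlsplit(uri).path.startswith(LOCALWEB_ROOT) and escapes_root(uri):
            hits.append((n, effective_path(uri)))
    return hits

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    "GET /ishttpd/localweb/java/telewind.zip 200",
    "GET http://gateway.example:8080/ishttpd/localweb/java/?/../../../ishttpd.exe 200",
    "GET /ishttpd/localweb/java/%3f/..%2f..%2f..%2f..%2fautoexec.bat 200",
    "GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for line_no, path in find_traversal(SAMPLE_LOG):
        print(f"line {line_no}: escapes localweb -> {path}")
```

Requests that stay under the localweb directory, including ones with an ordinary query string, are not flagged; only those whose normalised path leaves it are reported.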