Just to keep everyone updated, Trend has examined the exploit and is currently in the process of testing an official patch for this problem. This should be available within a few hours at most. Thank you, Bob Li Product Manager Trend Micro, Inc. E-Mail: [EMAIL PROTECTED] Phone: 408-863-6341 -----Original Message----- From: dark spyrit [mailto:[EMAIL PROTECTED]] Sent: Sunday, November 07, 1999 4:52 AM To: [EMAIL PROTECTED] Subject: Interscan VirusWall NT 3.23/3.3 buffer overflow. A buffer overflow exists on the VirusWall smtp gateway - by sending a long HELO command you can overflow the buffer and execute arbitrary code. Example code has been written which will spawn a command prompt on a port you specify. Before you shrug this one off, take a look: Connected to mail1.microsoft.com. Escape character is '^]'. 220 mail1.microsoft.com InterScan VirusWall NT ESMTP 3.23 (build 9/10/99) ready at Sun, 07 Nov 1999 03:38:44 -0800 (Pacific Standard Time) The ironic thing here is, VirusWall was designed to prevent viruses and 'malicious code'. Obviously not a lot of thought was taken before laying their trust into 3rd party 'security' products. A quick note to the millions out there who would give their right arm to compromise microsofts network - sorry, their firewall would prevent the payload from spawning a remote shell.. unless of course it was modified to stop an existing service to open a port :) Exploit source and binary is available at http://www.beavuh.org. Credit to Liraz Siri for bringing this to our attention. Hi to eEye/w00w00/teso. dark spyrit http://www.beavuh.org - bend over and pray.
