
DOE-CIRC TECHNICAL BULLETIN

T-132: Multiple Trend Micro Products RAR/ZIP Files Scan Evasion Vulnerability

May 12, 2009 17:00 GMT

PROBLEM: Multiple Trend Micro products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine.
PLATFORM: Trend Micro products listed in discussion below: ServerProtect for Microsoft Windows/Novell NetWare; ServerProtect for EMC Celerra; ServerProtect for NetApp; ServerProtect for Linux; ServerProtect for Network Appliance Filers; Internet Security Pro; Internet Security; OfficeScan Component; Worry Free Business Security - Standard; Worry Free Business Security - Advanced; Worry Free Business Security Hosted; Housecall; InterScan Web Security Suite; InterScan Web Protect for ISA; InterScan Messaging Security Appliance; Neatsuite Advanced; ScanMail for Exchange; ScanMail for Domino Suites
ABSTRACT: The parsing engine can be bypassed by a specially crafted and formatted ZIP, RAR, or CAB archive.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-132.shtml
  OTHER LINKS:
    Security Focus
    http://www.securityfocus.com/bid/34763/info
    Trend Micro Homepage
    http://www.trend.com/
    SecDev - Thierry Zoller
    http://blog.zoller.lu/2009/04/trendmicro-multiple-evasion-and-bypass.html

IMPACT ASSESSMENT: This risk is medium. Successful exploits will allow attackers to distribute files containing malicious code that the antivirus application will fail to detect.

Problem:
Multiple Trend Micro products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine. 

Platform:
Trend Micro Worry-Free Business Security 5.0
Trend Micro ServerProtect for Windows 5.58
Trend Micro ServerProtect for Windows 
Trend Micro ServerProtect for Novell Netware 
Trend Micro ServerProtect for Network Appliance Filer 5.62
Trend Micro ServerProtect for Network Appliance Filer 5.61
Trend Micro ServerProtect for Linux 1.2 
Trend Micro ServerProtect for Linux 
Trend Micro ServerProtect for EMC 5.58
Trend Micro ServerProtect 5.5.8 
Trend Micro ServerProtect 5.3.1 
Trend Micro ServerProtect 5.7
Trend Micro ServerProtect 5.58 (Security Patch
Trend Micro ServerProtect 5.58
Trend Micro Server Protect 5.58
Trend Micro ScanMail for Microsoft Exchange 6.1 
Trend Micro ScanMail for Microsoft Exchange 3.81 
Trend Micro ScanMail for Microsoft Exchange 3.8 
Trend Micro ScanMail for Microsoft Exchange 6.2
Trend Micro ScanMail for Domino 2.51 
Trend Micro ScanMail for Domino 2.6 
Trend Micro OfficeScan For Microsoft SBS 4.5 
- Microsoft Windows NT 4.0
Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.13 
- Microsoft Windows NT 4.0
Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.11 
- Microsoft Windows NT 4.0
Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.5 
Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.1.1 
Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.0 
Trend Micro OfficeScan Corporate Edition for SMB2.0 6.0
Trend Micro OfficeScan Corporate Edition 7.0 
Trend Micro OfficeScan Corporate Edition 6.5 
Trend Micro OfficeScan Corporate Edition 5.58 
Trend Micro OfficeScan Corporate Edition 5.5 
Trend Micro OfficeScan Corporate Edition 5.0 2
Trend Micro OfficeScan Corporate Edition 3.54 
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows 98SE 
- Microsoft Windows ME 
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Novell Netware 5.1 
- Novell Netware 5.0 
- Novell Netware 4.11 
- Novell Netware 4.1 
- Novell Netware 3.1.2 
Trend Micro OfficeScan Corporate Edition 3.13 
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows NT 4.0
- Novell Netware 4.11 
- Novell Netware 4.1 
Trend Micro OfficeScan Corporate Edition 3.11 
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows NT 4.0
- Novell Netware 4.11 
- Novell Netware 4.1 
Trend Micro OfficeScan Corporate Edition 3.5 
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows NT 4.0
- Novell Netware 4.11 
- Novell Netware 4.1 
Trend Micro OfficeScan Corporate Edition 3.0 
Trend Micro OfficeScan Corporate Edition 8.0.patch build 1042
Trend Micro OfficeScan Corporate Edition 8.0 SP1 Patch 1
Trend Micro OfficeScan Corporate Edition 8.0 Patch 2 Build 11
Trend Micro OfficeScan Corporate Edition 8.0
Trend Micro OfficeScan Corporate Edition 7.3 Build 1314
Trend Micro OfficeScan Corporate Edition 7.3
Trend Micro OfficeScan Corporate Edition 7.0
Trend Micro OfficeScan Corporate Edition 6.5
Trend Micro OfficeScan Corporate Edition 6.0
Trend Micro OfficeScan 8.0 Service Pack 1 P
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows NT 4.0
- Novell Netware 4.11 
- Novell Netware 4.1 
Trend Micro OfficeScan 8.0 Service Pack 1
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows NT 4.0
- Novell Netware 4.11 
- Novell Netware 4.1 
Trend Micro OfficeScan 8.0
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows NT 4.0
- Novell Netware 4.11 
- Novell Netware 4.1 
Trend Micro OfficeScan 7.3
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 95 
- Microsoft Windows 98 
- Microsoft Windows NT 4.0
- Novell Netware 4.11 
- Novell Netware 4.1 
Trend Micro OfficeScan 7.0
Trend Micro Office Scan 7.3
Trend Micro InterScan WebSecuritySuite for Linux 1.0 ja
Trend Micro InterScan WebSecuritySuite for Linux 
Trend Micro InterScan WebProtect for ISA 
Trend Micro InterScan WebManager 2.1 
Trend Micro InterScan WebManager 2.0 
Trend Micro InterScan WebManager 1.2 
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional 
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT Server 4.0
Trend Micro InterScan WebManager 1.2 
Trend Micro InterScan Web Security Virtual Appliance 3.1
Trend Micro InterScan Web Security Suite for Windows 3.1
Trend Micro InterScan Web Security Suite for Windows 
Trend Micro InterScan Web Security Suite for Solaris 
Trend Micro InterScan Web Security Suite for Linux 3.1
Trend Micro InterScan Web Security Suite for Linux 
Trend Micro InterScan Web Security Suite 2.5
Trend Micro InterScan VirusWall Scan Engine 7.510 -1002
Trend Micro InterScan VirusWall for Windows NT 5.1 
Trend Micro InterScan VirusWall for Windows NT 3.52 build 1466
Trend Micro InterScan VirusWall for Windows NT 3.52 
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 alpha
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Trend Micro InterScan VirusWall for Windows NT 3.51 
- Microsoft Windows NT 3.5.1 SP5
- Microsoft Windows NT 3.5.1 SP4
- Microsoft Windows NT 3.5.1 SP3
- Microsoft Windows NT 3.5.1 SP2
- Microsoft Windows NT 3.5.1 SP1
- Microsoft Windows NT 3.5.1 
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 3.5
Trend Micro InterScan VirusWall for Windows NT 3.6 
Trend Micro InterScan VirusWall for Windows NT 3.5 
- Microsoft Windows NT 3.5.1 SP5
- Microsoft Windows NT 3.5.1 SP4
- Microsoft Windows NT 3.5.1 SP3
- Microsoft Windows NT 3.5.1 SP2
- Microsoft Windows NT 3.5.1 SP1
- Microsoft Windows NT 3.5
Trend Micro InterScan VirusWall for Windows NT 3.4 
- Microsoft Windows NT 4.0
Trend Micro InterScan VirusWall for Windows 
Trend Micro InterScan VirusWall for Unix 3.6 x
Trend Micro InterScan VirusWall for Unix 3.0.1 
Trend Micro InterScan VirusWall for SMB Windows NT
Trend Micro InterScan VirusWall for SMB Linux
Trend Micro InterScan VirusWall for SMB 
Trend Micro InterScan VirusWall for AIX 
Trend Micro Interscan Viruswall (Solaris) 3.6 
Trend Micro Interscan Viruswall (Linux) 3.6 
Trend Micro Interscan Viruswall (Linux) 3.1 
Trend Micro Interscan Viruswall (Linux) 3.0.1 
Trend Micro Interscan Viruswall (Linux) 3.81
Trend Micro Interscan Viruswall (HP-UX) 3.6 
Trend Micro InterScan VirusWall 3.52 
Trend Micro InterScan VirusWall 3.32 
- Microsoft Windows NT 4.0
Trend Micro InterScan VirusWall 3.8 Build 1130
Trend Micro InterScan VirusWall 3.7 Build 1190
Trend Micro InterScan VirusWall 3.7 
Trend Micro InterScan VirusWall 3.6 Build 1182
Trend Micro InterScan VirusWall 3.6 Build 1166
Trend Micro InterScan VirusWall 3.6 
Trend Micro InterScan VirusWall 3.3 
- Microsoft Windows NT 4.0
Trend Micro InterScan VirusWall 3.2.3 
- Microsoft Windows NT 4.0
Trend Micro InterScan VirusWall 3.0.1 
Trend Micro InterScan Messaging Security Suite for Windows 
Trend Micro InterScan Messaging Security Suite for Solaris 
Trend Micro InterScan Messaging Security Suite for Linux 5.1.1 
Trend Micro InterScan Messaging Security Suite for Linux 
Trend Micro InterScan Messaging Security Suite 5.5 .1183
Trend Micro InterScan Messaging Security Suite 5.5 
Trend Micro InterScan Messaging Security Suite 3.81 
Trend Micro InterScan eManager 3.51 j
- Trend Micro InterScan VirusWall 3.32 
- Trend Micro InterScan VirusWall 3.3 
- Trend Micro InterScan VirusWall 3.2.3 
- Trend Micro InterScan VirusWall 3.0.1 
- Trend Micro InterScan VirusWall for Windows NT 3.51 
- Trend Micro InterScan VirusWall for Windows NT 3.5 
- Trend Micro InterScan VirusWall for Windows NT 3.4 
Trend Micro InterScan eManager 3.51 
- Trend Micro InterScan VirusWall 3.32 
- Trend Micro InterScan VirusWall 3.3 
- Trend Micro InterScan VirusWall 3.2.3 
- Trend Micro InterScan VirusWall 3.0.1 
- Trend Micro InterScan VirusWall for Windows NT 3.51 
- Trend Micro InterScan VirusWall for Windows NT 3.5 
- Trend Micro InterScan VirusWall for Windows NT 3.4 
Trend Micro InterScan eManager 3.6 For Sun
- Sun Solaris 2.6_sparc
Trend Micro InterScan eManager 3.6 For Linux
Trend Micro InterScan eManager 3.5.2 For Windows
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server 
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server 
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional 
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server 
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
Trend Micro InterScan eManager 3.5 For HP
Trend Micro Internet Security Suite 2007 0
Trend Micro Internet Security Pro 2009
Trend Micro Internet Security Pro 2008
Trend Micro Internet Security 2009
Trend Micro Internet Security 2008
Trend Micro HouseCall 6.51 1028
Trend Micro HouseCall 6.6 1285
Trend Micro HouseCall 6.6 1278
Trend Micro HouseCall 5.7 
Trend Micro HouseCall 5.5

Abstract:
The parsing engine can be bypassed by a specially crafted and formatted ZIP, RAR, or CAB archive.

References:
Security Focus
http://www.securityfocus.com/bid/34763/info
Trend Micro homepage
http://www.trend.com/
SecDev - Thierry Zoller
http://blog.zoller.lu/2009/04/trendmicro-multiple-evasion-and-bypass.html

DOE-CIRC wishes to acknowledge the contributions of Thierry Zoller for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788