[DCA-2011-0004]

[Discussion]
- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]
- Trend WebReputation API

[Vendor Product Description]
- Secure any endpoint – physical or virtual – with the industry's strongest, most reliable protection, while reducing the impact on your endpoint resources. Harness the power of the cloud with to-the-second protection from the Trend Micro Smart Protection Network. Ground-breaking new virtualization awareness delivers the latest endpoint solutions along with peace of mind and innovative resource-saving technology to help you defend against zero day threats with optional virtual patching.
- Source: http://us.trendmicro.com/us/products/enterprise/officescan/index.html

[Advisory Timeline]
- Advisory sent to vendor: 15/Feb/2011
- Vendor said there is no failure: 15/Feb/2011
- Advisory sent again with demo video: 16/Feb/2011
- Vendor confirmed the bug: 16/Feb/2011
- Vendor fixed the bug: 17/Feb/2011
- Advisory coordinated to be published: 18/Feb/2011
- Published: 14/Mar/2011

[Bug Summary]
- Download content-filter circumvention

[Impact]
- Medium

[Affected Version]
- 10.5
- Prior versions may also be affected but were not tested.

[Bug Description and Proof of Concept]
- The Web Reputation download filter can be easily circumvented by appending a "@" or a "question mark" (?) to the end of the URL. The filter compares the requested URL against its reputation list literally, so a URL that differs from the listed one only by a trailing character is no longer recognized, even though the server ignores that character and serves the same file.

POC:

URL Blocked
The URL that you are attempting to access is a potential security risk.
Trend Micro OfficeScan has blocked this URL in keeping with network security policy.
URL: http://nmap.org/dist/nmap-5.51-setup.exe
Risk Level: Dangerous
Details: Verified fraud page or threat source

Just put ? at the end:
http://nmap.org/dist/nmap-5.51-setup.exe?

Download successful

Second POC:

Demo Video: http://www.youtube.com/watch?v=J2Nd3wNWXPU

All flaws described here were discovered and researched by:
Ewerson Guimaraes (Crash)
DcLabs Security Research Group
crash dclabs com br

[Workarounds]
-

[Credits]
DcLabs Security Research Group.
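The root cause above is a literal string comparison against the reputation list. The following example, added here and not part of the advisory or of any Trend Micro code, contrasts that naive check with a hypothetical normalizer that canonicalizes a URL (scheme and host case, default port, dot segments, percent-encoding, the empty trailing "?" and the trailing "@" shown in the PoC) before matching, using the advisory's own PoC URL as a constructed blocklist entry.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit, unquote, quote

# Constructed blocklist containing the URL quoted in the advisory's PoC.
BLOCKED_URLS = {"http://nmap.org/dist/nmap-5.51-setup.exe"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_is_blocked(url: str) -> bool:
    """Exact string comparison: the behaviour a trailing '?' or '@' defeats."""
    return url in BLOCKED_URLS


def canonicalize(url: str) -> str:
    """Reduce cosmetic URL variants to one comparison key.

    Hypothetical normalizer written for this example; it is not the vendor's fix.
    The key deliberately drops query and fragment: for a download-reputation list
    the host and path identify the file, and keeping the query would make any
    non-empty '?x' suffix another one-character bypass (policy assumption).
    """
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").rstrip(".")          # hostname is already lowercased
    port = p.port                                  # None when no explicit port
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    # Decode percent-encoding, collapse '.' and '..' segments, then re-encode consistently.
    path = posixpath.normpath(unquote(p.path or "/"))
    if p.path.endswith("/") and path != "/":
        path += "/"
    # The advisory shows a trailing '@' used purely as an evasion suffix; it has no
    # meaning at the end of a download path, so it is stripped before comparing.
    path = quote(path.rstrip("@"), safe="/")
    return urlunsplit((scheme, netloc, path, "", ""))


# Canonicalize the blocklist once so both sides of the comparison use the same form.
_CANONICAL_BLOCKLIST = {canonicalize(u) for u in BLOCKED_URLS}


def is_blocked(url: str) -> bool:
    """Reputation check that survives the trailing '?' and '@' variants."""
    return canonicalize(url) in _CANONICAL_BLOCKLIST
```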
--
Ewerson Guimaraes (Crash)
Pentester/Researcher
DcLabs Security Team
www.dclabs.com.br