[NT] Trend Micro OfficeScan Corporate Edition Configuration File Disclosure Vulnerability

From: support@securiteam.com
Date: 10/25/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Trend Micro OfficeScan Corporate Edition Configuration File Disclosure Vulnerability
Message-Id: <20011025122246.1D57F138BF@mail.der-keiler.de>
Date: Thu, 25 Oct 2001 14:22:46 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Trend Micro OfficeScan Corporate Edition Configuration File Disclosure
Vulnerability
------------------------------------------------------------------------

SUMMARY

A vulnerability was discovered in Trend Micro OfficeScan Corporate Edition
(Japanese version: Virus Buster Corporate Edition) that allows remote
attackers to access configuration files containing passwords.

DETAILS

Vulnerable systems:
Trend Micro OfficeScan Corporate Edition version 3.53
Trend Micro Virus Buster Corporate Edition version 3.53

Trend Micro OfficeScan Corporate Edition (Japanese version: Virus Buster
Corporate Edition) is an antivirus software for enterprise use. This
software provides real-time management, real-time configuration and
updates pattern files on client machines from management console.

When this software is installed, several virtual directories are created
in order to provide Web-based management console function. However,
attackers will be able to access one of these directories,
/officescan/hotdownload, without authentication. In addition, the file
stored in this directory, ofcscan.ini, is the configuration file used by
OfficeScan Corporate Edition.

If this vulnerability is exploited, an attacker will be able to gain
access to the configuration information from this file. Moreover, although
this file stores an encrypted password, it is possible to decrypt it
easily. For example, OfficeScan Corporate Edition has encrypted the
following character sequences, "12345":

701F702132

This string is generated by a specific algorithm and it is possible to
decrypt it easily. If an application uses a duplicated password, an
attacker will be able to cause further impacts on the system.

Solution:
A patch to fix this issue for Virus Buster Corporate Edition is available
at the following URL:
 
<http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3182>
http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3182

ADDITIONAL INFORMATION

The information has been provided by <mailto:y.arai@lac.co.jp> ARAI Yuu
(LAC) .

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages