[NT] Trend OfficeScan Corporate Antivirus Permissions Insecurity
From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/04
To: list@securiteam.com
Date: 12 May 2004 18:54:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Trend OfficeScan Corporate Antivirus Permissions Insecurity
------------------------------------------------------------------------
SUMMARY
" <http://www.antivirus.com/products/osce/> OfficeScan is a network based
anti-virus product from TrendMicro. NT workstations, Win 3.x or Win 9.x
can install this service over a LAN simply by accessing an ActiveX
installed on a web page that is accessed from a centralized manager. As
soon as the software is installed on a client, the client will regularly
send information about its file system, hardware, devices, etc through the
network to the antiviral manager."
The default OfficeScan installation grants unprivileged users permission
to manipulate the AV's configuration.
DETAILS
Vulnerable Systems:
* Trend OfficeScan Corporate Anti-Virus versions prior to 6.5
Immune Systems:
* Trend OfficeScan version 6.5
The default OfficeScan installation allows any user to stop the AV's
service, thereby effectively leaving the system open to virus attacks. The
permissions to do this and other configuration options are kept in the
system's registry. For example, in order to stop the service, the
following key can be edited:

OfficeScan installation directory (c:\officescan client):
    "Everyone:FullControl"
OfficeScan registry data
(HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp):
    "Everyone:FullControl"

A user or a virus can simply edit the registry key and completely bypass
the virus scanning mechanism. In addition, other important keys dictate
the scanning configuration, i.e. directory exclusions and file extensions
to scan (or not to scan).
Vendor Status:
The vendor was notified on 12th October 2003. A patch has been
developed which will tighten the security on the registry keys but will
stop certain functions from working properly (e.g. removes the ability for
the user to see which pattern file is installed, removes the ability to
run a manual scan on the PC). No patch has been supplied to tighten
security on the Trend installation directory. The registry patch is called
"OSCE_Hotfix_RegistryTool.zip" and is available by contacting your Trend
reseller.
Note: Beginning with version 6.5 the option to tighten security on the
registry keys is available but disabled by default. Therefore the default
policy is to give full permissions to everyone able to modify the
registry.
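The following is an added example, not part of the original advisory and not Trend's own tooling: a PowerShell audit that reads the ACLs on the installation directory and registry key named above and reports any Allow entry that gives a broad group write-level access. The function name Get-WeakAce, the choice of which groups count as unprivileged, and the set of rights treated as write-level are assumptions of this example.

```powershell
# Added example: audit the two locations named in the advisory for ACEs that
# let low-privileged principals modify them. Run on the client being checked.
$targets = @(
    'C:\officescan client',                        # install directory (from the advisory)
    'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp'    # registry key (from the advisory)
)

# Well-known SIDs treated as "unprivileged" (assumption of this example).
# Matching on SIDs avoids depending on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow changing content, configuration or the ACL itself,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits (0x10000000, 0x40000000).
$generic  = 0x50000000
$fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor $generic
$regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor $generic

function Get-WeakAce {   # hypothetical helper name
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not present on this host: $Path"
        return
    }
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        # File and registry ACEs expose their rights under different property names
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $ace.RegistryRights;   $mask = $regWrite
        } else {
            $rights = $ace.FileSystemRights; $mask = $fsWrite
        }
        if (([int]$rights -band $mask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Principal = $broadSids[$sid]; Rights = $rights; Inherited = $ace.IsInherited }
        }
    }
}

$findings = $targets | ForEach-Object { Get-WeakAce -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No broad write access found on the audited paths.' }
```

On a default installation as described in this advisory, both paths would be reported with Everyone and FullControl; an empty result after applying the registry hotfix or the version 6.5 option indicates the tightened permissions are in effect for the paths that exist.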
ADDITIONAL INFORMATION
The information has been provided by
<mailto:matt_will_fix_it@hotmail.com> Matt.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.