[NT] Trend Micro OfficeScan Corporate Edition Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Trend Micro OfficeScan Corporate Edition Buffer Overflow
------------------------------------------------------------------------


SUMMARY


OfficeScan (<http://us.trendmicro.com/us/products/enterprise/officescan-client-server-edition/>) is "an anti-virus client and server developed by Trend Micro". The server is mainly a set of CGIs, ActiveX controls and web pages that run on a pre-existing web server or on the included Apache installation. A vulnerability in Trend Micro's OfficeScan allows remote attackers to overflow an internal buffer used by the product, causing it to crash and possibly execute arbitrary code.

DETAILS

Vulnerable Systems:
* Trend Micro OfficeScan Corporate Edition version 8.0 Patch 2 - build 1189
* Trend Micro OfficeScan Corporate Edition version 7.3 Patch 3 - build 1314

Buffer overflow in the password decryption function
The first time Luigi saw the so-called OfficeScan passwords was almost two
years ago; in short, they are just MD5 hashes of the original password plus
an additional layer of encryption, but he was never interested in going
deeper into the matter and does not know whether anything has changed since
then.

Luigi wrote some incomplete notes about them a long time ago, in case
someone is curious or wants to add something:
http://aluigi.org/pwdrec/officescan_pwdmd5.txt

The function that decrypts this data is always the same one used in every
program that needs to handle this type of password: the CGIs that read the
password of the admin/user who wants to log in to the web management
interface (for example cgiChkMasterPwd.exe), the PolicyServer
(policyserver.exe, which receives the client's password from the
cgiABLogon.exe CGI) and naturally the server itself and all the clients.

In short, the function verifies that the input password starts with the
!CRYPT! string and then copies the subsequent data into a 512-byte stack
buffer without checking its length, with the obvious result of a buffer
overflow.
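The following is an added example (not Trend Micro's code) showing the check the advisory describes in a hardened form: the "!CRYPT!" prefix and the 512-byte buffer come from the advisory, while the function names, return codes and constructed test inputs are assumptions.

```c
#include <string.h>
#include <stddef.h>
/* Added example, not Trend Micro code: the "!CRYPT!" prefix and the 512-byte
 * stack buffer come from the advisory; names and return codes are assumptions. */
#define CRYPT_PREFIX   "!CRYPT!"
#define CRYPT_BUF_SIZE 512

enum crypt_status { CRYPT_OK = 0, CRYPT_NO_PREFIX, CRYPT_TOO_LONG, CRYPT_BAD_ARG };

/* Hardened form of the check the advisory describes.  The vulnerable original
 * verified the prefix, then copied everything after it into a 512-byte stack
 * buffer with no length check; here the copy only happens if it fits. */
enum crypt_status extract_crypt_payload(const char *input, char *out, size_t outlen)
{
    size_t prefix_len = strlen(CRYPT_PREFIX);
    const char *payload;
    size_t payload_len = 0;

    if (input == NULL || out == NULL || outlen == 0)
        return CRYPT_BAD_ARG;
    if (strncmp(input, CRYPT_PREFIX, prefix_len) != 0)
        return CRYPT_NO_PREFIX;

    /* Bounded scan: never look further than outlen bytes into the payload. */
    payload = input + prefix_len;
    while (payload_len < outlen && payload[payload_len] != '\0')
        payload_len++;
    if (payload_len >= outlen)          /* no room left for the NUL terminator */
        return CRYPT_TOO_LONG;

    memcpy(out, payload, payload_len);
    out[payload_len] = '\0';
    return CRYPT_OK;
}

/* Runs the parser against a 512-byte buffer, like the one in the advisory. */
int check_password(const char *input)
{
    char buf[CRYPT_BUF_SIZE];
    return (int)extract_crypt_payload(input, buf, sizeof(buf));
}

/* Constructs "!CRYPT!" followed by n 'A' bytes (test input) and checks it. */
int check_password_of_len(size_t n)
{
    char big[CRYPT_BUF_SIZE + 256];
    size_t plen = strlen(CRYPT_PREFIX);
    if (n + plen >= sizeof(big)) return CRYPT_BAD_ARG;
    memcpy(big, CRYPT_PREFIX, plen);
    memset(big + plen, 'A', n);
    big[plen + n] = '\0';
    return check_password(big);
}
```

A payload of 511 bytes is the longest that fits with its terminator; anything longer is rejected instead of overrunning the buffer.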

Not all versions of OfficeScan can be exploited to execute malicious code
(7.3 is fully exploitable), because on some of them (such as the latest 8.0)
the exception handler terminates the process if it notices stack corruption.
In those cases the only effect is a Denial of Service: with the PolicyServer,
current and new users can no longer use the service, and although an
auto-restart function exists it does not work until the dead process is
killed or the error message is acknowledged; with the other components the
result is just a dead process that does not affect the correct operation of
the services.

Endless dead processes
The following vulnerability is reported here only for thoroughness and is
very simple: a couple of NULL pointer dereferences in the CGI executables
used by the server can be triggered to create an endless number of dead
processes on the server, which after many of them leads to a possible Denial
of Service.

These NULL pointer dereferences are caused by two factors: the absence of the
Content-Length field in the HTTP request, and the use of invalid character
sequences in the CGI parameters (both were tested on the included Apache
server).

Exploits:
A list of triggering packets can be downloaded from:
http://aluigi.org/poc/officescaz.zip
nc SERVER 8080 -v -v < officescaz1.txt
nc SERVER 8080 -v -v < officescaz2.txt
nc SERVER 8080 -v -v < officescaz3.txt
nc SERVER 8080 -v -v < officescaz4.txt


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma
(aluigi@xxxxxxxxxxxxx).
The original article can be found at:
http://aluigi.altervista.org/adv/officescaz-adv.txt



