Bugtraq mailing list archives
OfficeScan TrendMicro: admin for everybody !
From: gdn () NEUROCOM COM (Gregory Duchemin)
Date: Thu, 16 Mar 2000 14:30:59 +0100
Hi,

We have recently discussed the numerous security holes present in OfficeScan clients installed all over the LAN, so now let's talk a bit about the server-side security.

The web-based manager features are, in fact, a bunch of CGIs that are requested by the LAN admin through an IIS web server. All of these CGIs are stored in the ofcscan/Web/Cgi directory. Please verify first that everybody doesn't have the rights to modify these files, otherwise you may get into big trouble ;)

In a normal way of use, the admin, with his browser, asks for the URL http://officescan-admin-server/officescan/ and then receives an HTML-based authentication form requiring an admin password to go into the main menu. This looks quite usual, but NOT really!... Look at this now:

1- There is no encryption: the password is sent in plain text on the wire. Every LAN user may sniff this password and use it like the admin does, even in a switched environment (with a little ARP game). There is a race condition, for switched networks, between the authentication form request and the real submission of this form. Any average-skilled user may be able to mount a web server on his own workstation and spoof the MAC address of the actual OfficeScan web server to catch the POST when the OfficeScan admin is logging in. The interesting HTTP field is: TMLogon=password

2- In fact, there is a much more serious problem in the web-based security architecture. A malicious user inside the corporate network doesn't need any admin password to remotely manage all the clients. Because there is no session concept in the web-based OfficeScan server, anybody is able to directly ask for any CGI that is normally used only after authentication. One very important one is called jdkRqNotify.exe; it takes two arguments, domain=your_domain and event=code. No session ID, no security mechanism... just lame!
This is an example in a virtual NT domain named "T4rget":

http://web-based-server/officescan/cgi/jdkRqNotify.exe?domain=T4rget&event=12

event=12 means uninstallation of any remote workstation's antivirus! After submission of this URL, our hacker gets an HTML form asking him for a machine name to uninstall. This method is a bit simpler than the others I described in my last posts.

There are numerous event codes; these are a few of them:

11: scan now
12: uninstall
14: roll back
15: New alert message
16: New Intranet Proxy
17: New privilege
18: New protocol
19: New password
20: New client
etc...

Some of these event codes need some previous actions to be completed. This is the case for New alert message, which needs a call to cgimsgalert.exe, used to modify the plain text message, before notifying it to all clients. Our malicious user can customize this message for everybody according to his mood ;)

1- http://web-based-server/officescan/cgi/cgimsgalert.exe -----> HTML form with textarea for message
2- The hacker submits the form.
3- http://web-based-server/officescan/cgi/jdkRqNotify.exe?domain=T4rget&event=15
4- The hacker chooses to notify every network client, and especially the CEO's one.
5- When infected, machines will display the hacker's personal message on the screen.

Among other good things, the hacker will be able to change the proxy configuration to catch new file signatures, the password on the clients, privileges for the clients, etc...

Solutions:

One more time, stopping the TMListen.exe process may be the only correct temporary solution until TrendMicro patches all these holes. They may use data encryption between clients, web-based server and admin workstation. But that's not enough; they may use a session ID concept for CGI access too.

Regards,

==============================
Gregory Duchemin
Network and security engineer
http://www.securite-internet.com
NEUROCOM
==============================
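Because the server performs no session check, the IIS access log is the only place where a direct call to one of these CGIs leaves a trace. The following is an added example (editor's code, not part of the post and not TrendMicro's software) that reads an IIS W3C extended log and flags management-CGI requests coming from anything other than a known admin workstation, plus high-impact event codes even when they come from an admin. The log lines, the `10.0.0.x` addresses and the admin allow-list are constructed; the CGI names and event codes are those quoted in the post.

```python
"""Flag direct calls to OfficeScan management CGIs in an IIS W3C log.

Added example, not part of the original post and not TrendMicro code.
Assumes IIS W3C extended logging with a '#Fields:' header, the
/officescan/cgi/ path quoted in the post, and a constructed allow-list of
admin workstation addresses.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Event codes quoted in the post (jdkRqNotify.exe?domain=...&event=N).
EVENT_NAMES = {
    "11": "scan now", "12": "uninstall", "14": "roll back",
    "15": "new alert message", "16": "new intranet proxy",
    "17": "new privilege", "18": "new protocol", "19": "new password",
    "20": "new client",
}
# Events that remove protection or change client configuration: worth a
# second look even when they come from an admin workstation.
HIGH_IMPACT = {"12", "16", "17", "19"}

# Assumption: administration only ever happens from these addresses.
ADMIN_WORKSTATIONS = {"10.0.0.5"}

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-03-16 13:02:11 10.0.0.5 GET /officescan/ - 200
2000-03-16 13:05:40 10.0.0.5 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=11 200
2000-03-16 13:41:02 10.0.0.77 GET /officescan/cgi/cgimsgalert.exe - 200
2000-03-16 13:41:30 10.0.0.77 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=15 200
2000-03-16 13:44:09 10.0.0.77 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=12 200
2000-03-16 13:50:00 10.0.0.5 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=19 200
"""


@dataclass
class Finding:
    client_ip: str
    cgi: str
    event: Optional[str]
    reason: str


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per request line, keyed by the '#Fields:' names."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Return findings for management-CGI requests that deserve attention."""
    findings = []
    for rec in parse_w3c(lines):
        raw_stem = rec.get("cs-uri-stem", "")
        if not raw_stem.lower().startswith("/officescan/cgi/"):
            continue
        cgi = raw_stem.rsplit("/", 1)[-1]
        match = re.search(r"(?:^|&)event=(\d+)", rec.get("cs-uri-query", "-"))
        event = match.group(1) if match else None
        ip = rec.get("c-ip", "?")
        if ip not in ADMIN_WORKSTATIONS:
            # With no session check on the server, any such hit is an
            # unauthenticated management action.
            findings.append(Finding(ip, cgi, event, "management CGI called from non-admin host"))
        elif event in HIGH_IMPACT:
            findings.append(Finding(ip, cgi, event, f"high-impact event: {EVENT_NAMES[event]}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.client_ip:<10} {f.cgi:<18} event={f.event or '-':<3} {f.reason}")
```

On the constructed log this reports the three calls from 10.0.0.77 (the message edit, the alert notification and the uninstall) and the admin's own event 19 (new password), while the admin's routine "scan now" is left alone. On a real server the allow-list is the part to get right; the rest is just the W3C field order, which the `#Fields:` header supplies.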
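The fix the post asks for, a session ID that every CGI checks before doing anything, is small to implement. The following is an added illustration (editor's code, not the post's and not TrendMicro's) of such a gate in front of the CGI paths quoted above: a token issued only after the logon form has verified the admin password, bound to the user and an expiry with an HMAC, and required on every `/officescan/cgi/` request. The cookie name `OSCSESSION`, the server secret, the 15-minute lifetime and the `handle_request` front-end are assumptions; the event codes are those listed in the post.

```python
"""Session-gated access to the management CGIs.

Added illustration of the 'session ID concept for CGI access' the post asks
for; not TrendMicro code. Assumes a server-side secret generated at start-up,
a cookie named OSCSESSION (hypothetical name) and the event codes quoted in
the post.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)  # never leaves the server
SESSION_TTL = 15 * 60                    # seconds; assumption

# Event codes quoted in the post.
KNOWN_EVENTS = {"11", "12", "14", "15", "16", "17", "18", "19", "20"}


def issue_session(admin_user: str, now: Optional[float] = None) -> str:
    """Create a token after the logon form has verified the admin password.

    Token layout: user.expiry.hmac_sha256(user.expiry). The MAC covers both
    fields, so neither the user nor the expiry can be altered by the client.
    """
    now = time.time() if now is None else now
    payload = f"{admin_user}.{int(now + SESSION_TTL)}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def validate_session(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Return the admin user for a genuine, unexpired token; otherwise None."""
    now = time.time() if now is None else now
    if not token:
        return None
    parts = token.rsplit(".", 2)  # user may itself contain dots
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, expiry, sig = parts
    expected = hmac.new(SERVER_SECRET, f"{user}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if int(expiry) < now:
        return None
    return user


def handle_request(path: str, query: str, cookies: Dict[str, str],
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Front every /officescan/cgi/ path with the session check.

    Returns an (HTTP status, body) pair; the real CGI would run only after a
    200 decision here, so jdkRqNotify.exe can no longer be called directly.
    """
    if not path.lower().startswith("/officescan/cgi/"):
        return 404, "not found"
    user = validate_session(cookies.get("OSCSESSION"), now)
    if user is None:
        return 403, "authentication required"  # the check the post found missing
    if path.endswith("/jdkRqNotify.exe"):
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        event = params.get("event")
        if event not in KNOWN_EVENTS:
            return 400, "unknown event"
        return 200, f"{user}: event {event} queued for domain {params.get('domain', '?')}"
    return 200, f"{user}: {path} permitted"


if __name__ == "__main__":
    tok = issue_session("admin")
    print(handle_request("/officescan/cgi/jdkRqNotify.exe", "domain=T4rget&event=12", {}))
    print(handle_request("/officescan/cgi/jdkRqNotify.exe", "domain=T4rget&event=12", {"OSCSESSION": tok}))
```

Without the cookie the uninstall request is refused with 403; a token whose expiry or signature has been edited fails the HMAC check, and an expired one is rejected even though its signature is genuine. As the post also says, this is only half the fix: the cookie travels over the same wire as the TMLogon password, so it must only be sent over an encrypted channel or it can be sniffed just as easily.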
Current thread:
- FW: [NTBUGTRAQ] AT Jobs - Denial of serice/Privilege Elevation DeAvillez, Carlos (Mar 14)
- Malicious-HTML vulnerabilities at deja.com Niall Smart (Mar 15)
- Re: Malicious-HTML vulnerabilities at deja.com Geert Altena (Mar 17)
- Re: FW: [NTBUGTRAQ] AT Jobs - Denial of serice/Privilege Elevation Andy Caus (Mar 16)
- Re: FW: [NTBUGTRAQ] AT Jobs - Denial of serice/Privilege Elevation Daniel Harter (Mar 17)
- OfficeScan TrendMicro: admin for everybody ! Gregory Duchemin (Mar 16)
- Analysis of the Shaft distributed denial of service tool Sven Dietrich (Mar 16)
- Re: Analysis of the Shaft distributed denial of service tool Max Vision (Mar 17)
- Malicious-HTML vulnerabilities at deja.com Niall Smart (Mar 15)