Bugtraq mailing list archives

OfficeScan TrendMicro: admin for everybody!


From: gdn () NEUROCOM COM (Gregory Duchemin)
Date: Thu, 16 Mar 2000 14:30:59 +0100


hi,

We have recently discussed the numerous security holes present in
OfficeScan clients installed all over the LAN, so now let's talk a bit
about server-side security.

The web-based manager features are, in fact, a bunch of CGIs that are
requested by the LAN admin through an IIS web server.
All of these CGIs are stored in the ofcscan/Web/Cgi directory.
Please verify first that not everybody has the rights to modify
these files, otherwise you may get into big trouble ;)

In normal use, the admin, with his browser, requests the URL
http://officescan-admin-server/officescan/ and then receives an HTML-based
authentication form requiring an admin password to get into the
main menu.
This looks quite usual, but NOT really!... look at this now:

1- There is no encryption: the password is sent in plain text
over the wire.

Any LAN user may sniff this password and use it like the admin does,
even in a switched environment (with a little ARP game).
On switched networks, there is a race condition between the
authentication form request and the real submission of this form.
Any averagely skilled user may be able to set up a web server on his own
workstation and spoof the MAC address of the actual OfficeScan web server
to catch the POST when the OfficeScan admin is logging in.
The interesting HTTP field is: TMLogon=password

2- In fact, there is a much more serious problem in the web-based
security architecture.

A malicious user inside the corporate network doesn't need any
admin password to remotely manage all the clients.
Because there is no session concept in the web-based OfficeScan server,
anybody is able to directly request any CGI that is normally used only
after authentication.
One very important one is called jdkRqNotify.exe; it takes two
arguments, domain=your_domain and event=code, with no session ID and no
security mechanism... just lame!
Here is an example in a virtual NT domain named "T4rget":

http://web-based-server/officescan/cgi/jdkRqNotify.exe?domain=T4rget&event=12

event=12 means uninstallation of the antivirus on any remote workstation!
After submitting this URL, our hacker gets an HTML form asking him
for a machine name to uninstall.
This method is a bit simpler than the others I described in my last posts.

There are numerous event codes; these are a few of them:

11: scan now
12: uninstall
14: roll back
15: New alert message
16: New Intranet Proxy
17: New privilege
18: New protocol
19: New password
20: New client

etc...

Some of these event codes need some previous actions to be completed.
This is the case for New alert message, which needs a call to
cgimsgalert.exe, used to modify the plain-text message, before notifying
all clients of it.
Our malicious user can customize this message for everybody according
to his mood ;)

1- http://web-based-server/officescan/cgi/cgimsgalert.exe  -----> HTML
form with a textarea for the message
2- The hacker submits the form
3-
http://web-based-server/officescan/cgi/jdkRqNotify.exe?domain=T4rget&event=15

4- The hacker chooses to notify every network client, and especially the
CEO's
5- When infected, machines will display the hacker's personal message
on the screen.

Among other good things, the hacker will be able to change the proxy
configuration used to fetch new file signatures, the password on the
clients, the privileges of the clients, etc.

Solutions:

Once more, stopping the TMListen.exe process may be the only correct
temporary solution until Trend Micro patches all these holes.
They could use data encryption between clients, the web-based server and
the admin workstation. But that's not enough; they could use a session ID
concept for CGI access too.

regards,

==============================
Gregory Duchemin

Network and security engineer
http://www.securite-internet.com

NEUROCOM
==============================
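The two problems the post describes (the TMLogon password crossing the wire in clear text, and management CGIs that answer without any prior login) can both be checked from captured traffic and from the IIS logs of the OfficeScan web server. The script below is an added example and is not part of the post above nor of any Trend Micro code. It assumes that the login form POSTs back to /officescan/ (the post does not say where the form is submitted) and it uses the client IP address as a stand-in for the session the server does not have; the HTTP capture and the W3C log lines are constructed for the example.

```python
"""Added example: audit OfficeScan web-manager traffic for the two issues
described in the post.  Not from the post or from Trend Micro.

  extract_tmlogon()    - pulls the TMLogon field out of a captured login POST
                         (the plaintext password, point 1 of the post);
  audit_cgi_requests() - runs over IIS W3C log lines and flags management-CGI
                         calls not preceded by a login POST from the same
                         client address (the missing session, point 2).
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Event codes for jdkRqNotify.exe?domain=...&event=N, as listed in the post.
EVENT_CODES = {
    11: "scan now", 12: "uninstall", 14: "roll back", 15: "new alert message",
    16: "new intranet proxy", 17: "new privilege", 18: "new protocol",
    19: "new password", 20: "new client",
}

CGI_PREFIX = "/officescan/cgi/"
LOGIN_PATH = "/officescan/"   # assumption: the login form POSTs back to this path


def extract_tmlogon(raw_request: bytes) -> Optional[str]:
    """Return the TMLogon value from a captured OfficeScan login POST.

    Since the form travels unencrypted, this is all a sniffer on the LAN
    has to do.  Returns None if the request is not such a POST.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2 or parts[0] != "POST":
        return None
    if not urlparse(parts[1]).path.startswith("/officescan/"):
        return None
    values = parse_qs(body.decode("latin-1")).get("TMLogon")
    return values[0] if values else None


def parse_iis_line(line: str) -> Optional[dict]:
    """Parse one W3C extended log line with the fields
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    keys = ("date", "time", "c_ip", "method", "stem", "query", "status")
    return dict(zip(keys, parts))


def audit_cgi_requests(lines):
    """Return one finding per management-CGI request, marking whether the
    same client address had POSTed a login earlier in the log.

    Using c-ip as the "session" is an assumption of this example (and a weak
    one on a LAN where addresses can be spoofed); the server itself keeps no
    session at all, which is the point of the post.
    """
    logged_in = set()
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["stem"] == LOGIN_PATH:
            logged_in.add(rec["c_ip"])
            continue
        if not rec["stem"].startswith(CGI_PREFIX):
            continue
        query = {} if rec["query"] == "-" else parse_qs(rec["query"])
        event = None
        if "event" in query and query["event"][0].isdigit():
            event = int(query["event"][0])
        findings.append({
            "c_ip": rec["c_ip"],
            "cgi": rec["stem"][len(CGI_PREFIX):],
            "domain": query.get("domain", [None])[0],
            "event": event,
            "action": EVENT_CODES.get(event, "unknown") if event is not None else None,
            "authenticated": rec["c_ip"] in logged_in,
        })
    return findings


# Constructed sample data (not a real capture or log).
SAMPLE_POST = (
    b"POST /officescan/ HTTP/1.0\r\n"
    b"Host: officescan-admin-server\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"TMLogon=s3cret%21"
)

SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-03-16 14:02:11 10.0.0.5 GET /officescan/ - 200
2000-03-16 14:02:19 10.0.0.5 POST /officescan/ - 200
2000-03-16 14:02:40 10.0.0.5 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=11 200
2000-03-16 14:10:03 10.0.0.77 GET /officescan/cgi/cgimsgalert.exe - 200
2000-03-16 14:10:35 10.0.0.77 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=15 200
2000-03-16 14:11:02 10.0.0.77 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=12 200
""".splitlines()

if __name__ == "__main__":
    print("sniffed admin password:", extract_tmlogon(SAMPLE_POST))
    for f in audit_cgi_requests(SAMPLE_LOG):
        flag = "ok             " if f["authenticated"] else "UNAUTHENTICATED"
        print(f"{flag} {f['c_ip']:<10} {f['cgi']} domain={f['domain']} "
              f"event={f['event']} ({f['action']})")
```

Run against the constructed log, the first jdkRqNotify.exe call (from 10.0.0.5, after a login POST) is marked authenticated, while the cgimsgalert.exe call and the event=15 / event=12 calls from 10.0.0.77, which never logged in, are flagged; this is exactly the "new alert message, then uninstall" sequence the post walks through. On a real server the check is only a detective control; as the post says, the fix has to come from the vendor in the form of encryption and a session mechanism in front of the CGIs.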

