Re: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability

["Elazar Broad" <elazar () hushmail com>]

On Mon, 28 Jul 2008 13:14:37 -0400 Elazar Broad 
<elazar () hushmail com> wrote:
> Who:
> Trend Micro
> http://www.trendmicro.com
>
> What:
> OfficeScan 7.3 build 1343(Patch 4) and older
> http://www.trendmicro.com/download/product.asp?productid=5
>
> How:
> OfficeScan's Web Console utilizes several ActiveX controls when
> deploying the product through the web interface. One of these
> controls, objRemoveCtrl, is vulnerable to a stack-based buffer
> overflow when embedded in a webpage. The one caveat to this issue
> is that the control must be embedded in such a way that it CAN be
> visible, i.e. obj = new ActiveXObject() will not work. The issue
> lies in the code that is used to display certain properties and
> their values on the control when it is embedded in a page.
>
> OfficeScanRemoveCtrl.dll, version 7.3.0.1020
> {5EFE8CB1-D095-11D1-88FC-0080C859833B}
> Commonly located: systemdrive\Windows\Downloaded Program Files
> CAB location on server: officescan install
> path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab
>
>
> The following properties are vulnerable:
>
> HttpBased
> LatestPatternServer
> LatestPatternURL
> LocalServerPort
> MasterDirectory
> MoreFiles
> PatternFilename
> ProxyLogin
> ProxyPassword
> ProxyPort
> ProxyServer
> RegistryINIFilename
> Server
> ServerIniFile
> ServerPort
> ServerSubDir
> ServiceDisplayName
> ServiceFilename
> ServiceName
> ShellExtensionFilename
> ShortcutFileList
> ShortcutNameList
> UninstallPassword
> UnloadPassword
> UseProxy
>
> Workaround:
> Set the killbit for the affected control. See
> http://support.microsoft.com/KB/240797
>
> Fix:
> As stated below, reportedly there are patches for this issue,
> however, I have been able to exploit this issue in a test
> environment running OfficeScan 7.3 patch 4(latest available 
> patch).
>
> Timeline:
> 06/27/2008 -> Vulnerability discovered and reported to iDefense
> 07/02/2008 <- Request for further information
> 07/16/2008 <- iDefense states that patches exist which resolve 
> this
> issue
> 07/16/2008 -> Request clarification regarding which patches 
> resolve
> this issue. No response
> 07/20/2008 -> Follow up regarding patches. No response
> 07/28/2008 - Disclosure

Another possible fix for this is to copy the RemoveCtrl.cab from 
8.0(you can download it from here 
http://www.trendmicro.com/download/product.asp?productid=5, as 
stated above, 8.x is not vulnerable since the control uses *_s 
functions as opposed to the standard C functions). The 8.0 critical 
patch B1242 has a copy of this CAB so you don't need to download 
the entire 8.0 package, and replace the one located in the 
ClientInstall folder on the OfficeScan server. I have not tested to 
see if this breaks web deployment or not.  

--
Get great prices on a huge selection of brand name silk ties. Click now!
http://tagline.hushmail.com/fc/Ioyw6h4c1tQMG4FLeNJMaojFoAHna7mAn0iAWWKYagfAe4eOcH0JL6/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/