Full Disclosure mailing list archives
Re: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability
From: "Elazar Broad" <elazar () hushmail com>
Date: Tue, 29 Jul 2008 11:09:50 -0400
On Mon, 28 Jul 2008 13:14:37 -0400 Elazar Broad <elazar () hushmail com> wrote:
Who: Trend Micro http://www.trendmicro.com What: OfficeScan 7.3 build 1343(Patch 4) and older http://www.trendmicro.com/download/product.asp?productid=5 How: OfficeScan's Web Console utilizes several ActiveX controls when deploying the product through the web interface. One of these controls, objRemoveCtrl, is vulnerable to a stack-based buffer overflow when embedded in a webpage. The one caveat to this issue is that the control must be embedded in such a way that it CAN be visible, i.e. obj = new ActiveXObject() will not work. The issue lies in the code that is used to display certain properties and their values on the control when it is embedded in a page. OfficeScanRemoveCtrl.dll, version 7.3.0.1020 {5EFE8CB1-D095-11D1-88FC-0080C859833B} Commonly located: systemdrive\Windows\Downloaded Program Files CAB location on server: officescan install path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab The following properties are vulnerable: HttpBased LatestPatternServer LatestPatternURL LocalServerPort MasterDirectory MoreFiles PatternFilename ProxyLogin ProxyPassword ProxyPort ProxyServer RegistryINIFilename Server ServerIniFile ServerPort ServerSubDir ServiceDisplayName ServiceFilename ServiceName ShellExtensionFilename ShortcutFileList ShortcutNameList UninstallPassword UnloadPassword UseProxy Workaround: Set the killbit for the affected control. See http://support.microsoft.com/KB/240797 Fix: As stated below, reportedly there are patches for this issue, however, I have been able to exploit this issue in a test environment running OfficeScan 7.3 patch 4(latest available patch). Timeline: 06/27/2008 -> Vulnerability discovered and reported to iDefense 07/02/2008 <- Request for further information 07/16/2008 <- iDefense states that patches exist which resolve this issue 07/16/2008 -> Request clarification regarding which patches resolve this issue. No response 07/20/2008 -> Follow up regarding patches. No response 07/28/2008 - Disclosure
Another possible fix for this is to copy the RemoveCtrl.cab from 8.0(you can download it from here http://www.trendmicro.com/download/product.asp?productid=5, as stated above, 8.x is not vulnerable since the control uses *_s functions as opposed to the standard C functions). The 8.0 critical patch B1242 has a copy of this CAB so you don't need to download the entire 8.0 package, and replace the one located in the ClientInstall folder on the OfficeScan server. I have not tested to see if this breaks web deployment or not. -- Get great prices on a huge selection of brand name silk ties. Click now! http://tagline.hushmail.com/fc/Ioyw6h4c1tQMG4FLeNJMaojFoAHna7mAn0iAWWKYagfAe4eOcH0JL6/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability Elazar Broad (Jul 29)