Bugtraq mailing list archives

TrendMicro OfficeScan tmlisten.exe DoS


From: JStevens () UMEME MAINE EDU (Jeff Stevens)
Date: Fri, 25 Feb 2000 17:10:17 -0500


While playing around with nmap I managed to pull down a bunch of our NT
workstations running OfficeScan.  This could potentially be used as a DoS
attack to bring down any NT machine running OfficeScan.  I used the
following command where machine.domain.com is a Windows NT machine running
either SP 4 or 5 or a Win2k RC3 box.

nmap -sT -O -p 12345 machine.domain.com

One of three things can happen:

        (1)     Nothing -- rare but it does happen.
        (2)     The machine slows to a halt as tmlisten.exe pulls 100% CPU.
        (3)     Visual C++ error as tmlisten.exe crashes.

OfficeScan 3.5, scan engine 5.100 and pattern file 663 are running on the
target machine.  (all current)

I can also make the process dump with a Visual C++ error if I send a bunch
of data via telnet.

Upon contacting Trend via phone, they said they were aware of a similar
problem with earlier versions but version 3.5 has been fixed.  They are
looking into it.

Curious if anyone else can recreate this?  Or give me a set of addresses and
I'll see if I can!  :^)

Jeff Stevens
Network Administrator
Civil/Mechanical Engineering
5711 Boardman Hall, Room 17
Orono, ME 04469
(207) 581-2140

