Re: TrendMicro OfficeScan tmlisten.exe DoS

[Heiko.Herold () PREVINET IT (Herold Heiko)]

Does happen here, too. Same situation (version), just a simple telnet
with random data (a few bytes) is enough to crash the service.
Tmlisten.exe does crash usually when the telnet connection is closed, not
when you send the data.
Did test with NTws machines only.
Heiko

-- PREVINET S.p.A.            Heiko.Herold () previnet it
-- Via Marocchesa, 14         ph  x39-041-5494228
-- I-31021 Mogliano V.to (TV) fax x39-041-5492263
-- ITALY

> -----Original Message-----
> From: Jeff Stevens [SMTP:JStevens () UMEME MAINE EDU]
> Sent: Friday, February 25, 2000 11:10 PM
> To:   BUGTRAQ () SECURITYFOCUS COM
> Subject:      TrendMicro OfficeScan tmlisten.exe DoS
>
> While playing around with nmap I managed to pull down a bunch of our NT
> workstations running OfficeScan.  This could potentially be used as a
> DoS
> attack to bring down any NT machine running OfficeScan.  I used the
> following command where machine.domain.com is a Windows NT machine
> running
> either SP 4 or 5 or a Win2k RC3 box.
>
> nmap -sT -O -p 12345 machine.domain.com
>
> One of three things can happen:
>
>       (1)     Nothing -- rare but it does happen.
>       (2)     The machine slows to a halt as tmlisten.exe pulls 100%
> CPU.
>       (3)     Visual C++ error as tmlisten.exe crashes.
>
> OfficeScan 3.5, scan engine 5.100 and pattern file 663 are running on
> the
> target machine.  (all current)
>
> I can also make the process dump with a Visual C++ error if I send a
> bunch
> of data via telnet.
>
> Upon contacting Trend via phone, they said they were aware of a similar
> problem with earlier versions but version 3.5 has been fixed.  They are
> looking into it.
>
> Curious if anyone else can recreate this?  Or give me a set of
> addresses and
> I'll see if I can!  :^)
>
> Jeff Stevens
> Network Administrator
> Civil/Mechanical Engineering
> 5711 Boardman Hall, Room 17
> Orono, ME 04469
> (207) 581-2140