OfficeScan is "an anti-virus client and server developed by Trend Micro". The server is mainly a set of CGIs, ActiveX controls and web pages that run on a pre-existing web server or on the included Apache installation. A vulnerability in Trend Micro's OfficeScan allows remote attackers to overflow an internal buffer used by the product, causing it to crash and possibly execute arbitrary code.
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/officescaz-adv.txt
Vulnerable Systems:
* Trend Micro OfficeScan Corporate Edition version 8.0 Patch 2 - build 1189
* Trend Micro OfficeScan Corporate Edition version 7.3 Patch 3 - build 1314
Buffer overflow in the password decryption function
Luigi first saw the so-called OfficeScan passwords almost two years ago; in short, they are just MD5 hashes of the original password with an additional layer of encryption. He was never interested in going deeper into the matter and does not know whether anything has changed since then.
Luigi wrote something incomplete about them a long time ago, in case someone is curious or wants to add something: http://aluigi.org/pwdrec/officescan_pwdmd5.txt
The function that decrypts these data is always the same one used in "any" program that needs to handle this type of password: the CGIs that read the password of the admin/user logging in to the web management console (for example cgiChkMasterPwd.exe), the PolicyServer (policyserver.exe, which receives the client's password from the cgiABLogon.exe CGI), and naturally the server itself and all the clients.
In short, the function verifies that the input password starts with the !CRYPT! string and then copies the subsequent data into a 512-byte stack buffer without checking its length, with the obvious result of a buffer overflow.
Not all versions of OfficeScan can be exploited to execute malicious code (7.3 is fully exploitable), because on some of them (like the latest 8.0) the exception handler terminates the process when it notices a stack corruption. In those cases the only effect is a Denial of Service (as happens with the PolicyServer, where current and new users can no longer use the service; although an auto-restart function exists, it does not work until the dead process is killed or the error message is acknowledged) or just a dead process that does not affect the correct usage of the services.
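As an added illustration (not Trend Micro's code, which is not public: the routines below are a reconstruction of the pattern the advisory describes), the unbounded copy after the !CRYPT! prefix check is shown beside a length-checked version. The prefix string and the 512-byte buffer are the ones named above; the function names and the constructed 'A'-filled test payload are assumptions.

```c
#include <string.h>

#define CRYPT_PREFIX "!CRYPT!"
#define CRYPT_PREFIX_LEN 7
#define CRYPT_BUF 512   /* size of the stack buffer named in the advisory */

/* Pattern the advisory describes: prefix check, then an unbounded copy of
 * the remainder into a fixed stack buffer. Kept only to contrast with the
 * fix below; never call it on untrusted input. */
int decrypt_password_unsafe(const char *input)
{
    char buf[CRYPT_BUF];
    if (strncmp(input, CRYPT_PREFIX, CRYPT_PREFIX_LEN) != 0)
        return -1;
    strcpy(buf, input + CRYPT_PREFIX_LEN);   /* no length check: overflow */
    return (int)strlen(buf);
}

/* Hardened form: the caller passes the input length, the encrypted part must
 * fit with room for a terminator, and the copy is bounded. Returns the payload
 * length, -1 for a missing prefix, -2 when the payload is too large. */
int decrypt_password_checked(const char *input, size_t input_len)
{
    char buf[CRYPT_BUF];
    size_t payload_len;
    if (input_len < CRYPT_PREFIX_LEN ||
        memcmp(input, CRYPT_PREFIX, CRYPT_PREFIX_LEN) != 0)
        return -1;
    payload_len = input_len - CRYPT_PREFIX_LEN;
    if (payload_len >= sizeof buf)
        return -2;
    memcpy(buf, input + CRYPT_PREFIX_LEN, payload_len);
    buf[payload_len] = '\0';
    /* The real routine would now undo the extra encryption and compare the
     * MD5; the advisory does not describe that step, so it is omitted. */
    return (int)payload_len;
}

/* Demonstration helper: builds "!CRYPT!" followed by n bytes of 'A' (n is
 * capped at 1024; the payload is constructed, not a real password). */
int probe_checked(size_t n)
{
    char tmp[CRYPT_PREFIX_LEN + 1024];
    if (n > 1024) n = 1024;
    memcpy(tmp, CRYPT_PREFIX, CRYPT_PREFIX_LEN);
    memset(tmp + CRYPT_PREFIX_LEN, 'A', n);
    return decrypt_password_checked(tmp, CRYPT_PREFIX_LEN + n);
}
```

The boundary is 511 payload bytes: that is the last value the checked routine accepts, and the first value at which the unchecked copy would already write past the buffer's terminator slot.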
Endless dead processes
The following vulnerability is reported here only for thoroughness and is very simple: a couple of NULL pointer dereferences in the CGI executables used by the server can be triggered to create endless dead processes on the server, causing a possible Denial of Service after many of them.
These NULL pointer dereferences are caused by two factors: the lack of the Content-Length field in the HTTP request and the use of invalid character sequences in the CGI parameters (both have been tested on the included Apache server).
Exploits:
A list of triggering packets can be downloaded from: http://aluigi.org/poc/officescaz.zip
nc SERVER 8080 -v -v < officescaz1.txt
nc SERVER 8080 -v -v < officescaz2.txt
nc SERVER 8080 -v -v < officescaz3.txt
nc SERVER 8080 -v -v < officescaz4.txt