Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Buffer-overflow in the passwords handling of Trend Mic

from [Luigi Auriemma] Network Security [Permanent Link]
Subject: [Full-disclosure] Buffer-overflow in the passwords handling of Trend Micro OfficeScan 8.0 and possibly other products
Date: Wed, 27 Feb 2008 20:30:19 +0100 

#######################################################################

                             Luigi Auriemma

Application:  Trend Micro OfficeScan Corporate Edition
              
http://us.trendmicro.com/us/products/enterprise/officescan-client-server-edition/
              other Trend Micro products could be affected by this
              vulnerability since it's located in a function used to
              decrypt a specific type of passwords used by this vendor
Versions:     <= v8.0 Patch 2 - build 1189
              <= v7.3 Patch 3 - build 1314
Platforms:    Windows
Bugs:         A] buffer-overflow in the decryption function of the
                 passwords
              B] endless dead processes
Exploitation: remote
              (no tests have been performed to check for a possible
              local exploiting of the vulnerability on the clients
              machines for killing the antivirus or the monitor
              processes or escalating privileges)
Date:         27 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


OfficeScan is an anti-virus client and server developed by Trend Micro.
The server is mainly a set of CGIs, ActiveX and web pages which run on
a pre-existent web server or on the included Apache installation.

As already written in the header of this advisory the vulnerability
could affect other products too.


#######################################################################

=======
2) Bugs
=======

--------------------------------------------------------------
A] buffer-overflow in the decryption function of the passwords
--------------------------------------------------------------

The first time I saw the so called OfficeScan's passwords was almost
two years ago and in short they are just MD5 hashes of the original
password plus an additional encryption, but I was never interested to
go deeper in the matter and I don't know if something has been changed
from that time.
I wrote something incomplete about them a lot of time ago in case
someone is curious or want to add something:
http://aluigi.org/pwdrec/officescan_pwdmd5.txt

The function for decrypting these data is ever the same one used in
"any" program that needs to handle this type of passwords, so the CGIs
which read the password of the admin/user who wants to log in the web
management (for example cgiChkMasterPwd.exe), the PolicyServer
(policyserver.exe which receives the client's password from the
cgiABLogon.exe CGI) and naturally the same server and all the clients.

In short the function verifies that the input password starts with the
!CRYPT! string and then copies the subsequent data in a stack buffer of
512 bytes without verifying its correct length with the obvious result
of a buffer-overflow.

Not all the versions of OfficeScan can be exploited for executing
malicious code (7.3 is fully exploitable) because on some of them (like
the latest 8.0) the exception handler terminates the process if notices
a stack corruption and so in these cases the only effect can be a
Denial of Service (like what happens with the PolicyServer where current
and new users can no longer use the service, in fact although exists the
auto-restarting function it will not work until the dead process is not
killed or the error message acknowledged) or just a dead process which
will not affect the correct usage of the services.


-------------------------
B] endless dead processes
-------------------------

The following vulnerability is reported here only for thoroughness and
is very simple: a couple of NULL pointer vulnerabilities in the CGI
executables used by the server can be exploited to create endless dead
processes on the server causing a possible Denial of Service after many
of them.

These NULL pointers are caused by two factors: the lack of the
Content-Length field in the HTTP request and the usage of invalid
sequences of chars in the CGIs parameters (both of them have been
tested on the included Apache server).


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/officescaz.zip

  nc SERVER 8080 -v -v < officescaz1.txt
  nc SERVER 8080 -v -v < officescaz2.txt
  nc SERVER 8080 -v -v < officescaz3.txt
  nc SERVER 8080 -v -v < officescaz4.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Buffer-overflow in the passwords handling of Trend Micro OfficeScan 8.0 and possibly other products, Luigi Auriemma <=
Previous by Date:  [Full-disclosure] [SECURITY] [DSA 1510-1] New ghostscript packages fix arbitrary code execution, Thijs Kinkhorst
Next by Date:  [Full-disclosure] CORE-2008-0130: VLC media player chunk context validation error, Core Security Technologies Advisories
Previous by Thread:  [Full-disclosure] [SECURITY] [DSA 1510-1] New ghostscript packages fix arbitrary code execution, Thijs Kinkhorst
Next by Thread:  [Full-disclosure] CORE-2008-0130: VLC media player chunk context validation error, Core Security Technologies Advisories
Indexes:  [Date] [Thread] [Top] [All Lists]