Bugtraq mailing list archives

DOS in Trendmicro OfficeScan

From: c3rber () CLUB-INTERNET FR (cerberus)
Date: Sat, 26 Feb 2000 19:26:46 +0100


hi,
OfficeScan is a network based anti-virus product from TrendMicro.
Every NT workstations, Win 3.x, Win 9.x over a LAN can install the
service just by using ActiveX page present onto a web-based centralized
manager ( IIS is needed for that ;) ).
As soon as the software is installed on a client, this last one ll
regularly send a lot of information about its filesystem, hardware,
devices etc...through the network to the antiviral manager. Periodicaly,
the manager will try to send database updates to all the clients using
the TCP 12345 port, thus was used by the infamous netbus.

So after a successfull install, every computer listens on this port with
an HTTP/1.0 compliant daemon.

The problem relies on a possible DOS attack over all the LAN, just by
connecting to all the 12345 open ports !
During the connection between us and the remote target, the remote used
cpu time consumed  to process the data is 100%. The user of the remote
workstation will see his machine slow as hell.
Till the connection isn't closed, remote cpu time consumed remains at
the highest level and the remote user will have all the pain to use his
computer.
Worst, after only five opened connections to OfficeScan port, daemon
will enter an unreachable state and the security officer won't be able
to upgrade any client.
He 'll have to restart the service on every workstation.

Since this kind of software is specially designed to cover an entire
network, it's possible for a malicious user to significally slow down
the company's activity.

This attack was launched from a linux station against  an NT Workstation
4.0 SP5 OfficeScan 3.13 (the most up to date version) with few lines of
shell code.
Win 3.x et 9.x clients may be vulnerables as well.

the little exploit to remotly and definitly grow up cpu-time to 100%:
#!/bin/sh
(
echo -e -n "GRow UP NOw!\n\n";
)| telnet target 12345

To remotly disable the service, just use it at least 5 times.
Because, clients are regurlaly contacting the manager to send alert and
request, it should be possible to stop the service, the necessary time
for TrendMicro to make a patch.
Please contact them for further questions.

===================
Gregory Duchemin
Network & Security Engineer.
gdn () neurocom com
===================

Current thread:

SSH & xauth Brian Caswell (Feb 24)
- Re: SSH & xauth Andrey (Feb 25)
- Re: SSH & xauth David Terrell (Feb 25)
- Re: SSH & xauth Robert Watson (Feb 25)
  - Re: SSH & xauth Lionel Cons (Feb 28)
- Re: SSH & xauth David Pybus (Feb 26)
  - Re: SSH & xauth Robert Watson (Feb 28)
  - xterm log file vulnerability Morten Welinder (Feb 29)
  - false alarms by real secure Danton Nunes (Feb 29)
  - New ZZ Posted Simple Nomad (Feb 29)
- DOS in Trendmicro OfficeScan cerberus (Feb 26)
- Re: SSH & xauth Cy Schubert - ITSD Open Systems Group (Feb 27)
- <Possible follow-ups>
- Re: SSH & xauth Oliver Friedrichs (Feb 25)
  - Re: SSH & xauth Theo de Raadt (Feb 27)
    - Re: SSH & xauth Cy Schubert - ITSD Open Systems Group (Feb 28)
    - Serv-U FTP-Server v2.4a showing real path Berk Ulsoy (Feb 28)
    - Re: SSH & xauth Robert Watson (Feb 28)
    - Re: SSH & xauth Niels Provos (Feb 28)
- Re: SSH & xauth Brian (Feb 28)
- Re: SSH & xauth Robert Watson (Feb 28)