Bugtraq mailing list archives
Re: Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack
From: shadown <shadown () gmail com>
Date: Fri, 14 Jan 2005 13:04:00 -0300
Hi, If it doesn't have a client application cert, indeed it's a vulnerability. If someone arppoison (well any MiM techniques that could redirect the traffic to pass through you) could portredirect and handle the ssl connection. And sniff it son it's not enough just ssl. Could be done with stunnel, maybe? ;)
We thank you for pointing out this to us and we are grateful that our products are "checked" for security issues! We can sometime like in this case just assume that all think of security issues but the truth is that IT personal have more than security to think about. So things like this are constantly missed!
I've tested officescan (last version)....weak registry permitions. ie: HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\ -> NoPwdProtect = 1 (will enable to unload without pass, as your product doen't apply permission on these reg keys) I remember old versions weak pccsrv sharing permitions (default permission, everyone fullcontrol I mean, comes to mind...infecting autopcc ?). Does it still the same? Cheers, shadown On Thu, 13 Jan 2005 13:06:31 -0800, Hammud_Saway () premium trendmicro com <Hammud_Saway () premium trendmicro com> wrote:
Dear Bugtraq, Here is Trend Micro's reply to this claim This kind of sniffing and "hijacking" of login could be done to almost all ordinary installed http products with login procedure. Since we offer a way to install it with HTTPS(SSL) and making login and communicating with the server secure, we have a internal discussion about if we should call this a "Vulnerability" or not. We have made the R&D promise that next version will be with the question in the installation program for installing SSL support. On the other hand this product should be installed by IT professionals. And it should be obvious to them that IIS in http mode is not security enough. We thank you for pointing out this to us and we are grateful that our products are "checked" for security issues! We can sometime like in this case just assume that all think of security issues but the truth is that IT personal have more than security to think about. So things like this are constantly missed! Here is a link on how to enable HTTPS support for Trend Micro Control Manager http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp ?solutionId=21306 Thanks, Hammud Saway Trend Micro Global Director of Premium ServicesFrom: "CIRT Advisory" <advisory () cirt dk> To: <bugtraq () securityfocus com> Subject: Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack Date: Thu, 13 Jan 2005 19:45:53 +0100 X-Mailer: Microsoft Outlook, Build 10.0.6626 The web application are vulnerable to a replay attack, meaning that theusername and password are encrypted but there are not used any form of timestamp to make this mechanism more advanced and secure. If it is possible to sniff the traffic when a user login to the administrative interface, it is possible to replay this sequence and get a valid login session, with the rights of the user. Vendors response to this was, it is a feature not a vulnerability and all the others also have this problem. Read the full advisory at http://www.cirt.dk/advisories/cirt-28-advisory.pdf ---------------------------------------------------------------------- Danish Incident Response Team http://www.cirt.dk ------------------------------------------------------------------------ AV-Test GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany Phone: +49 (0)391 6075466, <http://www.av-test.org> TREND MICRO EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
-- Sergio Alvarez Security, Research & Development IT Security Consultant email: shadown () gmail com This message is confidential. It may also contain information that is privileged or otherwise legally exempt from disclosure. If you have received it by mistake please let us know by e-mail immediately and delete it from your system; should also not copy the message nor disclose its contents to anyone. Many thanks.
Current thread:
- Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack CIRT Advisory (Jan 13)
- <Possible follow-ups>
- Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack Hammud_Saway (Jan 13)
- Re: Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack shadown (Jan 14)