Re: Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack

[shadown <shadown () gmail com>]

Hi,

If it doesn't have a client application cert, indeed it's a
vulnerability. If someone arppoison (well any MiM techniques that
could redirect the traffic to pass through you) could portredirect and
handle the ssl connection. And sniff it son it's not enough just ssl.
Could be done with stunnel, maybe? ;)

> We thank you for pointing out this to us and we are grateful that our
> products are "checked" for security issues! We can sometime like in this
> case just assume that all think of security issues but the truth is that
> IT personal have more than security to think about. So things like this
> are constantly missed!

I've tested officescan (last version)....weak registry permitions.
ie:
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\ ->
NoPwdProtect = 1
(will enable to unload without pass, as your product doen't apply
permission on these reg keys)

I remember old versions weak pccsrv sharing permitions (default permission,
everyone fullcontrol I mean, comes to mind...infecting autopcc ?).
Does it still the same?

Cheers,
   shadown


On Thu, 13 Jan 2005 13:06:31 -0800,
Hammud_Saway () premium trendmicro com
<Hammud_Saway () premium trendmicro com> wrote:
> Dear Bugtraq,
>
> Here is Trend Micro's reply to this claim
>
> This kind of sniffing and "hijacking" of login could be done to almost
> all ordinary installed http products with login procedure.
> Since we offer a way to install it with HTTPS(SSL) and making login and
> communicating with the server secure, we have a internal discussion
> about if we should call this a "Vulnerability" or not.
> We have made the R&D promise that next version will be with the question
> in the installation program for installing SSL support.
> On the other hand this product should be installed by IT professionals.
> And it should be obvious to them that IIS in http mode is not security
> enough.
> We thank you for pointing out this to us and we are grateful that our
> products are "checked" for security issues! We can sometime like in this
> case just assume that all think of security issues but the truth is that
> IT personal have more than security to think about. So things like this
> are constantly missed!
>
> Here is a link on how to enable HTTPS support for Trend Micro Control
> Manager
> http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp
> ?solutionId=21306
>
> Thanks,
> Hammud Saway
>
> Trend Micro
> Global Director of Premium Services
>
> > From: "CIRT Advisory" <advisory () cirt dk>
> > To: <bugtraq () securityfocus com>
> > Subject: Trend Micro Control Manager - Enterprise Edition 3.0 Web
> > application Replay attack
> > Date: Thu, 13 Jan 2005 19:45:53 +0100
> > X-Mailer: Microsoft Outlook, Build 10.0.6626
> >
> > The web application are vulnerable to a replay attack, meaning that the
>
> > username and password are encrypted but there are not used any form of
> > timestamp to make this mechanism more advanced and secure.
> >
> > If it is possible to sniff the traffic when a user login to the
> > administrative interface, it is possible to replay this sequence and
> > get a valid login session, with the rights of the user.
> >
> > Vendors response to this was, it is a feature not a vulnerability and
> > all the others also have this problem.
> >
> > Read the full advisory at
> > http://www.cirt.dk/advisories/cirt-28-advisory.pdf
> >
> > ----------------------------------------------------------------------
> > Danish Incident Response Team
> > http://www.cirt.dk
> > ----------------------------------------------------------------------
>
> --
> AV-Test GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany
> Phone: +49 (0)391 6075466, <http://www.av-test.org>
>
> TREND MICRO EMAIL NOTICE
> The information contained in this email and any attachments is confidential and may be subject to copyright or other 
> intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose 
> this information, and we request that you notify us by reply mail or telephone and delete the original message from 
> your mail system.


-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown () gmail com

This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure. If you have
received it by mistake please let us know by e-mail immediately and
delete it from your system; should also not copy the message nor
disclose its contents to anyone. Many thanks.