Vulnwatch mailing list archives
RE: Assorted Trend Vulns Rev 2.0
From: "Shayne Sivley" <shayne () fennon com>
Date: Tue, 14 Jan 2003 22:07:04 -0700
I think it's good to keep this information open and available, but I think it should also be noted that these, as noted, are older vulnerabilities to the older systems respectively.

TM OfficeScan -> This applies to at least version 3.5. You shouldn't be running 3.5 anymore. Make sure you are current with TM maintenance and get your systems up to 5.02. It's a super easy upgrade. 5.5 (I believe) is due out soon and has some great features, but ultimately the UI is handled much differently than the older version(s) and doesn't allow this kind of access.

TM TVCS -> Trend Virus Control System has also been replaced. TVCS was a brutal product, but in classic style Trend has done a great job in getting the centralized management to act and install much better. TMCM, Trend Micro Control Manager, is the replacement and, while it's pretty bloated, it works well and also is not affected or accessible (as I understand from TM SEs) by the TVCS issue. So, you shouldn't be running TVCS anymore either, see above. And yes, the TVCS Log info 'vuln' is a huge deal, but you're going to need to get your AV servers secured or wait for the popping sound and then do it.

TM SMEX -> I don't have any info on ScanMail for other products as it relates to this issue, but once again you shouldn't be running ScanMail for Exchange 3, see above and upgrade to the latest version and, just for giggles, don't use the web UI for management. While early versions of SMEX either didn't run right due to the AVAPI not being properly built, or having to get SMEX to operate with Service Packs, ScanMail for Exchange has decidedly matured and is running great on E2K SP3.

Here are my tips for you...

1) Your AV servers should be as important to your org as any other server on the network.

2) If you are paying for maintenance, genius, you should know that does not cover just pattern file updates. Get your products up to the latest and greatest. It's likely that your old keys will not work, so you need to contact your reseller or TM and get new keys (if you are current on maintenance). If you're not, you need to be because they are eventually going to lock down pattern file access.

3) If you didn't hear the popping sound, ask a friend for a tug.

Thanks to Rod for raising this to public view once again. And if you are sharp as a marble and didn't understand any of this, email me. Dig?

Shayne Sivley, KC0OTQ
http://www.illumen.com

-----Original Message-----
From: Rod Boron [mailto:rod_boron () yahoo com]
Sent: Tuesday, January 14, 2003 6:44 PM
To: vulnwatch () vulnwatch org
Subject: [VulnWatch] Assorted Trend Vulns Rev 2.0

Trend Micro Assorted Vulnerabilities Rev 2.0
01/14/03

Information
_____________________________________

I have had these sitting around for about a year and just said "fawk it" and am giving 'em to the community to sort through before they start growing edible fungi. Not even sure if they work on newer versions of Trend software, too busy with other matters and projects, but I'm thinking they just might. Some may just be poor configuration and installation practices by the user, who knows. No real magical bullet buffer overflows here, just some weird web app practices. Most can be access controlled or given stricter permissions at the OS level. All of these "vulns", per se, can be accessed publicly on servers with poor border controls. Fire up a friendly Google session and see! Despite these oddities, in my opinion, Trend still excels over others in its capabilities and integration into a corp network. Well, enjoy, discuss, criticize, elaborate, manipulate, evaluate, but please don't devastate.

Rodney Boron
-Don't underestimate the subtlety of letting others think they know more than you.
Rod_Boron-AT-Yahoo.com

*******Trend Officescan password change/bypass*******
http://x.x.x.x/officescan/cgi/cgiMasterPwd.exe
Allows you to skip the default /officescan/cgi/cgiChkMasterPwd.exe and create your own password to login with. Full access to the web based Officescan management page now granted. Hell, you can access all the nice .exe's in the /cgi. This is easily cured by correcting permissions and access to the folder.

*******Trend Micro TVCS IIS DoS*******
http://x.x.x.x/tvcs/activesupport.exe
10 requests for this .exe will cause 10 instances of ActiveSupport.exe to be started, each consuming 2.5 M's of memory and causing a DoS effect on IIS lasting for up to 5 minutes till each instance of the .exe times out.

*******Trend Scanmail Password Bypass*******
http://x.x.x.x:16372/smg_Smxcfg30.exe?vcc=3560121183d3
Some magical backdoor Trend installed to bypass authentication into their web management page for Scanmail for Exchange. Does it work on other Scanmail versions?

*******Trend Micro TVCS Log Collector*******
This one gives up the farm and the rooster's eggs. huh?
http://x.x.x.x/tvcs/getservers.exe?action=selects1
Follow the steps 2-4 and download a very well endowed zip file. Within holds the king's jewels. Trivial encryption protects both the TVCS password and the service user account and password. Bet lazy admins are running Trend as administrator. Some other enumeration goodies in there to tickle one's imagination.

....................................................
Where "x.x.x.x" is equivalent to:
-----------== Vin Diesel ==-------------
in "The Fast, the Furious, and the Fortran"
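An added example, not from either post: a Python check that flags requests for the Trend Micro CGI paths the original message lists in IIS W3C log lines, and raises a separate alert when one client hits activesupport.exe ten times inside the five-minute window the post describes. The log field layout, the constructed sample lines and the trusted admin-host allowlist are assumptions.

```python
# Added example (not from the thread): flag hits on the Trend CGI paths
# named in Rod Boron's post, in constructed IIS W3C log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths taken from the post; the reason strings are ours.
WATCHED = {
    "/officescan/cgi/cgimasterpwd.exe": "OfficeScan master password reset",
    "/tvcs/activesupport.exe": "TVCS ActiveSupport spawn (DoS if bursty)",
    "/smg_smxcfg30.exe": "ScanMail for Exchange config page (auth bypass)",
    "/tvcs/getservers.exe": "TVCS log collector (credential export)",
}
BURST_N, BURST_WINDOW = 10, timedelta(minutes=5)   # "10 requests", "5 minutes"

# Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def scan(lines, trusted_admin_hosts=frozenset()):
    """Return (alerts, bursts); alerts are (ts, ip, stem, reason) tuples."""
    alerts, bursts = [], []
    hits = defaultdict(list)          # per-client timestamps for activesupport.exe
    for line in lines:
        m = LINE.match(line)
        if line.startswith("#") or not m:
            continue                  # header/comment or unparsable line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, stem = m.group(2), m.group(4).lower()
        reason = WATCHED.get(stem)
        if reason is None or ip in trusted_admin_hosts:
            continue                  # not a watched path, or an allowed admin host
        alerts.append((ts, ip, stem, reason))
        if stem == "/tvcs/activesupport.exe":
            hits[ip] = [t for t in hits[ip] if ts - t <= BURST_WINDOW] + [ts]
            if len(hits[ip]) == BURST_N:
                bursts.append((ip, hits[ip][0], ts))
    return alerts, bursts

# Constructed sample: one normal login check, then a hostile-looking client.
SAMPLE_LINES = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-01-14 18:40:01 10.0.0.5 GET /officescan/cgi/cgiChkMasterPwd.exe - 200",
    "2003-01-14 18:40:07 192.0.2.77 GET /officescan/cgi/cgiMasterPwd.exe - 200",
    "2003-01-14 18:41:10 192.0.2.77 GET /smg_Smxcfg30.exe vcc=... 200",
] + [f"2003-01-14 18:42:{s:02d} 192.0.2.77 GET /tvcs/activesupport.exe - 200"
     for s in range(10)]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES)[0]:
        print(*a)
    print("bursts:", scan(SAMPLE_LINES)[1])
```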
Current thread:
- Assorted Trend Vulns Rev 2.0 Rod Boron (Jan 14)
- RE: Assorted Trend Vulns Rev 2.0 Shayne Sivley (Jan 14)