Vulnwatch mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Assorted Trend Vulns Rev 2.0

From: "Shayne Sivley" <shayne () fennon com>
Date: Tue, 14 Jan 2003 22:07:04 -0700
I think it's good to keep this information open and available, but I
think it should also be noted that these, as noted, are older
vulnerabilities to the older systems respectively.  

TM OfficeScan -> This applies to at least version 3.5.  You shouldn't be
running 3.5 anymore.  Make sure you are current with TM maintenance and
get your systems up to 5.02.  It's a super easy upgrade.  5.5 (I
believe) is due out soon and has some great features, but ultimately the
UI is handled much different than the older version(s) and doesn't allow
this kind of access.

TM TVCS -> Trend Virus Control System has also been replaced.  TVCS was
a brutal product, but in classic style Trend has done a great job in
getting the centralized management to act and install much better.
TMCM, Trend Micro Control Manager, is the replacement and, while it's
pretty bloated, it works well and also is not affected or accessible (as
I understand from TM SE's) by the TVCS issue.  So, you shouldn't be
running TVCS anymore either, see above.  And yes, the TVCS Log info
'vuln' is a huge deal, but you're going to need to get your AV servers
secured or wait for the popping sound and then do it.  

TM SMEX -> I don't have any info on ScanMail for other products as it
relates to this issue, but once again you shouldn't be running ScanMail
for Exchange 3, see above and upgrade to the latest version and just for
giggles, don't use the web UI for management.  While early versions of
SMEX either didn't run right due to the AVAPI not being properly built,
or having to get SMEX to operate with Service Packs, ScanMail for
Exchange has decidedly matured and is running great on E2K SP3.


Here are my tips for you...

1) Your AV servers should be as important to your org as any other
server on the network
2) If you are paying for maintenance, genius, you should know that does
not cover just pattern file updates.  Get your products up to the latest
and greatest.  It's likely that your old keys will not work, so you need
to contact your reseller or TM and get new keys (if you are current on
maintenance). If you're not, you need to be because they are eventually
going to lock down pattern file access.
3) If you didn't hear the popping sound, ask a friend for a tug.
 

Thanks to Rod for raising this to public view once again.  And if you
are sharp as a marble and didn't understand any of this, email me.  Dig?

Shayne Sivley, KC0OTQ
http://www.illumen.com




-----Original Message-----
From: Rod Boron [mailto:rod_boron () yahoo com] 
Sent: Tuesday, January 14, 2003 6:44 PM
To: vulnwatch () vulnwatch org
Subject: [VulnWatch] Assorted Trend Vulns Rev 2.0


Trend Micro Assorted Vulnerabilities
Rev 2.0 01/14/03

Information
_____________________________________

I have had these sitting around for about a year
and just said "fawk it" and am giving 'em to the
community to sort through before they start growing
edible fungi. Not even sure if they work on newer
versions of
Trend software, too busy with other matters and
projects, but I'm thinking they just might. Some may
just be poor configuration and installation practices
by the user, who knows. No real magical bullet buffer
overflows here, just some weird web app practices.
Most can be access controlled or given stricter
permissions
at the OS level.

All of these "vulns", per say, can be accessed
publicly
on servers with poor border controls. Fire up a
friendly
Google session and see!

Despite these oddities, in my opinion, Trend still
excels over others in it's capabilities and
integration
into a corp network.

Well, enjoy, discuss, criticize, elaborate,
manipulate,
evaluate, but please don't devastate.

Rodney Boron 
-Don't underestimate the subtlety of letting others
think they know more than you.

Rod_Boron-AT-Yahoo.com

*******Trend Officescan password change/bypass*******

http://x.x.x.x/officescan/cgi/cgiMasterPwd.exe

Allows you to skip the default /officescan/cgi/cgiChkMasterPwd.exe
and create your own password to login with. Full
access to the web based Officescan
management page now granted. Hell, you can access
all the nice .exe's in the /cgi. This is easily
cured by correcting permissions and access to the 
folder.


*******Trend Micro TVCS IIS Dos*******

http://x.x.x.x/tvcs/activesupport.exe

10 requests for this .exe will cause 10 instances of ActiveSupport.exe
to be started. Each consuming 2.5 M's of memory and causing a Dos effect
on IIS lasting for up to 5 minutes till each instance of the .exe
timesout.


*******Trend Scanmail Password Bypass*******

http://x.x.x.x:16372/smg_Smxcfg30.exe?vcc=3560121183d3

Some magical backdoor Trend installed to bypass
authentication into their web management page for
Scanmail for Exchange. Does it work on other Scanmail
versions?



*******Trend Micro TVCS Log Collector*******

This one gives up the farm and the rooster's eggs.
huh?

http://x.x.x.x/tvcs/getservers.exe?action=selects1

Follow the steps 2-4 and download a very well endowed
zip file. Within holds the kings jewels. Trivial
encrytion protects both the TVCS password and the
service user account and password. Bet lazy admins
are running Trend as administrator. Some other
enumeration goodies in there to tickle one's
imagination.

....................................................

Where "x.x.x.x" is equivalent to:

-----------== Vin Diesel ==-------------
                 in
"The Fast, the Furious, and the Fortran"


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
Previous By Date Next
Previous By Thread Next

Current thread: