DOS in Trendmicro OfficeScan

From: cerberus (c3rber@CLUB-INTERNET.FR)
Date: Sat Feb 26 2000 - 10:26:46 PST


    hi,
    OfficeScan is a network-based anti-virus product from TrendMicro.
    Every NT, Win 3.x, or Win 9.x workstation on a LAN can install the
    service just by using an ActiveX page present on a web-based centralized
    manager ( IIS is needed for that ;) ).
    As soon as the software is installed on a client, the latter will
    regularly send a lot of information about its filesystem, hardware,
    devices etc. through the network to the antiviral manager. Periodically,
    the manager will try to send database updates to all the clients using
    TCP port 12345, which was used by the infamous NetBus.
    
    So after a successful install, every computer listens on this port with
    an HTTP/1.0 compliant daemon.
    
    The problem lies in a possible DOS attack over all the LAN, just by
    connecting to all the open 12345 ports!
    During the connection between us and the remote target, the remote CPU
    time consumed to process the data is 100%. The user of the remote
    workstation will see his machine slow as hell.
    Until the connection is closed, remote CPU time consumed remains at
    the highest level and the remote user will have all the pain to use his
    computer.
    Worse, after only five opened connections to the OfficeScan port, the daemon
    will enter an unreachable state and the security officer won't be able
    to upgrade any client.
    He'll have to restart the service on every workstation.
    
    Since this kind of software is specially designed to cover an entire
    network, it's possible for a malicious user to significantly slow down
    the company's activity.
    
    This attack was launched from a Linux station against an NT Workstation
    4.0 SP5 OfficeScan 3.13 (the most up to date version) with a few lines of
    shell code.
    Win 3.x and 9.x clients may be vulnerable as well.
    
    the little exploit to remotely and definitely raise CPU time to 100%:
    #!/bin/sh
    (
    echo -e -n "GRow UP NOw!\n\n";
    )| telnet target 12345
    
    To remotely disable the service, just use it at least 5 times.
    Because clients are regularly contacting the manager to send alerts and
    requests, it should be possible to stop the service for the time
    necessary for TrendMicro to make a patch.
    Please contact them for further questions.
    
    ===================
    Gregory Duchemin
    Network & Security Engineer.
    gdnat_private
    ===================
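As an added defender-side example (not part of the original post), the following Python scans connection log lines for a source that opens the five connections to TCP/12345 the post says wedge the OfficeScan daemon; the log format, hosts and the manager address 10.0.0.2 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of firewall/flow log lines (not from the original post):
# one LAN host opens five connections to TCP/12345 on an OfficeScan client
# (10.0.0.21), mixed with unrelated web traffic and one normal update
# connection from the assumed manager (10.0.0.2).
SAMPLE_LOG = """\
2000-02-26T10:20:01 proto=tcp src=10.0.0.50:40001 dst=10.0.0.21:12345 state=new
2000-02-26T10:20:02 proto=tcp src=10.0.0.50:40002 dst=10.0.0.21:12345 state=new
2000-02-26T10:20:02 proto=tcp src=10.0.0.7:1033 dst=10.0.0.9:80 state=new
2000-02-26T10:20:03 proto=tcp src=10.0.0.50:40003 dst=10.0.0.21:12345 state=new
2000-02-26T10:20:03 proto=tcp src=10.0.0.50:40004 dst=10.0.0.21:12345 state=new
2000-02-26T10:20:04 proto=tcp src=10.0.0.50:40005 dst=10.0.0.21:12345 state=new
2000-02-26T10:20:05 proto=tcp src=10.0.0.2:3050 dst=10.0.0.22:12345 state=new
"""

# Hypothetical log format; adapt the pattern to your firewall/flow exporter.
LINE_RE = re.compile(
    r"proto=tcp src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) state=new"
)

OFFICESCAN_PORT = 12345  # client-side listener described in the post
WEDGE_THRESHOLD = 5      # the post reports five connections disable the daemon


def count_officescan_connects(log_text):
    """Map (src, dst) -> number of new TCP connections to the OfficeScan port."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) == OFFICESCAN_PORT:
            counts[(m.group("src"), m.group("dst"))] += 1
    return dict(counts)


def find_dos_suspects(log_text, threshold=WEDGE_THRESHOLD):
    """List (src, dst, count) pairs that reached the wedge threshold."""
    return sorted((src, dst, n) for (src, dst), n in
                  count_officescan_connects(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for src, dst, n in find_dos_suspects(SAMPLE_LOG):
        print(f"ALERT {src} opened {n} connections to {dst}:12345 (daemon wedge threshold)")
```

Allow-listing the manager's address before alerting keeps the periodic update connections from triggering the rule.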
    