Hi,

OfficeScan is a network-based anti-virus product from TrendMicro. Every NT workstation, Win 3.x and Win 9.x machine on a LAN can install the service just by using an ActiveX page present on a web-based centralized manager (IIS is needed for that ;) ). As soon as the software is installed on a client, that client will regularly send a lot of information about its filesystem, hardware, devices, etc. through the network to the antiviral manager. Periodically, the manager will try to send database updates to all the clients using TCP port 12345, the port that was used by the infamous NetBus. So after a successful install, every computer listens on this port with an HTTP/1.0 compliant daemon.

The problem lies in a possible DoS attack over the whole LAN, just by connecting to all the open 12345 ports! During the connection between us and the remote target, the remote CPU time consumed to process the data is 100%. The user of the remote workstation will see his machine slow as hell. Until the connection is closed, the remote CPU time consumed remains at the highest level and the remote user will have great pain using his computer. Worse, after only five opened connections to the OfficeScan port, the daemon will enter an unreachable state and the security officer won't be able to upgrade any client. He will have to restart the service on every workstation.

Since this kind of software is specially designed to cover an entire network, it's possible for a malicious user to significantly slow down the company's activity.

This attack was launched from a Linux station against an NT Workstation 4.0 SP5 running OfficeScan 3.13 (the most up-to-date version) with a few lines of shell code. Win 3.x and 9.x clients may be vulnerable as well.

The little exploit to remotely and definitively raise CPU time to 100%:

#!/bin/sh
( echo -e -n "GRow UP NOw!\n\n"; ) | telnet target 12345

To remotely disable the service, just use it at least 5 times.

Because clients are regularly contacting the manager to send alerts and requests, it should be possible to stop the service for the time necessary for TrendMicro to make a patch. Please contact them for further questions.

===================
Gregory Duchemin
Network & Security Engineer.
gdnat_private
===================
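The post gives a defender two concrete signals: only the manager should ever connect to a client's TCP port 12345, and five concurrent connections from one source are enough to take the daemon down. The following detection script is an added example, not code from the original post or from TrendMicro. It runs over a constructed connection log (a made-up "timestamp src src_port dst dst_port state" format, not a real firewall or netflow format) and raises one alert when anything other than the manager address opens a connection to port 12345, and a second when a source reaches the five-connection threshold the post reports.

```python
"""Flag hosts connecting to the OfficeScan client port (TCP 12345).

Added example for the OfficeScan DoS post; not part of the original.
Assumes a constructed log format "timestamp src src_port dst dst_port state"
with state OPEN or CLOSE. Real firewall/netflow exports differ and would
need their own parser.
"""
from collections import defaultdict

OFFICESCAN_PORT = 12345
# The post reports that five open connections leave the client daemon unreachable.
DOS_THRESHOLD = 5

# Constructed sample log (not real data): a manager update that opens and
# closes cleanly, an unrelated port-80 connection, and a host that opens
# five connections to port 12345 and leaves them open.
SAMPLE_LOG = """\
10:00:01 10.0.0.1 40001 10.0.0.20 12345 OPEN
10:00:02 10.0.0.1 40001 10.0.0.20 12345 CLOSE
10:00:05 10.0.0.99 51000 10.0.0.20 80 OPEN
10:00:10 10.0.0.99 51001 10.0.0.20 12345 OPEN
10:00:11 10.0.0.99 51002 10.0.0.20 12345 OPEN
10:00:12 10.0.0.99 51003 10.0.0.20 12345 OPEN
10:00:13 10.0.0.99 51004 10.0.0.20 12345 OPEN
10:00:14 10.0.0.99 51005 10.0.0.20 12345 OPEN
10:00:20 10.0.0.99 51001 10.0.0.20 12345 CLOSE
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, sport, dst, dport, state = line.split()
    return ts, src, int(sport), dst, int(dport), state


def analyse(log_text, manager_ip, port=OFFICESCAN_PORT, threshold=DOS_THRESHOLD):
    """Return (peak, alerts).

    peak maps (src, dst) to the highest number of simultaneously open
    connections to `port` seen for that pair; alerts is a list of strings.
    """
    open_conns = defaultdict(set)   # (src, dst) -> source ports currently open
    peak = defaultdict(int)         # (src, dst) -> highest concurrent count seen
    flagged_sources = set()         # sources already reported as unexpected
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, state = parse_line(line)
        if dport != port:
            continue                # only the OfficeScan client port matters here
        key = (src, dst)
        if state == "OPEN":
            # Only the manager is expected to talk to a client's port 12345.
            if src != manager_ip and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(f"{ts} unexpected client {src} -> {dst}:{port} "
                              f"(only {manager_ip} should connect)")
            open_conns[key].add(sport)
            n = len(open_conns[key])
            if n > peak[key]:
                peak[key] = n
            if n == threshold:
                alerts.append(f"{ts} {src} holds {n} connections to {dst}:{port}: "
                              f"client daemon likely unreachable")
        elif state == "CLOSE":
            open_conns[key].discard(sport)

    return dict(peak), alerts


if __name__ == "__main__":
    peak, alerts = analyse(SAMPLE_LOG, manager_ip="10.0.0.1")
    for pair, n in peak.items():
        print(f"{pair[0]} -> {pair[1]}:{OFFICESCAN_PORT} peak concurrent connections: {n}")
    for a in alerts:
        print("ALERT", a)
```

Port 12345 is shared with NetBus, so a hit on the first rule is worth a look even on hosts without OfficeScan; the threshold rule is the one that says a client has probably already been knocked out and will need its service restarted, as the post describes.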
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:28 PDT