COMMAND
OfficeScan
SYSTEMS AFFECTED
OfficeScan
PROBLEM
Gregory Duchemin found the following. OfficeScan is a network-based
anti-virus product from Trend Micro. Every NT, Windows 3.x and
Windows 9.x workstation on a LAN can install the service simply by
using an ActiveX page served by a web-based centralized manager
(IIS is required for that). As soon as the software is installed on
a client, that client regularly sends a lot of information about
its filesystem, hardware, devices etc. across the network to the
anti-virus manager. Periodically, the manager tries to push
database updates to all the clients over TCP port 12345, the port
that was also used by the infamous NetBus trojan. So after a
successful install, every computer listens on this port with an
HTTP/1.0 compliant daemon.
The problem lies in a possible DoS attack against the whole LAN,
simply by connecting to every open 12345 port. For the duration
of the connection between the attacker and the remote target, the
CPU time consumed on the target to process the data is 100%. The
user of the remote workstation sees his machine slow to a crawl.
Until the connection is closed, the remote CPU usage stays at the
highest level and the remote user struggles to use his computer.
Worse, after only five open connections to the OfficeScan port,
the daemon enters an unreachable state and the security officer is
no longer able to upgrade any client; he has to restart the
service on every workstation.
Since this kind of software is specifically designed to cover an
entire network, it is possible for a malicious user to
significantly slow down the company's activity. This attack was
launched from a Linux station against an NT Workstation 4.0 SP5
running OfficeScan 3.50 with a few lines of shell script. Windows
3.x and 9.x clients may be vulnerable as well. The little exploit
to remotely and permanently drive CPU time up to 100%:
#!/bin/sh
(
echo -e -n "GRow UP NOw!\n\n";
)| telnet target 12345
To remotely disable the service, just run it at least five times.
Because clients regularly contact the manager to send alerts and
requests, it should be possible to keep the service stopped for
the time Trend Micro needs to produce a patch.
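Until a patch is available, the practical defence is to notice the
attack pattern on the LAN: the advisory says five open connections
to TCP 12345 wedge the daemon, and a LAN-wide DoS means one source
connecting to port 12345 on many clients. The following detection
helper is an added example written for this advisory; it is not
part of the original report or of any Trend Micro product. It
assumes a constructed connection-log format (one line per accepted
TCP connection: ISO timestamp, source IP, destination IP:port) and
a 60-second observation window; both are assumptions, as is the
manager allow-list, which is needed because the real OfficeScan
manager legitimately contacts every client on that same port.

```python
"""Detection helper for the OfficeScan TCP 12345 denial of service.
Added example, not from the advisory or from Trend Micro.
Assumed log format (constructed): "<ISO timestamp> <src_ip> -> <dst_ip>:<port>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

OFFICESCAN_PORT = 12345          # client daemon port (from the advisory)
CONN_THRESHOLD = 5               # advisory: five open connections wedge the daemon
WINDOW = timedelta(seconds=60)   # assumed observation window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)

# Constructed sample log: 10.0.0.5 is the (legitimate) manager, 10.0.0.99 the
# source of the abuse; the last two lines are noise that must be ignored.
SAMPLE_LOG = """\
2000-03-01T09:00:00 10.0.0.5 -> 10.0.0.21:12345
2000-03-01T09:00:01 10.0.0.5 -> 10.0.0.22:12345
2000-03-01T09:00:02 10.0.0.5 -> 10.0.0.23:12345
2000-03-01T09:05:00 10.0.0.99 -> 10.0.0.21:12345
2000-03-01T09:05:01 10.0.0.99 -> 10.0.0.21:12345
2000-03-01T09:05:02 10.0.0.99 -> 10.0.0.21:12345
2000-03-01T09:05:03 10.0.0.99 -> 10.0.0.21:12345
2000-03-01T09:05:04 10.0.0.99 -> 10.0.0.21:12345
2000-03-01T09:05:05 10.0.0.99 -> 10.0.0.22:12345
2000-03-01T09:05:06 10.0.0.99 -> 10.0.0.23:12345
2000-03-01T09:05:07 10.0.0.99 -> 10.0.0.24:12345
2000-03-01T09:05:08 10.0.0.99 -> 10.0.0.21:80
this line is garbage and is skipped
""".splitlines()


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def _port_events(lines, port):
    """Yield (ts, src, dst) for every parsable connection to the given port."""
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[3] == port:
            yield rec[0], rec[1], rec[2]


def find_suspects(lines, threshold=CONN_THRESHOLD, window=WINDOW, port=OFFICESCAN_PORT):
    """{src: {dst: peak}} for every (src, dst) pair with >= threshold connections
    to the daemon port inside one sliding window (the per-host wedge condition)."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst in _port_events(lines, port):
        stamps_by_pair[(src, dst)].append(ts)
    flagged = defaultdict(dict)
    for (src, dst), stamps in stamps_by_pair.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:   # slide the window's left edge
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[src][dst] = peak
    return dict(flagged)


def sweep_sources(lines, min_targets=3, port=OFFICESCAN_PORT, known_managers=()):
    """{src: [dst, ...]} for sources that touched port 12345 on at least
    min_targets distinct hosts (the LAN-wide pattern). The manager itself
    matches this pattern by design, so callers must pass it in known_managers."""
    targets = defaultdict(set)
    for _, src, dst in _port_events(lines, port):
        if src not in known_managers:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    print("per-host wedge candidates:", find_suspects(SAMPLE_LOG))
    print("LAN sweep candidates:", sweep_sources(SAMPLE_LOG, known_managers={"10.0.0.5"}))
```

Run against the sample log, find_suspects reports 10.0.0.99 with a
peak of five connections to 10.0.0.21, and sweep_sources reports
the same source touching four clients. Leaving the manager out of
known_managers makes 10.0.0.5 show up in the sweep list too, which
is exactly the false positive the allow-list exists to remove.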
SOLUTION
Trend Micro is preparing a patch.