COMMAND
OfficeScan
SYSTEMS AFFECTED
- Trend OfficeScan Corporate Edition 3.0
- Trend OfficeScan Corporate Edition 3.11
- Trend OfficeScan Corporate Edition 3.13
- Trend OfficeScan Corporate Edition 3.50
- Trend OfficeScan Corporate Edition 3.51
- Trend OfficeScan for Microsoft SBS 4.5
PROBLEM
Gregory Duchemin found the following. He has recently discussed
the numerous security holes present in OfficeScan clients
installed all over the LAN, so now let's talk a bit about the
server-side security.
The web-based manager features are, in fact, a bunch of CGIs that
are requested by the LAN admin through an IIS web server. All of
these CGIs are stored in the ofcscan/Web/Cgi directory. Please
verify first that not everybody has the rights to modify these
files, otherwise you may get into big trouble ;)
In normal use, the admin, with his browser, asks for the URL
http://officescan-admin-server/officescan/ and then receives an
HTML-based authentication form requiring an admin password to get
into the main menu. This looks quite usual, but NOT really! Look
at this now:
1- There is no encryption; the password is sent in plain text
on the wire.
Any LAN user may sniff this password and use it like the admin
does, even in a switched environment (with a little ARP game).
On switched networks there is a race condition between the
authentication form request and the real submission of this
form: any averagely skilled user may be able to set up a web
server on his own workstation and spoof the MAC address of the
actual OfficeScan web server to catch the POST when the
OfficeScan admin is logging in. The interesting HTTP field
is: TMLogon=password
2- In fact, there is a much more serious problem in the web-based
security architecture.
A malicious user inside the corporate network doesn't need any
admin password to remotely manage all the clients.
Because there is no session concept in the web-based OfficeScan
server, anybody is able to directly request any CGI that is
normally used only after authentication. One very important one
is called jdkRqNotify.exe; it takes two arguments,
domain=your_domain and event=code, with no session ID and no
security mechanism... just lame! This is an example in a virtual
NT domain named "T4rget":
http://web-based-server/officescan/cgi/jdkRqNotify.exe?domain=T4rget&event=12
event=12 means uninstallation of the antivirus on any remote workstation.
After submission of this URL, our hacker gets an HTML form asking
him for a machine name to uninstall from. This method is a bit
simpler than the other I described in my last posts. There are
numerous event codes; these are a few of them:
11: scan now
12: uninstall
14: roll back
15: New alert message
16: New Intranet Proxy
17: New privilege
18: New protocol
19: New password
20: New client
etc...
Some of these event codes need some previous actions to be
completed. This is the case for New alert message, which needs a
call to cgimsgalert.exe, used to modify the plain text message,
before notifying all clients of it. Our malicious user can
customize this message for everybody according to his mood.
1- http://web-based-server/officescan/cgi/cgimsgalert.exe -->
HTML form with a textarea for the message
2- The hacker submits the form.
3- http://web-based-server/officescan/cgi/jdkRqNotify.exe?domain=T4rget&event=15
4- The hacker chooses to notify every network client, and
especially the CEO's.
5- When infected, machines will display the hacker's personal
message on the screen.
Among other good things, the hacker will be able to change the
proxy configuration used to fetch new signature files, the
password on the clients, the privileges of the clients, etc.
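As an added, defender-side example (not part of this advisory and not Trend's own tooling), the script below reads constructed IIS-style log lines and flags requests to the management CGIs named above that do not come from an allowlisted admin workstation, mapping jdkRqNotify.exe event codes to the list given here. The log layout, the ADMIN_HOSTS allowlist and the sample addresses are assumptions; since the server keeps no session, the source host is the only signal left to check.

```python
import re
from urllib.parse import parse_qs

# Event codes for jdkRqNotify.exe as listed in the advisory
EVENT_NAMES = {
    11: "scan now", 12: "uninstall", 14: "roll back",
    15: "new alert message", 16: "new intranet proxy", 17: "new privilege",
    18: "new protocol", 19: "new password", 20: "new client",
}

# Assumed allowlist: the only workstation the LAN admin manages OfficeScan from
ADMIN_HOSTS = {"10.0.0.5"}

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
1999-11-02 09:14:03 10.0.0.5 GET /officescan/ - 200
1999-11-02 09:15:10 10.0.0.5 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=11 200
1999-11-02 13:41:55 10.0.0.77 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=12 200
1999-11-02 13:42:30 10.0.0.77 GET /officescan/cgi/cgimsgalert.exe - 200
1999-11-02 13:42:41 10.0.0.77 GET /officescan/cgi/jdkRqNotify.exe domain=T4rget&event=15 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Split one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, stem, query, status = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "stem": stem.lower(),
            "params": parse_qs(query) if query != "-" else {}, "status": int(status)}

def find_unauthorized_cgi_calls(log_text, admin_hosts=ADMIN_HOSTS):
    """Return (timestamp, client_ip, cgi_name, description) for management CGI
    requests whose source host is outside the admin allowlist."""
    alerts = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if not rec["stem"].startswith("/officescan/cgi/") or rec["ip"] in admin_hosts:
            continue
        cgi = rec["stem"].rsplit("/", 1)[-1]
        desc = "management CGI reached without any authentication"
        if cgi == "jdkrqnotify.exe":
            code = rec["params"].get("event", ["?"])[0]
            domain = rec["params"].get("domain", ["?"])[0]
            name = EVENT_NAMES.get(int(code), "unknown") if code.isdigit() else "unknown"
            desc = f"event {code} ({name}) pushed to domain {domain}"
        alerts.append((rec["ts"], rec["ip"], cgi, desc))
    return alerts
```

Run against a real IIS log, every line from a host outside the allowlist that reaches /officescan/cgi/ is worth an alert, since nothing in the product itself stops it.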
SOLUTION
This vulnerability is only present when the above software
versions are installed on a Windows NT server with IIS. It is not
present when the above software versions are installed on Novell
NetWare servers or on a Windows NT server without IIS. Patch
availability:
http://www.antivirus.com/download/ofce_patch.htm