Assorted Trend Vulns Rev 2.0

Trend Micro Assorted Vulnerabilities
Rev 2.0 01/14/03

Information

I have had these sitting around for about a year and just said "fawk it" and am giving 'em to the community to sort through before they start growing edible fungi. Not even sure if they work on newer versions of
Trend software, too busy with other matters and projects, but I'm thinking they just might. Some may just be poor configuration and installation practices by the user, who knows. No real magical bullet buffer overflows here, just some weird web app practices. Most can be access controlled or given stricter permissions
at the OS level.

All of these "vulns", per say, can be accessed publicly
on servers with poor border controls. Fire up a friendly
Google session and see!

Despite these oddities, in my opinion, Trend still excels over others in it's capabilities and integration
into a corp network.

Well, enjoy, discuss, criticize, elaborate, manipulate,
evaluate, but please don't devastate.

Rodney Boron
-Don't underestimate the subtlety of letting others think they know more than you.

Rod_Boron-AT-Yahoo.com

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

*******Trend Officescan password change/bypass*******

http://x.x.x.x/officescan/cgi/cgiMasterPwd.exe

Allows you to skip the default
/officescan/cgi/cgiChkMasterPwd.exe
and create your own password to login with. Full access to the web based Officescan
management page now granted. Hell, you can access all the nice .exe's in the /cgi. This is easily cured by correcting permissions and access to the folder.

*******Trend Micro TVCS IIS Dos*******

http://x.x.x.x/tvcs/activesupport.exe

10 requests for this .exe will cause 10 instances of ActiveSupport.exe to be started. Each consuming 2.5 M's of memory and causing a Dos effect on IIS lasting for up to 5 minutes till each instance of the .exe timesout.

*******Trend Scanmail Password Bypass*******

http://x.x.x.x:16372/smg_Smxcfg30.exe?vcc=3560121183d3

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Some magical backdoor Trend installed to bypass authentication into their web management page for Scanmail for Exchange. Does it work on other Scanmail versions?

*******Trend Micro TVCS Log Collector*******

This one gives up the farm and the rooster's eggs. huh?

http://x.x.x.x/tvcs/getservers.exe?action=selects1

Follow the steps 2-4 and download a very well endowed zip file. Within holds the kings jewels. Trivial encrytion protects both the TVCS password and the service user account and password. Bet lazy admins are running Trend as administrator. Some other enumeration goodies in there to tickle one's imagination.

....................................................

Where "x.x.x.x" is equivalent to:

-----------== Vin Diesel ==-------------

                 in