Hosting Provided By

RE: Assorted Trend Vulns Rev 2.0

From: herbert tenhagen <herbert.tenhagen(at)trendmicro.de>
Date: Wed Jan 22 2003 - 08:41:02 EST

Rob:

> *******Trend Officescan password change/bypass*******
Trend Micro developed an adminstration tool called "CGI_NTFS". This Tool is part of the toolbox which gets installed by default during the OfficeScan installation. Since Officescan Version 5.02 this toolbox is also available via the administration web interface. For deeper detailed information please look into solution id#13353 in the solutionbank of Trend Micro
(http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13353).

> *******Trend Scanmail Password Bypass*******
Trend Micro is aware of this vulnerability and provides workarounds and fixes at:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13352

ScanMail for Exchange v3.81 (for Microsoft Exchange Server 5.5) and ScanMail for Exchange v6.1 (for Microsoft Exchange Server 2000) are not affected by this vulnerability.

> *******Trend Micro TVCS IIS Dos*******
> *******Trend Micro TVCS Log Collector*******
TVCS has been replaced through TMCM (Trend Micro Control Manager). This product is not affected.

regards

Herbert Tenhagen

Do you need help?

ps: your mail was queued for 7 days at securityfocus before it was announced at vuln-dev. That's the reason for the delayed answer.

...
Received: from outgoing3.securityfocus.com (outgoing3.securityfocus.com [205.206.231.27])

	by mail.client.tld (8.12.7/8.12.7) with ESMTP id h0KJTRlY552375
	for ; Wed, 22 Jan 2003 00:15:36 +0100

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])

	by outgoing3.securityfocus.com (Postfix) with QMQP
	id 3DD41A5192; Fri, 17 Jan 2003 13:15:15 -0700 (MST)

...
Received: (qmail 27418 invoked from network); 15 Jan 2003 01:13:16 -0000 ...
Date: Tue, 14 Jan 2003 17:44:20 -0800 (PST) From: Rod Boron <rod_boron@yahoo.com>
Subject: Assorted Trend Vulns Rev 2.0
To: vuln-dev@securityfocus.com
...

-----Original Message-----
From: Rod Boron [mailto:rod_boron@yahoo.com] Sent: Mittwoch, 15. Januar 2003 02:44
To: vuln-dev@securityfocus.com
Subject: Assorted Trend Vulns Rev 2.0

Trend Micro Assorted Vulnerabilities
Rev 2.0 01/14/03

Information

I have had these sitting around for about a year and just said "fawk it" and am giving 'em to the community to sort through before they start growing edible fungi. Not even sure if they work on newer versions of
Trend software, too busy with other matters and projects, but I'm thinking they just might. Some may just be poor configuration and installation practices by the user, who knows. No real magical bullet buffer overflows here, just some weird web app practices. Most can be access controlled or given stricter permissions
at the OS level.

All of these "vulns", per say, can be accessed publicly
on servers with poor border controls. Fire up a friendly
Google session and see!

Despite these oddities, in my opinion, Trend still excels over others in it's capabilities and integration
into a corp network.

Do you need more help?

Well, enjoy, discuss, criticize, elaborate, manipulate,
evaluate, but please don't devastate.

Rodney Boron
-Don't underestimate the subtlety of letting others think they know more than you.

Rod_Boron-AT-Yahoo.com

*******Trend Officescan password change/bypass*******

http://x.x.x.x/officescan/cgi/cgiMasterPwd.exe

Allows you to skip the default
/officescan/cgi/cgiChkMasterPwd.exe
and create your own password to login with. Full access to the web based Officescan
management page now granted. Hell, you can access all the nice .exe's in the /cgi. This is easily cured by correcting permissions and access to the folder.

*******Trend Micro TVCS IIS Dos*******

http://x.x.x.x/tvcs/activesupport.exe

Can we help you?

10 requests for this .exe will cause 10 instances of ActiveSupport.exe to be started. Each consuming 2.5 M's of memory and causing a Dos effect on IIS lasting for up to 5 minutes till each instance of the .exe timesout.

*******Trend Scanmail Password Bypass*******

http://x.x.x.x:16372/smg_Smxcfg30.exe?vcc=3560121183d3

Some magical backdoor Trend installed to bypass authentication into their web management page for Scanmail for Exchange. Does it work on other Scanmail versions?

*******Trend Micro TVCS Log Collector*******

This one gives up the farm and the rooster's eggs. huh?

http://x.x.x.x/tvcs/getservers.exe?action=selects1

Follow the steps 2-4 and download a very well endowed zip file. Within holds the kings jewels. Trivial encrytion protects both the TVCS password and the service user account and password. Bet lazy admins are running Trend as administrator. Some other enumeration goodies in there to tickle one's imagination.

....................................................

Can't find what you're looking for?

Where "x.x.x.x" is equivalent to:

-----------== Vin Diesel ==-------------

in

"The Fast, the Furious, and the Fortran"

Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com Received on Thu Jan 23 13:32:53 2003

This message: [ Message body ]
Next message: H C: "Re: What to do with a vulerability?"
Previous message: The Blueberry: "Re: Need help w/ Dell Windows security issue"
In reply to Rod Boron: "Assorted Trend Vulns Rev 2.0"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:37 EDT