Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: DOS in Trendmicro OfficeScan
From: cerberus (c3rberCLUB-INTERNET.FR)
Date: Sat Feb 26 2000 - 12:26:46 CST

OfficeScan is a network based anti-virus product from TrendMicro.
Every NT workstations, Win 3.x, Win 9.x over a LAN can install the
service just by using ActiveX page present onto a web-based centralized
manager ( IIS is needed for that ;) ).
As soon as the software is installed on a client, this last one ll
regularly send a lot of information about its filesystem, hardware,
devices etc...through the network to the antiviral manager. Periodicaly,
the manager will try to send database updates to all the clients using
the TCP 12345 port, thus was used by the infamous netbus.

So after a successfull install, every computer listens on this port with
an HTTP/1.0 compliant daemon.

The problem relies on a possible DOS attack over all the LAN, just by
connecting to all the 12345 open ports !
During the connection between us and the remote target, the remote used
cpu time consumed to process the data is 100%. The user of the remote
workstation will see his machine slow as hell.
Till the connection isn't closed, remote cpu time consumed remains at
the highest level and the remote user will have all the pain to use his
Worst, after only five opened connections to OfficeScan port, daemon
will enter an unreachable state and the security officer won't be able
to upgrade any client.
He 'll have to restart the service on every workstation.

Since this kind of software is specially designed to cover an entire
network, it's possible for a malicious user to significally slow down
the company's activity.

This attack was launched from a linux station against an NT Workstation
4.0 SP5 OfficeScan 3.13 (the most up to date version) with few lines of
shell code.
Win 3.x et 9.x clients may be vulnerables as well.

the little exploit to remotly and definitly grow up cpu-time to 100%:
echo -e -n "GRow UP NOw!\n\n";
)| telnet target 12345

To remotly disable the service, just use it at least 5 times.
Because, clients are regurlaly contacting the manager to send alert and
request, it should be possible to stop the service, the necessary time
for TrendMicro to make a patch.
Please contact them for further questions.

Gregory Duchemin
Network & Security Engineer.