OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Steve (stevesecuresolutions.org)
Date: Mon Oct 15 2001 - 23:45:25 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----Original Message-----
    From: snsadvlac.co.jp [mailto:snsadvlac.co.jp]
    Sent: Monday, October 15, 2001 8:35 PM
    Subject: [SNS Advisory No.44] Trend Micro OfficeScan Corporate
    Edition(Virus Buster Corporate Edition) Configuration File Disclosure
    Vulnerability

    ----------------------------------------------------------------------
    SNS Advisory No.44
    Trend Micro OfficeScan Corporate Edition(Virus Buster Corporate Edition)
    Configuration File Disclosure Vulnerability

    Problem first discovered: Wed, 29 Aug 2001
    Published: Tue, 16 Oct 2001
    ----------------------------------------------------------------------

    Overview:
    ---------
      A vulnerability was discovered in Trend Micro OfficeScan Corporate
      Edition (Japanese version: Virus Buster Corporate Edition) that allows
      remote attackers to access configuration files containing passwords.

    Problem Description:
    --------------------
      Trend Micro OfficeScan Corporate Edition (Japanese version: Virus
      Buster Corporate Edition) is an antivirus software for enterprise use.
      This software provides real-time management, real-time configuration
      and updates pattern files on client machines from management console.

      When this software is installed, several virtual directories are
      created in order to provide Web-based management console function.
      However, attackers will be able to access one of these directories,
      /officescan/hotdownload, without authentication. In addition, the
      file stored in this directory, ofcscan.ini, is the configuration file
      used by OfficeScan Corporate Edition.

      If this vulnerability is exploited, an attacker will be able to gain
      access to the configuration information from this file. Moreover,
      although this file stores an encrypted password, it is possible to
      decrypt it easily. For example, OfficeScan Corporate Edition has
      encrypted the following character sequences, "12345":

         701F702132

      This string is generated by a specific algorithm and it is possible
      to decrypt it easily. If an application uses a duplicated password,
      an attacker will be able to cause further impacts on the system.

    Tested Versions:
    ----------------
      OfficeScan Corporate Edition Ver.3.53
      Virus Buster Corporate Edition Ver.3.53

    Tested OS:
    ----------
      Windows NT 4.0 Server + SP6a [English]
      Windows NT 4.0 Server + SP6a [Japanese]

    Solution:
    ---------
      A patch to fix this issue for Virus Buster Corporate Edition is
      available at the following URL:

     
    http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3182

      And we asked Trend Micro about the patch for OfficeScan Corporate
      Edition, however we couldn't get any information.

    Discovered by:
    --------------
      ARAI Yuu (LAC) y.arailac.co.jp

    Disclaimer:
    -----------
     All information in these advisories are subject to change without any
     advanced notices neither mutual consensus, and each of them is released
    as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences
    caused by applying those information.

    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvlac.co.jp> Computer
    Security Laboratory, LAC http://www.lac.co.jp/security/