|
Trend Micro OfficeScan CGI Module and Policy Server Buffer Overflows
|
|
|
|
|
Secunia Advisory:
|
SA29124
|
|
|
Release Date:
|
2008-02-28
|
|
Last Update:
|
2008-03-28
|
|
|
Critical:
|

Moderately critical
|
|
Impact:
|
DoS System access
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Trend Micro OfficeScan Corporate Edition 6.x Trend Micro OfficeScan Corporate Edition 7.x
|
| | CVE reference: | CVE-2008-1365 (Secunia mirror) CVE-2008-1366 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product? - Companies can be alerted via email and SMS! |
|
|
Description: Luigi Auriemma has discovered some vulnerabilities in Trend Micro OfficeScan, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
1) A boundary error in cgiChkMasterPwd.exe can be exploited to cause a stack-based buffer overflow via an HTTP request with a specially crafted, overly long "TMLogonEncrypted" parameter.
Successful exploitation allows execution of arbitrary code.
2) Boundary errors in PolicyServer.exe can be exploited to cause stack-based buffer overflows via an HTTP request to the cgiABLogon.exe CGI module with a specially crafted, overly long "pwd" parameter.
Successful exploitation allows execution of arbitrary code but requires that the Trend Micro Policy Server for Cisco NAC is installed.
Other errors, e.g. NULL-pointer dereference errors in certain CGI modules when handling HTTP requests containing certain characters or with invalid "Content-Length" headers, have also been reported.
The vulnerabilities are confirmed in version 7.3 with Patch 3 build 1314. Other versions may also be affected.
Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, scan using the Network Software Inspector.
Solution: Apply patches.
OfficeScan 6.5:
http://www.trendmicro.com/ftp/product...CE_6.5_Win_EN_CriticalPatch_B1467.exe
OfficeScan 7.0:
http://www.trendmicro.com/ftp/product...CE_7.0_Win_EN_CriticalPatch_B1386.exe
OfficeScan 7.3:
http://www.trendmicro.com/ftp/product...CE_7.3_Win_EN_CriticalPatch_B1337.exe
Provided and/or discovered by: Luigi Auriemma
Changelog: 2008-02-29: Updated vulnerability #2 description based on additional information from Secunia Research.
2008-03-19: Added CVE reference.
2008-03-28: Updated "Solution" section and added OfficeScan 6.x in list of affected software.
Original Advisory: Trend Micro:
http://www.trendmicro.com/ftp/documen...Win_EN_CriticalPatch_B1467_readme.txt
http://www.trendmicro.com/ftp/documen...Win_EN_CriticalPatch_B1386_readme.txt
http://www.trendmicro.com/ftp/documen...Win_EN_CriticalPatch_B1337_readme.txt
Luigi Auriemma:
http://aluigi.altervista.org/adv/officescaz-adv.txt
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
10 Related Secunia Security Advisories
|
|
|
1. Trend Micro Scan Engine Tmxpflt.sys Privilege Escalation Vulnerability
|
|
2. Trend Micro OfficeScan CGI Modules Buffer Overflow and Authentication Bypass
|
|
3. Trend Micro Products UPX Processing Denial of Service
|
|
4. Trend Micro OfficeScan Client ActiveX Control Buffer Overflows
|
|
5. Trend Micro Products UPX Processing Buffer Overflow Vulnerability
|
|
6. Trend Micro Products RAR Processing Denial Of Service
|
|
7. OfficeScan Corporate Edition "ATXCONSOLE.OCX" Format String Vulnerability
|
|
8. Trend Micro OfficeScan Client Removal and Arbitrary File Deletion
|
|
9. Trend Micro Products AntiVirus Library Buffer Overflow
|
|
10. Trend Micro OfficeScan Insecure Registry Key and Directory Permissions
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|