Date: Tue, 29 Jul 2008 11:09:50 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability



On Mon, 28 Jul 2008 13:14:37 -0400 Elazar Broad 
<elazar@...hmail.com> wrote:
>Who:
>Trend Micro
>http://www.trendmicro.com
>
>What:
>OfficeScan 7.3 build 1343 (Patch 4) and older
>http://www.trendmicro.com/download/product.asp?productid=5
>
>How:
>OfficeScan's Web Console utilizes several ActiveX controls when
>deploying the product through the web interface. One of these
>controls, objRemoveCtrl, is vulnerable to a stack-based buffer
>overflow when embedded in a webpage. The one caveat to this issue
>is that the control must be embedded in such a way that it CAN be
>visible, i.e. obj = new ActiveXObject() will not work. The issue
>lies in the code that is used to display certain properties and
>their values on the control when it is embedded in a page.
>
>OfficeScanRemoveCtrl.dll, version 7.3.0.1020
>{5EFE8CB1-D095-11D1-88FC-0080C859833B}
>Commonly located: systemdrive\Windows\Downloaded Program Files
>CAB location on server: officescan install path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab
>
>
>The following properties are vulnerable:
>
>HttpBased
>LatestPatternServer
>LatestPatternURL
>LocalServerPort
>MasterDirectory
>MoreFiles
>PatternFilename
>ProxyLogin
>ProxyPassword
>ProxyPort
>ProxyServer
>RegistryINIFilename
>Server
>ServerIniFile
>ServerPort
>ServerSubDir
>ServiceDisplayName
>ServiceFilename
>ServiceName
>ShellExtensionFilename
>ShortcutFileList
>ShortcutNameList
>UninstallPassword
>UnloadPassword
>UseProxy
>
>Workaround:
>Set the killbit for the affected control. See
>http://support.microsoft.com/KB/240797
>
>Fix:
>As stated below, reportedly there are patches for this issue,
>however, I have been able to exploit this issue in a test
>environment running OfficeScan 7.3 patch 4 (latest available patch).
>
>Timeline:
>06/27/2008 -> Vulnerability discovered and reported to iDefense
>07/02/2008 <- Request for further information
>07/16/2008 <- iDefense states that patches exist which resolve this issue
>07/16/2008 -> Request clarification regarding which patches resolve this issue. No response
>07/20/2008 -> Follow up regarding patches. No response
>07/28/2008 - Disclosure

Another possible fix for this is to copy the RemoveCtrl.cab from
8.0 (you can download it from here:
http://www.trendmicro.com/download/product.asp?productid=5; as
stated above, 8.x is not vulnerable since the control uses *_s
functions as opposed to the standard C functions). The 8.0 critical
patch B1242 has a copy of this CAB, so you don't need to download
the entire 8.0 package; then replace the one located in the
ClientInstall folder on the OfficeScan server. I have not tested to
see if this breaks web deployment or not.

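The kill-bit workaround named in the advisory, as an added example that is not part of the original posts: it sets and verifies the kill bit for the CLSID and DLL name given above. The registry path and the 0x400 flag follow Microsoft's kill-bit documentation (KB240797); the helper name `Set-KillBit` is hypothetical.

```powershell
# Added example: set and verify the IE kill bit for the control in the advisory.
# Run from an elevated prompt.
$Clsid     = '{5EFE8CB1-D095-11D1-88FC-0080C859833B}'  # CLSID given in the advisory
$KillBit   = 0x00000400                                 # kill bit flag (KB240797)
$ValueName = 'Compatibility Flags'

# Native registry view, plus the 32-bit view present on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {   # hypothetical helper name
    param([string]$Root, [string]$Clsid)
    $Key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Keep any flags already set on the control and OR in the kill bit.
    $Props   = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
    $Current = if ($Props) { $Props.$ValueName } else { 0 }
    New-ItemProperty -LiteralPath $Key -Name $ValueName -PropertyType DWord `
        -Value ($Current -bor $KillBit) -Force | Out-Null
    # Read the value back so the result reflects what is actually stored.
    $Stored = (Get-ItemProperty -LiteralPath $Key -Name $ValueName).$ValueName
    [pscustomobject]@{
        Key        = $Key
        Flags      = '0x{0:X8}' -f $Stored
        KillBitSet = (($Stored -band $KillBit) -eq $KillBit)
    }
}

foreach ($Root in $Roots) {
    # Skip the 32-bit view on systems where it does not exist.
    if (Test-Path -LiteralPath $Root) { Set-KillBit -Root $Root -Clsid $Clsid }
}

# Report whether the DLL is still present where the advisory says it commonly is.
$Dll = Join-Path $env:SystemRoot 'Downloaded Program Files\OfficeScanRemoveCtrl.dll'
if (Test-Path -LiteralPath $Dll) {
    $Version = (Get-Item -LiteralPath $Dll).VersionInfo.FileVersion
    "Control still installed: $Dll (file version $Version)"
}
```

The kill bit only stops Internet Explorer from instantiating the control; the DLL itself stays on disk until it is removed or replaced.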
