lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 28 Jul 2008 13:14:37 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Trend Micro OfficeScan ObjRemoveCtrl ActiveX
	Control Buffer Overflow Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who:
Trend Micro
http://www.trendmicro.com

What:
OfficeScan 7.3 build 1343(Patch 4) and older
http://www.trendmicro.com/download/product.asp?productid=5

How:
OfficeScan's Web Console utilizes several ActiveX controls when
deploying the product through the web interface. One of these
controls, objRemoveCtrl, is vulnerable to a stack-based buffer
overflow when embedded in a webpage. The one caveat to this issue
is that the control must be embedded in such a way that it CAN be
visible, i.e. obj = new ActiveXObject() will not work. The issue
lies in the code that is used to display certain properties and
their values on the control when it is embedded in a page.

OfficeScanRemoveCtrl.dll, version 7.3.0.1020
{5EFE8CB1-D095-11D1-88FC-0080C859833B}
Commonly located: systemdrive\Windows\Downloaded Program Files
CAB location on server: officescan install
path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab


The following properties are vulnerable:

HttpBased
LatestPatternServer
LatestPatternURL
LocalServerPort
MasterDirectory
MoreFiles
PatternFilename
ProxyLogin
ProxyPassword
ProxyPort
ProxyServer
RegistryINIFilename
Server
ServerIniFile
ServerPort
ServerSubDir
ServiceDisplayName
ServiceFilename
ServiceName
ShellExtensionFilename
ShortcutFileList
ShortcutNameList
UninstallPassword
UnloadPassword
UseProxy

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/KB/240797

Fix:
As stated below, reportedly there are patches for this issue,
however, I have been able to exploit this issue in a test
environment running OfficeScan 7.3 patch 4(latest available patch).

Timeline:
06/27/2008 -> Vulnerability discovered and reported to iDefense
07/02/2008 <- Request for further information
07/16/2008 <- iDefense states that patches exist which resolve this
issue
07/16/2008 -> Request clarification regarding which patches resolve
this issue. No response
07/20/2008 -> Follow up regarding patches. No response
07/28/2008 - Disclosure
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkiN/hsACgkQi04xwClgpZiTrQP+M9MX2MgvLk+HaMgmYghBRQaTG89M
bb0RywlP2UY6/P9qIk0W3AfI1UsVZUPcTduvo+/BKIR7s5M/m+VTa74lEMH5FHQ17QZ6
tAAKI/TYGl7YWG/+4Zj7n8hpjIhT7AahtjbASTwUxSv3pFet/9DMM9nrCXolR0+bsajy
nJzOnmg=
=kQK+
-----END PGP SIGNATURE-----

--
Discover hidden treasures! Click now for a new metal detector!
http://tagline.hushmail.com/fc/Ioyw6h4c5jwe35WKO72pIZH3J68Qr1p1BCzmhxGSAr9zTajkwjyaNq/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ