Trend Micro OfficeScan Buffer Overflow in ActiveX Control Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1020569
|
|
SecurityTracker URL: http://securitytracker.com/id?1020569
|
|
CVE Reference: CVE-2008-3364
|
Updated: Aug 11 2008
|
Original Entry Date: Jul 29 2008
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 7.0, 7.3, 8.0
|
Description: A vulnerability was reported in Trend Micro OfficeScan. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in the objRemoveCtrl control and execute arbitrary code on the target system. The code will run with the privileges of the target user.
The CLSID of the vulnerable control is: 5EFE8CB1-D095-11D1-88FC-0080C859833B
The vendor notes that Trend Micro Worry-Free Business Security (WFBS) version 5.0 and Trend Micro Client Server Messaging Security (CSM) versions 3.5 and 3.6 are also affected.
Elazar Broad reported this vulnerability.
|
Impact: A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
|
Solution: The vendor has issued a fix.
The vendor's advisory is available at:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1037899&id=EN-1037899
|
Vendor URL: esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1037899&id=EN-1037899
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: "Elazar Broad" <elazar@hushmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 28 Jul 2008 13:14:37 -0400
From: "Elazar Broad" <elazar@hushmail.com>
Subject: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX
|
Who:
Trend Micro
http://www.trendmicro.com
What:
OfficeScan 7.3 build 1343(Patch 4) and older
http://www.trendmicro.com/download/product.asp?productid=5
How:
OfficeScan's Web Console utilizes several ActiveX controls when
deploying the product through the web interface. One of these
controls, objRemoveCtrl, is vulnerable to a stack-based buffer
overflow when embedded in a webpage. The one caveat to this issue
is that the control must be embedded in such a way that it CAN be
visible, i.e. obj = new ActiveXObject() will not work. The issue
lies in the code that is used to display certain properties and
their values on the control when it is embedded in a page.
OfficeScanRemoveCtrl.dll, version 7.3.0.1020
{5EFE8CB1-D095-11D1-88FC-0080C859833B}
Commonly located: systemdrive\Windows\Downloaded Program Files
CAB location on server: officescan install path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab
The following properties are vulnerable:
HttpBased
LatestPatternServer
LatestPatternURL
LocalServerPort
MasterDirectory
MoreFiles
PatternFilename
ProxyLogin
ProxyPassword
ProxyPort
ProxyServer
RegistryINIFilename
Server
ServerIniFile
ServerPort
ServerSubDir
ServiceDisplayName
ServiceFilename
ServiceName
ShellExtensionFilename
ShortcutFileList
ShortcutNameList
UninstallPassword
UnloadPassword
UseProxy
Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/KB/240797
Fix:
As stated below, reportedly there are patches for this issue,
however, I have been able to exploit this issue in a test
environment running OfficeScan 7.3 patch 4(latest available patch).
Timeline:
06/27/2008 -> Vulnerability discovered and reported to iDefense
07/02/2008 <- Request for further information
07/16/2008 <- iDefense states that patches exist which resolve this issue
07/16/2008 -> Request clarification regarding which patches resolve this issue. No response
07/20/2008 -> Follow up regarding patches. No response
07/28/2008 - Disclosure
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|