SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Security)  >   Trend Micro OfficeScan Vendors:   Trend Micro
Trend Micro OfficeScan Buffer Overflow in ActiveX Control Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1020569
SecurityTracker URL:  http://securitytracker.com/id/1020569
CVE Reference:   CVE-2008-3364   (Links to External Site)
Updated:  Aug 11 2008
Original Entry Date:  Jul 29 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.0, 7.3, 8.0
Description:   A vulnerability was reported in Trend Micro OfficeScan. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in the objRemoveCtrl control and execute arbitrary code on the target system. The code will run with the privileges of the target user.

The CLSID of the vulnerable control is: 5EFE8CB1-D095-11D1-88FC-0080C859833B

The vendor notes that Trend Micro Worry-Free Business Security (WFBS) version 5.0 and Trend Micro Client Server Messaging Security (CSM) versions 3.5 and 3.6 are also affected.

Elazar Broad reported this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fix.

The vendor's advisory is available at:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1037899&id=EN-1037899

Vendor URL:  esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1037899&id=EN-1037899 (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who:
Trend Micro
http://www.trendmicro.com

What:
OfficeScan 7.3 build 1343(Patch 4) and older
http://www.trendmicro.com/download/product.asp?productid=5

How:
OfficeScan's Web Console utilizes several ActiveX controls when
deploying the product through the web interface. One of these
controls, objRemoveCtrl, is vulnerable to a stack-based buffer
overflow when embedded in a webpage. The one caveat to this issue
is that the control must be embedded in such a way that it CAN be
visible, i.e. obj = new ActiveXObject() will not work. The issue
lies in the code that is used to display certain properties and
their values on the control when it is embedded in a page.

OfficeScanRemoveCtrl.dll, version 7.3.0.1020
{5EFE8CB1-D095-11D1-88FC-0080C859833B}
Commonly located: systemdrive\Windows\Downloaded Program Files
CAB location on server: officescan install
path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab


The following properties are vulnerable:

HttpBased
LatestPatternServer
LatestPatternURL
LocalServerPort
MasterDirectory
MoreFiles
PatternFilename
ProxyLogin
ProxyPassword
ProxyPort
ProxyServer
RegistryINIFilename
Server
ServerIniFile
ServerPort
ServerSubDir
ServiceDisplayName
ServiceFilename
ServiceName
ShellExtensionFilename
ShortcutFileList
ShortcutNameList
UninstallPassword
UnloadPassword
UseProxy

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/KB/240797

Fix:
As stated below, reportedly there are patches for this issue,
however, I have been able to exploit this issue in a test
environment running OfficeScan 7.3 patch 4(latest available patch).

Timeline:
06/27/2008 -> Vulnerability discovered and reported to iDefense
07/02/2008 <- Request for further information
07/16/2008 <- iDefense states that patches exist which resolve this
issue
07/16/2008 -> Request clarification regarding which patches resolve
this issue. No response
07/20/2008 -> Follow up regarding patches. No response
07/28/2008 - Disclosure
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkiN/hsACgkQi04xwClgpZiTrQP+M9MX2MgvLk+HaMgmYghBRQaTG89M
bb0RywlP2UY6/P9qIk0W3AfI1UsVZUPcTduvo+/BKIR7s5M/m+VTa74lEMH5FHQ17QZ6
tAAKI/TYGl7YWG/+4Zj7n8hpjIhT7AahtjbASTwUxSv3pFet/9DMM9nrCXolR0+bsajy
nJzOnmg=
=kQK+
-----END PGP SIGNATURE-----

--
Discover hidden treasures! Click now for a new metal detector!
http://tagline.hushmail.com/fc/Ioyw6h4c5jwe35WKO72pIZH3J68Qr1p1BCzmhxGSAr9zTajkwjyaNq/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC