Trend Micro OfficeScan Buffer Overflow in ActiveX Control Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1020569
SecurityTracker URL: http://securitytracker.com/id/1020569
Updated: Aug 11 2008
Original Entry Date: Jul 29 2008
Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 7.0, 7.3, 8.0
A vulnerability was reported in Trend Micro OfficeScan. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow in the objRemoveCtrl control and execute arbitrary code on the target system. The code will run with the privileges of the target user.
The CLSID of the vulnerable control is: 5EFE8CB1-D095-11D1-88FC-0080C859833B
The vendor notes that Trend Micro Worry-Free Business Security (WFBS) version 5.0 and Trend Micro Client Server Messaging Security (CSM) versions 3.5 and 3.6 are also affected.
Elazar Broad reported this vulnerability.
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
The vendor has issued a fix.
The vendor's advisory is available at:
Vendor URL: esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1037899&id=EN-1037899
Underlying OS: Windows (Any)
Source Message Contents
Subject: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX
-----BEGIN PGP SIGNED MESSAGE-----
OfficeScan 7.3 build 1343 (Patch 4) and older
OfficeScan's Web Console utilizes several ActiveX controls when
deploying the product through the web interface. One of these
controls, objRemoveCtrl, is vulnerable to a stack-based buffer
overflow when embedded in a webpage. The one caveat to this issue
is that the control must be embedded in such a way that it CAN be
visible, i.e. obj = new ActiveXObject() will not work. The issue
lies in the code that is used to display certain properties and
their values on the control when it is embedded in a page.
OfficeScanRemoveCtrl.dll, version 22.214.171.1240
Commonly located: systemdrive\Windows\Downloaded Program Files
CAB location on server: officescan install
The following properties are vulnerable:
Set the killbit for the affected control. See
As stated below, reportedly there are patches for this issue,
however, I have been able to exploit this issue in a test
environment running OfficeScan 7.3 patch 4 (latest available patch).
06/27/2008 -> Vulnerability discovered and reported to iDefense
07/02/2008 <- Request for further information
07/16/2008 <- iDefense states that patches exist which resolve this
07/16/2008 -> Request clarification regarding which patches resolve
this issue. No response
07/20/2008 -> Follow up regarding patches. No response
07/28/2008 - Disclosure
-----BEGIN PGP SIGNATURE-----
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify
-----END PGP SIGNATURE-----
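The kill-bit workaround mentioned in the message can be audited and applied per host with a short script. The following is an added example, not part of the advisory or the vendor's fix: it uses the CLSID given above and the standard Internet Explorer "ActiveX Compatibility" registry location, and the `-Apply` switch is a name chosen for this script. The kill bit only stops Internet Explorer (and hosts that honour it) from instantiating the control; it does not replace the vendor patch.

```powershell
# Added example: audit (default) or set (-Apply, needs elevation) the IE kill bit
# for the objRemoveCtrl control. CLSID taken from the advisory text.
param(
    [string]$Clsid = '5EFE8CB1-D095-11D1-88FC-0080C859833B',
    [switch]$Apply
)

$KillBit  = 0x400                  # "Compatibility Flags" bit that blocks instantiation in IE
$ValueName = 'Compatibility Flags'

# 64-bit Windows keeps a second registry view used by 32-bit Internet Explorer.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

foreach ($root in $roots) {
    $key   = Join-Path $root ('{' + $Clsid + '}')
    $flags = 0

    # Read the current flags, if the key and value exist.
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.$ValueName }
    }
    $isSet = ($flags -band $KillBit) -eq $KillBit

    if (-not $isSet -and $Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present are preserved.
        $flags = $flags -bor $KillBit
        Set-ItemProperty -Path $key -Name $ValueName -Value $flags -Type DWord
        $isSet = $true
    }

    # One result object per registry view, suitable for Export-Csv or fleet reporting.
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = $isSet
    }
}
```

Run without arguments to report the current state; any row with `KillBitSet` equal to `False` marks a registry view where the control can still be loaded by Internet Explorer.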