mailing list archives
Re: TrendMicro OfficeScan tmlisten.exe DoS
From: Heiko.Herold () PREVINET IT (Herold Heiko)
Date: Mon, 28 Feb 2000 09:36:32 +0100
Does happen here, too. Same situation (version), just a simple telnet
with random data (a few bytes) is enough to crash the service.
Tmlisten.exe does crash usually when the telnet connection is closed, not
when you send the data.
Did test with NTws machines only.
-- PREVINET S.p.A. Heiko.Herold () previnet it
-- Via Marocchesa, 14 ph x39-041-5494228
-- I-31021 Mogliano V.to (TV) fax x39-041-5492263
From: Jeff Stevens [SMTP:JStevens () UMEME MAINE EDU]
Sent: Friday, February 25, 2000 11:10 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: TrendMicro OfficeScan tmlisten.exe DoS
While playing around with nmap I managed to pull down a bunch of our NT
workstations running OfficeScan. This could potentially be used as a
attack to bring down any NT machine running OfficeScan. I used the
following command where machine.domain.com is a Windows NT machine
either SP 4 or 5 or a Win2k RC3 box.
nmap -sT -O -p 12345 machine.domain.com
One of three things can happen:
(1) Nothing -- rare but it does happen.
(2) The machine slows to a halt as tmlisten.exe pulls 100%
(3) Visual C++ error as tmlisten.exe crashes.
OfficeScan 3.5, scan engine 5.100 and pattern file 663 are running on
target machine. (all current)
I can also make the process dump with a Visual C++ error if I send a
of data via telnet.
Upon contacting Trend via phone, they said they were aware of a similar
problem with earlier versions but version 3.5 has been fixed. They are
looking into it.
Curious if anyone else can recreate this? Or give me a set of
I'll see if I can! :^)
5711 Boardman Hall, Room 17
Orono, ME 04469
- Re: TrendMicro OfficeScan tmlisten.exe DoS Herold Heiko (Feb 28)