Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: TrendMicro OfficeScan tmlisten.exe DoS
From: Heiko.Herold () PREVINET IT (Herold Heiko)
Date: Mon, 28 Feb 2000 09:36:32 +0100


Does happen here, too. Same situation (version), just a simple telnet
with random data (a few bytes) is enough to crash the service.
Tmlisten.exe does crash usually when the telnet connection is closed, not
when you send the data.
Did test with NTws machines only.
Heiko

-- PREVINET S.p.A.            Heiko.Herold () previnet it
-- Via Marocchesa, 14         ph  x39-041-5494228
-- I-31021 Mogliano V.to (TV) fax x39-041-5492263
-- ITALY

-----Original Message-----
From: Jeff Stevens [SMTP:JStevens () UMEME MAINE EDU]
Sent: Friday, February 25, 2000 11:10 PM
To:   BUGTRAQ () SECURITYFOCUS COM
Subject:      TrendMicro OfficeScan tmlisten.exe DoS

While playing around with nmap I managed to pull down a bunch of our NT
workstations running OfficeScan.  This could potentially be used as a
DoS
attack to bring down any NT machine running OfficeScan.  I used the
following command where machine.domain.com is a Windows NT machine
running
either SP 4 or 5 or a Win2k RC3 box.

nmap -sT -O -p 12345 machine.domain.com

One of three things can happen:

      (1)     Nothing -- rare but it does happen.
      (2)     The machine slows to a halt as tmlisten.exe pulls 100%
CPU.
      (3)     Visual C++ error as tmlisten.exe crashes.

OfficeScan 3.5, scan engine 5.100 and pattern file 663 are running on
the
target machine.  (all current)

I can also make the process dump with a Visual C++ error if I send a
bunch
of data via telnet.

Upon contacting Trend via phone, they said they were aware of a similar
problem with earlier versions but version 3.5 has been fixed.  They are
looking into it.

Curious if anyone else can recreate this?  Or give me a set of
addresses and
I'll see if I can!  :^)

Jeff Stevens
Network Administrator
Civil/Mechanical Engineering
5711 Boardman Hall, Room 17
Orono, ME 04469
(207) 581-2140


  By Date           By Thread  

Current thread:
  • Re: TrendMicro OfficeScan tmlisten.exe DoS Herold Heiko (Feb 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault