Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability
From: "Elazar Broad" <elazar () hushmail com>
Date: Tue, 29 Jul 2008 11:09:50 -0400



On Mon, 28 Jul 2008 13:14:37 -0400 Elazar Broad 
<elazar () hushmail com> wrote:
Who:
Trend Micro
http://www.trendmicro.com

What:
OfficeScan 7.3 build 1343(Patch 4) and older
http://www.trendmicro.com/download/product.asp?productid=5

How:
OfficeScan's Web Console utilizes several ActiveX controls when
deploying the product through the web interface. One of these
controls, objRemoveCtrl, is vulnerable to a stack-based buffer
overflow when embedded in a webpage. The one caveat to this issue
is that the control must be embedded in such a way that it CAN be
visible, i.e. obj = new ActiveXObject() will not work. The issue
lies in the code that is used to display certain properties and
their values on the control when it is embedded in a page.

OfficeScanRemoveCtrl.dll, version 7.3.0.1020
{5EFE8CB1-D095-11D1-88FC-0080C859833B}
Commonly located: systemdrive\Windows\Downloaded Program Files
CAB location on server: officescan install
path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab


The following properties are vulnerable:

HttpBased
LatestPatternServer
LatestPatternURL
LocalServerPort
MasterDirectory
MoreFiles
PatternFilename
ProxyLogin
ProxyPassword
ProxyPort
ProxyServer
RegistryINIFilename
Server
ServerIniFile
ServerPort
ServerSubDir
ServiceDisplayName
ServiceFilename
ServiceName
ShellExtensionFilename
ShortcutFileList
ShortcutNameList
UninstallPassword
UnloadPassword
UseProxy

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/KB/240797

Fix:
As stated below, reportedly there are patches for this issue,
however, I have been able to exploit this issue in a test
environment running OfficeScan 7.3 patch 4(latest available 
patch).

Timeline:
06/27/2008 -> Vulnerability discovered and reported to iDefense
07/02/2008 <- Request for further information
07/16/2008 <- iDefense states that patches exist which resolve 
this
issue
07/16/2008 -> Request clarification regarding which patches 
resolve
this issue. No response
07/20/2008 -> Follow up regarding patches. No response
07/28/2008 - Disclosure

Another possible fix for this is to copy the RemoveCtrl.cab from 
8.0(you can download it from here 
http://www.trendmicro.com/download/product.asp?productid=5, as 
stated above, 8.x is not vulnerable since the control uses *_s 
functions as opposed to the standard C functions). The 8.0 critical 
patch B1242 has a copy of this CAB so you don't need to download 
the entire 8.0 package, and replace the one located in the 
ClientInstall folder on the OfficeScan server. I have not tested to 
see if this breaks web deployment or not.  

--
Get great prices on a huge selection of brand name silk ties. Click now!
http://tagline.hushmail.com/fc/Ioyw6h4c1tQMG4FLeNJMaojFoAHna7mAn0iAWWKYagfAe4eOcH0JL6/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Re: [Full-disclosure] Trend Micro OfficeScan ObjRemoveCtrl ActiveX Control Buffer Overflow Vulnerability Elazar Broad (Jul 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault