Published: 2000-02-28 00:00:00
Revised: 2008-09-10 15:03:17

[Original] The Trend Micro OfficeScan client allows remote attackers to cause a denial of service by making 5 connections to port 12345, which raises CPU utilization to 100%.

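[CNNVD] Trend Micro OfficeScan Remote Denial of Service Vulnerability (CNNVD-200002-082)

        Trend Micro OfficeScan is distributed antivirus software that covers an entire network segment. During installation, the administrator is asked whether to use web-based management. If web-based management is chosen, the OfficeScan client listens on port 12345/TCP to receive periodic virus database updates or commands from the OfficeScan management server.
        A remote attacker has several ways to carry out a denial of service attack against Trend Micro OfficeScan.
        Sending random data to 12345/TCP drives the CPU usage of tmlisten.exe to 100% and triggers a Visual C++ error, which eventually crashes the machine.
        04: remotely uninstall the OfficeScan client
        06: start a scan
        07: stop a scan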

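- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]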

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(UNKNOWN)  BUGTRAQ  20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" Vulnerabilies
(UNKNOWN)  BID  1013
(UNKNOWN)  BUGTRAQ  20000226 DOS in Trendmicro OfficeScan

- Vulnerability Information

Trend Micro OfficeScan Remote Denial of Service Vulnerability
Medium severity, Other
2000-02-28 00:00:00 2005-10-20 00:00:00

- Advisories and Patches

        Trend Micro

        Trend Micro OfficeScan Corporate Edition 3.0:
         Trend Micro Patch OfficeScan 3.0
         OfficeScan 3.0 users must first upgrade to OfficeScan 3.11 and then apply the OfficeScan 3.13 patch.
         Trend Micro Upgrade OfficeScan 3.0
         OfficeScan 3.0 users must install this package first in order to apply the OfficeScan 3.13 patch.
        Trend Micro OfficeScan Corporate Edition 3.5:
         Trend Micro Patch OfficeScan 3.5
        Trend Micro OfficeScan Corporate Edition 3.11:
         Trend Micro Patch OfficeScan 3.11
         This patch package upgrades OfficeScan 3.11 to OfficeScan 3.13.
        Trend Micro OfficeScan Corporate Edition 3.13:
         Trend Micro Patch OfficeScan 3.13 Patch

- Vulnerability Information (19780)

Trend Micro OfficeScan Corporate Edition 3.0/3.5/3.11/3.13 DoS Vulnerabilities (EDBID:19780)
multiple remote
2000-02-26 Verified
0 Jeff Stevens
N/A

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, clients running OfficeScan are configured to listen on port 12345 in order to receive periodic database engine updates and other administrative commands from the OfficeScan manager.

There are several ways for an attacker to cause various denial of service conditions.

Sending random data to port 12345 can cause tmlisten.exe to either consume 100% of the CPU cycles or cause a Visual C++ error and crash the machine.

Furthermore, opening over 5 simultaneous connections to port 12345 while sending random data will cause the service to stop responding to requests. The service will have to be stopped and restarted on each client machine.

It has also been reported that it is possible to cause a denial of service condition by making a single malformed GET request to port 12345.

It is also possible for a local user to capture an administrative command by using a network sniffer. This command can then be modified and replayed against other clients to cause them to perform a variety of actions. Modifying the last two bytes of the request will change the client's response behaviour, including:

04: full uninstallation of the OfficeScan client
06: launch a scan
07: stop a scan

The client makes requests to a few CGI programs on the server, which respond with configuration information. One of these CGIs is cgiRqCfg.exe, which provides configuration details for scan behaviour.

If an attacker were to set up a webserver with the same IP address as the valid server, duplicate the valid server's OfficeScan file structure, and disable the valid server, it would be possible to perform a more subtle DoS by leaving the client installed but modifying the config files to restrict the file types scanned (for example, setting the client to scan only .txt files) or to restrict the types of drives scanned (for example, disabling scanning on removable, fixed, and CD-ROM drives). It is also possible to cause the client to move any infected files to any location on the local machine.

It should also be noted that some intrusion detection systems may detect attacks against port 12345 as Back Orifice attempts, which has the potential to conceal the nature of these attacks.
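Because an IDS may label this traffic as Back Orifice, a defender can triage 12345/TCP events directly. The following is an added example, not part of the original advisory or of Trend Micro's software; the event tuple layout, the `manager_ip` parameter and the position of the command code (the final two hex characters of the query string) are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

MAX_SIMULTANEOUS = 5  # advisory: more than 5 simultaneous connections hang the listener
COMMANDS = {"04": "uninstall client", "06": "launch scan", "07": "stop scan"}
# Assumption: the command code is the last two hex characters of the query string.
REQUEST = re.compile(r"GET\s*/\?([0-9A-Fa-f]{2,})\s*HTTP/1\.[01]")

def classify_request(line):
    """Label one request line captured on 12345/TCP."""
    m = REQUEST.fullmatch(line.strip())
    if m is None:
        return "malformed"
    return COMMANDS.get(m.group(1)[-2:], "other command")

def review(events, manager_ip):
    """events: (time, src, client, kind, detail); kind is open, close or request."""
    alerts, live = [], defaultdict(int)
    for t, src, client, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "open":
            live[client] += 1
            if live[client] == MAX_SIMULTANEOUS + 1:
                alerts.append((t, src, client, "more than 5 simultaneous connections"))
        elif kind == "close":
            live[client] = max(0, live[client] - 1)
        elif kind == "request":
            label = classify_request(detail)
            if label == "malformed":
                alerts.append((t, src, client, "malformed request"))
            elif src != manager_ip:
                alerts.append((t, src, client, label + " from non-manager host"))
    return alerts

# Constructed sample events (documentation addresses, shortened made-up hex strings).
MANAGER = "192.0.2.5"
SAMPLE = [
    (1, MANAGER, "192.0.2.20", "open", ""),
    (2, MANAGER, "192.0.2.20", "request", "GET /?AB12CD06 HTTP/1.0"),
    (3, MANAGER, "192.0.2.20", "close", ""),
    (4, "192.0.2.99", "192.0.2.21", "request", "GET /?AB12CD04 HTTP/1.0"),
    (5, "192.0.2.99", "192.0.2.22", "request", "x9!k random bytes"),
] + [(10 + i, "192.0.2.99", "192.0.2.23", "open", "") for i in range(6)]

if __name__ == "__main__":
    for alert in review(SAMPLE, MANAGER):
        print(alert)
```

The manager's own scan command raises no alert, while the same command class from any other source does, which separates replayed commands from normal administration.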

cgiRqCfg.exe provides the client with configuration settings that disable scanning on all removable, fixed, and CD-ROM drives, and that further disable scanning of all files except those with the extension "YES IT's P0SS1bl3!"

cgiOnStart.exe will need to be put on the attacking webserver as the client expects it.

This script will replay the request to the client, and may be launched from any machine. Modify for your installation and desired client response.

(
sleep 2
echo "GET/?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906HTTP/1.0"
echo "Host: "$1":12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
sleep 5
)| telnet $1 12345 2>&1 | tee -a ./log.txt

Trend Micro Officescan Denial of Service was contributed by Marc Ruef. This tool is a pre-compiled Windows binary with Visual Basic source.

- Vulnerability Information

Trend Micro OfficeScan TCP Connection DoS
Denial of Service
Loss of Availability

- Vulnerability Description

Unknown or Incomplete

- Timeline

2000-02-26 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete