On Mon, 28 Jul 2008 13:14:37 -0400 Elazar Broad <[EMAIL PROTECTED]> wrote:

>Who:
>Trend Micro
>http://www.trendmicro.com
>
>What:
>OfficeScan 7.3 build 1343 (Patch 4) and older
>http://www.trendmicro.com/download/product.asp?productid=5
>
>How:
>OfficeScan's Web Console utilizes several ActiveX controls when
>deploying the product through the web interface. One of these
>controls, objRemoveCtrl, is vulnerable to a stack-based buffer
>overflow when embedded in a webpage. The one caveat to this issue
>is that the control must be embedded in such a way that it CAN be
>visible, i.e. obj = new ActiveXObject() will not work. The issue
>lies in the code that is used to display certain properties and
>their values on the control when it is embedded in a page.
>
>OfficeScanRemoveCtrl.dll, version 7.3.0.1020
>{5EFE8CB1-D095-11D1-88FC-0080C859833B}
>Commonly located: systemdrive\Windows\Downloaded Program Files
>CAB location on server: officescan install
>path\OfficeScan\PCCSRV\Web_console\ClientInstall\RemoveCtrl.cab
>
>The following properties are vulnerable:
>
>HttpBased
>LatestPatternServer
>LatestPatternURL
>LocalServerPort
>MasterDirectory
>MoreFiles
>PatternFilename
>ProxyLogin
>ProxyPassword
>ProxyPort
>ProxyServer
>RegistryINIFilename
>Server
>ServerIniFile
>ServerPort
>ServerSubDir
>ServiceDisplayName
>ServiceFilename
>ServiceName
>ShellExtensionFilename
>ShortcutFileList
>ShortcutNameList
>UninstallPassword
>UnloadPassword
>UseProxy
>
>Workaround:
>Set the killbit for the affected control. See
>http://support.microsoft.com/KB/240797
>
>Fix:
>As stated below, reportedly there are patches for this issue;
>however, I have been able to exploit this issue in a test
>environment running OfficeScan 7.3 patch 4 (latest available
>patch).
>
>Timeline:
>06/27/2008 -> Vulnerability discovered and reported to iDefense
>07/02/2008 <- Request for further information
>07/16/2008 <- iDefense states that patches exist which resolve this issue
>07/16/2008 -> Request clarification regarding which patches resolve this issue. No response
>07/20/2008 -> Follow up regarding patches. No response
>07/28/2008 - Disclosure
Another possible fix for this is to copy the RemoveCtrl.cab from 8.0 (you can download it from here: http://www.trendmicro.com/download/product.asp?productid=5; as stated above, 8.x is not vulnerable since the control uses *_s functions as opposed to the standard C functions). The 8.0 critical patch B1242 has a copy of this CAB, so you don't need to download the entire 8.0 package, and replace the one located in the ClientInstall folder on the OfficeScan server. I have not tested to see if this breaks web deployment or not.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
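A defender-side implementation of the advisory's kill-bit workaround, added here as an example and not part of the original post or of Trend Micro's tooling: it reads the version of the installed OfficeScanRemoveCtrl.dll, treats anything below 8.0 as affected (the advisory's 7.3.0.1020 and older), and sets the Internet Explorer kill bit for the control's CLSID using the registry key described in KB240797. The Downloaded Program Files location and the 8.0 version threshold are assumptions taken from the advisory text.

```powershell
# Added example, not the advisory's own code. Checks the installed control's
# version and applies the advisory's workaround (IE kill bit per KB240797).
# Assumptions: the DLL lives in %SystemRoot%\Downloaded Program Files as the
# advisory notes, and any build below 8.0 is treated as affected.

$Clsid       = '{5EFE8CB1-D095-11D1-88FC-0080C859833B}'
$DllPath     = Join-Path $env:SystemRoot 'Downloaded Program Files\OfficeScanRemoveCtrl.dll'
$KillBitKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBitFlag = 0x400   # Compatibility Flags bit that blocks the control in IE

function Get-RemoveCtrlVersion {
    # Returns the control's file version as [version], or $null if not installed.
    if (-not (Test-Path -LiteralPath $DllPath)) { return $null }
    $vi = (Get-Item -LiteralPath $DllPath).VersionInfo
    return New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-RemoveCtrlVulnerable {
    # Advisory: 7.3 build 1343 (Patch 4) and older affected; 8.x uses *_s functions.
    param([version]$Version)
    if ($null -eq $Version) { return $false }
    return $Version -lt [version]'8.0'
}

function Test-RemoveCtrlKillBit {
    # $true when the kill bit is already present in Compatibility Flags.
    $item = Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBitFlag) -ne 0)
}

function Set-RemoveCtrlKillBit {
    # Creates the ActiveX Compatibility key for the CLSID and ORs in the kill bit,
    # preserving any other compatibility flags already set.
    if (-not (Test-Path $KillBitKey)) { New-Item -Path $KillBitKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBitFlag
    New-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

$ver = Get-RemoveCtrlVersion
if (Test-RemoveCtrlVulnerable $ver) {
    Write-Output "Affected OfficeScanRemoveCtrl.dll $ver found; setting kill bit for $Clsid"
    Set-RemoveCtrlKillBit
}
Write-Output ("Kill bit set for {0}: {1}" -f $Clsid, (Test-RemoveCtrlKillBit))
```

Run from an elevated prompt; on 64-bit Windows the same value should also be written under the Wow6432Node path so that 32-bit Internet Explorer honours it.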
