ID 201 seemed particularly interesting, here’s part of the server’s answer: HTTP/1.1 200 OK The RequestID parameters were the same, but I quickly loaded the request to Burp Intruder and tried to brute-force other valid identifiers. I started to monitor the network connections of the clients and found some interesting interfaces, one of these looked like this: POST /officescan/cgi/isapiClient.dll HTTP/1.1 I assumed that there must be some kind of connection between the server and the clients so the clients can obtain new updates and configuration parameters. I focused my research on the clients as these are widely deployed on a typical network. This publication comes after months of discussion with the vendor in accordance with the disclosure policy of the HP Zero Day Initiative. As such, they are not trivial to fix or even decide if they are in fact vulnerabilities. The issues are logic and/or cryptographic flaws, not standard memory corruption issues. Now I would like to share a series of little issues which can be chained together to achieve remote code execution.
TREND MICRO OFFICESCAN INSTALL
The clients install ActiveX controls into Internet ExplorerĪnd there are possibly many other fragile parts of the system.
TREND MICRO OFFICESCAN SOFTWARE
After installing a trial version (10.6 SP1) I could already tell that this software will worth the effort: Since this software looked quite complex (big attack surface) I decided to take a closer look at it. Earlier this year I stumbled upon the OfficeScan security suite by Trend Micro, a probably lesser known host protection solution (AV) still used at some interesting networks. Analyzing the security of security software is one of my favorite research areas: it is always ironic to see software originally meant to protect your systems open a gaping door for the attackers.
0 kommentar(er)
