| Short Name | HTTP:PKG:OFFICESCAN-JDKRQNOTIFY |
|---|---|
| Severity | High |
| Recommended | No |
| Recommended Action | Drop |
| Category | HTTP |
| Release Date | 2003/04/22 |
| Update Number | 1213 |
| Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
This signature detects attempts to exploit a known vulnerability in the Trend Micro OfficeScan Management Server. Because the server has no session concept, it allows direct navigation to scripts that are normally reachable only after authentication. Attackers on the corporate network can therefore use a remote configuration script to perform administrative tasks without prior authentication.

Trend Micro OfficeScan is an antivirus product that can be deployed across an entire network. During installation of the management software, the administrator is asked to choose between managing from a web server or from a file server. If the web server option is chosen, the administrator can manage the OfficeScan network through an HTML interface, reached by requesting the authentication form at http://target/officescan/. The form prompts for the admin password, but the password is transmitted in plaintext and can be intercepted by any user on the network running a packet sniffer that searches for the string "TMLogon=<password>".

A larger problem is that any user with access to the web server can perform administrative functions without any authorization simply by requesting specific URLs. This is done by requesting certain CGI files such as jdkRqNotify.exe. A request for jdkRqNotify.exe that supplies a domain name on the network and an administrative event code allows any user on the network to perform certain administrative duties, for example:

http://target/officescan/cgi/jdkRqNotify.exe?domain=<domain name>&event=<event code number>

Examples of event code numbers are:

- 11: Scan now
- 12: Uninstall
- 14: Roll back
- 15: New alert message
- 16: New intranet proxy
- 17: New privilege
- 18: New protocol
- 19: New password
- 20: New client

These OfficeScan vulnerabilities exist only on a Microsoft NT Server machine running Microsoft IIS. OfficeScan running on Novell NetWare servers is not vulnerable.
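The following is an added example (not Juniper's signature logic or Trend Micro's code) showing how a defender could triage IIS access logs for the unauthenticated jdkRqNotify.exe requests described above; it assumes Common Log Format lines and uses the event-code mapping from this page to label each hit.

```python
import re
from urllib.parse import urlparse, parse_qs

# Event codes as listed in the signature description above.
EVENT_CODES = {
    "11": "Scan now", "12": "Uninstall", "14": "Roll back",
    "15": "New alert message", "16": "New intranet proxy",
    "17": "New privilege", "18": "New protocol", "19": "New password",
    "20": "New client",
}

# Common Log Format: client - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return an alert dict if the line is a jdkRqNotify.exe request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    if not url.path.lower().endswith("/officescan/cgi/jdkrqnotify.exe"):
        return None
    qs = parse_qs(url.query)
    event = qs.get("event", [None])[0]
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "domain": qs.get("domain", [None])[0],
        "event": event,
        "action": EVENT_CODES.get(event, "unknown event code"),
        "status": int(m.group("status")),
    }

def scan(lines):
    """Run classify() over every log line and keep only the alerts."""
    return [a for a in (classify(line) for line in lines) if a]

# Constructed sample log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Apr/2003:10:01:02 +0000] "GET /officescan/ HTTP/1.0" 200 512',
    '10.0.0.9 - - [22/Apr/2003:10:02:15 +0000] "GET /officescan/cgi/jdkRqNotify.exe?domain=CORP&event=12 HTTP/1.0" 200 88',
    '10.0.0.9 - - [22/Apr/2003:10:02:16 +0000] "GET /officescan/cgi/jdkRqNotify.exe?domain=CORP&event=19 HTTP/1.0" 200 88',
    '10.0.0.7 - - [22/Apr/2003:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A 200 status on such a request is the signal that matters, since the server answers the management CGI without any prior TMLogon authentication.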