Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 HTTP:PKG:OFFICESCAN-JDKRQNOTIFY

Severity

 High

Recommended

 No

Recommended Action

 Drop

Category

 HTTP

Release Date

 2003/04/22

Update Number

 1213

Supported Platforms

 idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Trend Micro OfficeScan jdkRqNotify


This signature detects attempts to exploit a known vulnerability against Officescan Management Server. Because the server does not have a session concept, it allows direct navigation to scripts that are normally available only after authentication. Attackers on the corporate network, using a remote configuration script, can perform administrative tasks without prior authentication.

Extended Description

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, the administrator is given the capability to manage the OfficeScan network through an HTML interface. This can be accessed by requesting the authentication form which is located at http: //target/officescan/. It prompts the user for the admin password, however it is transmitted in plaintext which can be intercepted by any user on the network running a packet sniffer specifically searching for the string "TMLogon=<password>". A larger problem exists in that any user with access to the web server is able to perform administrative functions without any sort of authorization simply by requesting specific URLs. This is accomplished by requesting certain CGI files such as jdkRqNotify.exe. A request for jdkRqNotify.exe in conjunction with a domain name on the network and an administrative event code number would allow any user on the network to perform certain administrative duties. eg. http://target/officescan/cgi/jdkRqNotify.exe?domain=<domain name>&event=<event code number> Examples of event code numbers are: 11: Scan now 12: Uninstall 14: Roll back 15: New alert message 16: New intranet proxy 17: New privilege 18: New protocol 19: New password 20: New client These OfficeScan vulnerabilities only exist on a Microsoft NT Server machine running Microsoft IIS. OfficeScan running on Novell Netware servers are not vulnerable.

Affected Products

  • Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.0.0
  • Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.11.0
  • Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.13.0
  • Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.5.0
  • Trend Micro OfficeScan For Microsoft SBS 4.5.0

References

  • BugTraq: 1057
  • URL: http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=13353

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out