Bugtraq mailing list archives


Re: Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack


From: shadown <shadown () gmail com>
Date: Fri, 14 Jan 2005 13:04:00 -0300

Hi,

If it doesn't have a client application cert, indeed it's a vulnerability. If someone arppoison (well any MiM techniques that could redirect the traffic to pass through you) could portredirect and handle the ssl connection. And sniff it so it's not enough just ssl. Could be done with stunnel, maybe? ;)

> We thank you for pointing out this to us and we are grateful that our products are "checked" for security issues! We can sometime like in this case just assume that all think of security issues but the truth is that IT personnel have more than security to think about. So things like this are constantly missed!

I've tested officescan (last version)....weak registry permissions.
ie:
HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\ -> NoPwdProtect = 1
(will enable to unload without pass, as your product doesn't apply permission on these reg keys)

I remember old versions weak pccsrv sharing permissions (default permission, everyone fullcontrol I mean, comes to mind...infecting autopcc ?).
Is it still the same?

Cheers,
   shadown

On Thu, 13 Jan 2005 13:06:31 -0800, Hammud_Saway () premium trendmicro com <Hammud_Saway () premium trendmicro com> wrote:

> Dear Bugtraq,
>
> Here is Trend Micro's reply to this claim
>
> This kind of sniffing and "hijacking" of login could be done to almost all ordinary installed http products with login procedure.
>
> Since we offer a way to install it with HTTPS(SSL) and making login and communicating with the server secure, we have an internal discussion about if we should call this a "Vulnerability" or not.
>
> We have made the R&D promise that next version will be with the question in the installation program for installing SSL support.
>
> On the other hand this product should be installed by IT professionals. And it should be obvious to them that IIS in http mode is not secure enough.
>
> We thank you for pointing out this to us and we are grateful that our products are "checked" for security issues! We can sometime like in this case just assume that all think of security issues but the truth is that IT personnel have more than security to think about. So things like this are constantly missed!
>
> Here is a link on how to enable HTTPS support for Trend Micro Control Manager
> http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionId=21306
>
> Thanks,
> Hammud Saway
> Trend Micro
> Global Director of Premium Services
>
> From: "CIRT Advisory" <advisory () cirt dk>
> To: <bugtraq () securityfocus com>
> Subject: Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack
> Date: Thu, 13 Jan 2005 19:45:53 +0100
> X-Mailer: Microsoft Outlook, Build 10.0.6626
>
> The web application is vulnerable to a replay attack, meaning that the username and password are encrypted but no form of timestamp is used to make this mechanism more advanced and secure.
>
> If it is possible to sniff the traffic when a user logs in to the administrative interface, it is possible to replay this sequence and get a valid login session, with the rights of the user.
>
> Vendor's response to this was, it is a feature not a vulnerability and all the others also have this problem.
>
> Read the full advisory at
> http://www.cirt.dk/advisories/cirt-28-advisory.pdf
>
> ----------------------------------------------------------------------
> Danish Incident Response Team
> http://www.cirt.dk
> ----------------------------------------------------------------------

-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown () gmail com
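
The advisory's point about the missing timestamp, shown as an added example that is not part of the original thread and is not Trend Micro's code: a login value that is identical on every attempt verifies again when replayed, while a server-issued, single-use nonce with an expiry does not. `USER_KEYS`, `ChallengeServer`, `MAX_SKEW` and the demo key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import os
import time

# Constructed demo key; stands in for a stored per-user credential secret.
USER_KEYS = {"admin": hashlib.sha256(b"constructed-demo-password").digest()}
MAX_SKEW = 30  # seconds a challenge stays valid (assumed policy)


def static_login_blob(user, key):
    """Weak scheme: the same protected bytes are sent on every login."""
    return hmac.new(key, user.encode(), hashlib.sha256).digest()


def verify_static(user, blob):
    key = USER_KEYS.get(user)
    if key is None:
        return False
    # Nothing ties the blob to one attempt, so a captured copy verifies again.
    return hmac.compare_digest(static_login_blob(user, key), blob)


def client_response(user, key, nonce):
    """Client side of the hardened scheme: bind the proof to the server nonce."""
    return hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()


class ChallengeServer:
    """Hardened scheme: random nonce with an issue time, usable exactly once."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # nonce -> time it was issued

    def challenge(self):
        nonce = os.urandom(16)
        self.pending[nonce] = self.clock()
        return nonce

    def verify(self, user, nonce, response):
        issued = self.pending.pop(nonce, None)  # pop makes the nonce single-use
        if issued is None or self.clock() - issued > MAX_SKEW:
            return False  # unknown, already used, or expired challenge
        key = USER_KEYS.get(user)
        if key is None:
            return False
        return hmac.compare_digest(client_response(user, key, nonce), response)
```

This covers replay of a captured login only; the HTTPS setup described in the vendor reply is still what protects the session that follows.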
