Trend officescan clients not updating validating rapid micro methods

I put together a small Mit Mproxy script for this task: Still, my evil plan didn’t work, what could have gone wrong?

Although the executables of OSCE are stripped from debug information, the developers left many debug strings in the programs which are usually used through different “logger” functions.

I could later use this database to construct my exploit without the original binaries or lots of reverse engineering.

Back to the original problem, let’s decrypt the hex string already: SEQ=80&DELAY=0&USEPROXY=0&PROXY=&PROXYPORT=0&PROXYLOGIN=&PROXYPWD=&SERVER= NT_Version=10.6&Pcc95_Version=10.6&Engine NT_Version=9.700.1001&Engine95_Version=&ptch Hotfix Date=20131228153813&PTNFILE=1050100&ROLLBACK=1050100&MESSAGE=20&TIME=201312281648170406&DIRECT_UPDATE=1&IP=60d9f344c3a3868f909a6ae787e9d183&NT_ENGINE_ROLLBACK=9.700.1001&95_ENGINE_ROLLBACK=&TSCPTN_VERSION=1348&TSCENG_VERSION=7.1.1044&SPYWARE=0&CTA=2.1.103&CFWENG_VERSION=5.82.1050&CFWPTN_VERSION=10333&DCSSPYPTN_VERSION=222&VAPTN_VERSION=&ITRAP_WHITE_VERSION=93900&ITRAP_BLACK_VERSION=17100&VSAPI2ENG_VERSION=&VSAPI2PTN_VERSION=&SSAPIENG_VERSION=6.2.3030&SSAPIVSTENG_VERSION=&SSAPIPTN_VERSION=1469&SSAPITMASSAPTN_VERSION=146900&ROOTKITMODULE_VERSION=2.95.1170&Release IPList=&NVW300_VERSION=&Cleaned IPList=&NON_CRC_PATTERN_ROLLBACK=1050100&NON_CRC_PATTERN_VERSION=1050100&SETTING_SEQUENCE=0160670003&INDIVIDUAL_SETTING=1 The purpose of this message is to notify the clients that there are new configuration parameters to be applied.

Optionally initiate Scan Now (manual scan) on client computers after the update.

If the Office Scan server is unable to successfully send an update notification to clients after it downloads components, it automatically resends the notification after 15 minutes.

) parameter, that is the GUID of the client generated at install time.

From exploitation standpoint this is bad, since you can’t really guess this value, but if we strengthen our attacker model a bit we can find some realistic vectors, since: So for the sake of this writeup let’s assume that we know this GUID – what can we achieve with the notification messages?

It is obvious that we can set our own address as the servers or act as a proxy by setting the appropriate parameters in the initial notification message.

If we set up some higher version numbers in the notification we can also trigger the update process of the software, and we can set our own host as a server or a proxy effectively gaining man-in-the-middle position.

From this point the most obvious way to gain control over the client is to hijack the update process and let the client download and execute a malicious binary as part of the update.

Leave a Reply