Trend OfficeScan clients not updating
I monitored the client-server communication for quite some time and I realized that after issuing a configuration change at the server, a special HTTP request is sent from the server to the TCP/61832 port of the client. This is a simple GET request in the form of:

As you can see, this algorithm is basically a simple polyalphabetic cipher (similar to the Vigenère cipher), which I could easily recreate independently of the original library: after running a quick loop that encrypted 1KB strings of all printable characters (1024 times ‘A’, 1024 times ‘B’, etc.), I had a database that could be used to encrypt and decrypt virtually anything.

I recently installed patch 11.1 (1639) on my Office Scan Server, and all my 32-bit clients updated automatically to the new version. PS: Does anybody know the future plans regarding the official TM forum (since there isn't one anymore)?
ID 201 seemed particularly interesting; here’s part of the server’s answer:

    HTTP/1.1 200 OK
    Date: Wed, GMT
    Server: Apache
    Content-Length: 2296
    Connection: close
    Content-Type: application/octet-stream

    [INI_CRITICAL_SECTION]
    Master_Domain Name=192.168.124.134
    Master_Domain Port=8080
    Use Proxy=0
    Proxy_IP=
    Proxy_Port=
    Proxy_Login=
    Proxy_Pwd=
    Intranet_Proxy_Socks=0
    Intranet_No Proxy Cache=0
    HTTP_Expired_Day=30
    Service Pack_Version=0
    Licensed_User Name=
    Uninstall_Pwd=! 5231C05389DD886C99EA4646653498C2DB98EFD6EF61BD4907B2BD97E4ACDAED73AEE46B44AACBC450915317269
    Unload_Pwd=!

Actually, the clients can be unloaded or uninstalled only after providing a special password (a SYSTEM-level service is responsible for protecting the main processes of the application from being killed or debugged); this is what we see encoded in these fields. The Office Scan program directory contains a file called :

The naming is not coincidental: this subroutine references two strings which definitely look like hardcoded passwords:

After a quick Google search (Protip: always google strings like these; you can save yourself lots of time by not recreating public results) one can find this post by Luigi Auriemma, which describes that this function is used to decrypt the above configuration parameters and in this case returns the MD5 hashes of the uninstall/unload passwords.
From an exploitation standpoint this is bad, since you can’t really guess this value, but if we strengthen our attacker model a bit we can find some realistic vectors, since:

So for the sake of this writeup let’s assume that we know this GUID – what can we achieve with the notification messages?