Trend Micro roaming mode not updating
We run Trend Micro Officescan on the rest of our network and want to use Officescan on these servers too. But what is the point if you don't update the definitions.
We want completely autonomous instances of OfficeScan where the clients do not need to contact an OfficeScan server for configuration updates or pattern file / scan engine updates. In the DMZ the OfficeScan client will run and will typically show "red" unless you allow it to contact the update server.
MD5 can be effectively brute-forced, so this is definitely bad, not to mention that the proxy password can be retrieved in plain text.
But this is not really high impact, so I dug further.
I started to monitor the network connections of the clients and found some interesting interfaces; one of these looked like this:

    POST /officescan/cgi/isapi HTTP/1.1
    User-Agent: 11111111111111111111111111111111
    Accept: */*
    Host: 192.168.124.180
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 96
    Proxy-Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache
    Connection: close

    Request ID=123&Function Type=0&UID=11111111-2222-3333-4444-555555555555&RELEASE=10.6&chk Database=1

The Request ID parameters were the same, but I quickly loaded the request into Burp Intruder and tried to brute-force other valid identifiers. 5231C05389DD886C99EA4646653498C2DB98EFD6EF61BD4907B2BD97E4ACDAED73AEE46B44AACBC450915317269 (...) which are (seemingly) encrypted, indicating that these params are something to protect.
When I right click and select "Update Now" it attempts to connect and I receive the following error: "Unable to connect to the server.
Step 6: Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_ALINA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required.
You may opt to simply delete the quarantined files.
As such, they are not trivial to fix, or even to decide whether they are in fact vulnerabilities.
This publication comes after months of discussion with the vendor in accordance with the disclosure policy of the HP Zero Day Initiative.