[14047] in bugtraq
TrendMicro OfficeScan tmlisten.exe DoS
daemon@ATHENA.MIT.EDU (Jeff Stevens)
Sun Feb 27 23:28:48 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <9966DB1E6AC1D31192F90000F8219F97159E@genie.umeme.maine.edu>
Date: Fri, 25 Feb 2000 17:10:17 -0500
Reply-To: Jeff Stevens <JStevens@UMEME.MAINE.EDU>
From: Jeff Stevens <JStevens@UMEME.MAINE.EDU>
X-To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
While playing around with nmap I managed to pull down a bunch of our NT
workstations running OfficeScan. This could potentially be used as a DoS
attack to bring down any NT machine running OfficeScan. I used the
following command where machine.domain.com is a Windows NT machine running
either SP 4 or 5 or a Win2k RC3 box.
nmap -sT -O -p 12345 machine.domain.com
One of three things can happen:
(1) Nothing -- rare but it does happen.
(2) The machine slows to a halt as tmlisten.exe pulls 100% CPU.
(3) Visual C++ error as tmlisten.exe crashes.
OfficeScan 3.5, scan engine 5.100 and pattern file 663 are running on the
target machine. (all current)
I can also make the process dump with a Visual C++ error if I send a bunch
of data via telnet.
Upon contacting Trend via phone, they said they were aware of a similar
problem with earlier versions but version 3.5 has been fixed. They are
looking into it.
Curious if anyone else can recreate this? Or give me a set of addresses and
I'll see if I can! :^)
Jeff Stevens
Network Administrator
Civil/Mechanical Engineering
5711 Boardman Hall, Room 17
Orono, ME 04469
(207) 581-2140
