Vulnerabilities > CVE-2001-1151 - Unspecified vulnerability in Trend Micro Officescan and Virus Buster

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
trend-micro
nessus
NVD
Published: 2001-10-15
Updated: 2024-11-20

Summary

Trend Micro OfficeScan Corporate Edition (aka Virus Buster) 3.53 allows remote attackers to access sensitive information from the hotdownload directory without authentication, such as the ofcscan.ini configuration file, which contains a weakly encrypted password.

Vulnerable Configurations

Part Description Count
Application
Trend_Micro
2

Nessus

NASL familyCGI abuses
NASL idOFFICESCAN_DISCLOSURE.NASL
descriptionThe remote Trend Micro OfficeScan Corporate Edition (Japanese version: Virus Buster Corporate Edition) web-based management console allows unauthenticated access to files under
last seen2020-03-18
modified2002-08-14
plugin id11074
published2002-08-14
reporterThis script is Copyright (C) 2002-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/11074
titleTrend Micro OfficeScan ofcscan.ini Configuration File Disclosure
code
#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
#      Erik Anderson <[email protected]>
#      Added BugtraqID

# References :
# Date:  Tue, 16 Oct 2001 11:34:56 +0900
# From: "[email protected]" <[email protected]>
# To: [email protected]
# Subject: [SNS Advisory No.44] Trend Micro OfficeScan Corporate Edition
# (Virus Buster Corporate Edition) Configuration File Disclosure Vulnerability
#

include("compat.inc");

if (description)
{
 script_id(11074);
 script_version("1.24");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");

 script_cve_id("CVE-2001-1151");
 script_bugtraq_id(3438);

 script_name(english:"Trend Micro OfficeScan ofcscan.ini Configuration File Disclosure");
 script_summary(english:"Checks for the presence of /officescan/hotdownload/ofscan.ini");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by an information
disclosure vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote Trend Micro OfficeScan Corporate Edition (Japanese version:
Virus Buster Corporate Edition) web-based management console allows
unauthenticated access to files under '/officescan/hotdownload'.

Reading the configuration file 'ofcscan.ini' under that location will
reveal information about the target. For example, it contains
passwords that are encrypted using a weak algorithm.");
 # https://web.archive.org/web/20011223111241/http://www.lac.co.jp/security/english/snsadv_e/44_e.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f8bdd721");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Oct/102");
 script_set_attribute(attribute:"solution", value:"Contact the vendor for a fix.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-1151");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2001/10/16");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/14");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
 script_end_attributes();

 script_category(ACT_ATTACK);
 script_family(english:"CGI abuses");

 script_copyright(english:"This script is Copyright (C) 2002-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

 script_dependencies("http_version.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www", 80);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);

dir = '/officescan/hotdownload';
file = 'ofscan.ini';
url = dir + '/' + file;

res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

hdrs = parse_http_headers(status_line:res[0], headers:res[1]);
if (isnull(hdrs['$code'])) code = 0;
else code = hdrs['$code'];

req = http_last_sent_request();

if (code == 200)
{
  res2 = http_send_recv3(method:"GET", item:dir+'/nessus.ini', port:port, exit_on_fail:TRUE);
  hdrs2 = parse_http_headers(status_line:res2[0], headers:res2[1]);
  if (isnull(hdrs2['$code'])) code2 = 0;
  else code2 = hdrs2['$code'];

  if (code2 == 200 || strlen(res2[2])) exit(0, "The web server listening on port "+port+" responded to a request for 'nessus.ini'.");

  report = NULL;
  attach_file = NULL;
  output = NULL;
  request = NULL;

  if (report_verbosity > 0)
  {
    report =
      '\n' + "Nessus was able to obtain the contents of '" + file + "' with the" +
      '\n' + 'following request :' +
      '\n' +
      '\n  ' + req +
      '\n';

    if (report_verbosity > 1)
    {
      output = data_protection::sanitize_user_full_redaction(output:res[2]);
      attach_file = file;
      request = make_list(req);
    }
  }

  security_report_v4(port:port,
                     extra:report,
                     severity:SECURITY_WARNING,
                     request:request,
                     file:attach_file,
                     output:output);

  exit(0);
}
else exit(0, "The web server listening on port "+port+" is not affected.");

References