Vulnerabilities > CVE-2006-5211 - Unspecified vulnerability in Trend Micro Officescan Corporate Edition 6.5/7.0/7.3

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
trend-micro
nessus

Summary

Trend Micro OfficeScan 6.0 in Client/Server/Messaging (CSM) Suite for SMB 2.0 before 6.0.0.1385, and OfficeScan Corporate Edition (OSCE) 6.5 before 6.5.0.1418, 7.0 before 7.0.0.1257, and 7.3 before 7.3.0.1053 allow remote attackers to remove OfficeScan clients via a certain HTTP request that invokes the OfficeScan CGI program. A security patch for each affected product has been released by the vendor.

Nessus

NASL family: CGI abuses
NASL id: TRENDMICRO_OFFICESCAN_MULTIPLE.NASL
description: The remote host appears to be running Trend Micro OfficeScan Server. This version of OfficeScan is vulnerable to multiple stack overflows in CGI programs that could allow a remote attacker to execute code in the context of the remote server. Note that OfficeScan server under Windows runs with SYSTEM privileges, which means an attacker can gain complete control of the affected host. In addition, there is a format string vulnerability in the 'ATXCONSOLE.OCX' ActiveX Control that could allow for remote code execution via malicious input to the console's Remote Client Install name search as well as flaws that might allow for removal of the OfficeScan client or arbitrary files from the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22048
published: 2006-07-14
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22048
title: Trend Micro OfficeScan 7.3 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

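# Registration branch: when the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# request is sent to the target.
if (description)
{
  script_id(22048);
  script_version("1.31");
  script_cvs_date("Date: 2018/08/01 17:36:12");

  # One plugin ID is mapped to five CVEs. A finding from this plugin does not
  # say which of them applies to the host; triage each CVE separately.
  script_cve_id(
    "CVE-2006-5157",
    "CVE-2006-5211",
    "CVE-2006-5212",
    "CVE-2006-6178",
    "CVE-2006-6179"
   );
  script_bugtraq_id(20284, 20330, 21442);

  script_name(english:"Trend Micro OfficeScan 7.3 Multiple Vulnerabilities");
  script_summary(english:"Checks for OfficeScan stack overflows");

  script_set_attribute(attribute:"synopsis", value:"The remote web server is vulnerable to remote code execution.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running Trend Micro OfficeScan Server.

This version of OfficeScan is vulnerable to multiple stack overflows in
CGI programs that could allow a remote attacker to execute code in the
context of the remote server. 

Note that OfficeScan server under Windows runs with SYSTEM privileges,
which means an attacker can gain complete control of the affected host. 

In addition, there is a format string vulnerability in the
'ATXCONSOLE.OCX' ActiveX Control that could allow for remote code
execution via malicious input to the console's Remote Client Install
name search as well as flaws that might allow for removal of the
OfficeScan client or arbitrary files from the remote host.");
  script_set_attribute(attribute:"solution", value:"Trend Micro has released 2 patches for OfficeScan 7.3.");

  # The base vector is set once for the plugin as a whole (C:P/I:P/A:P).
  # NOTE(review): the bundled CVEs are not scored individually here, so the
  # per-CVE severity in a vulnerability database may differ from this value.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # http://web.archive.org/web/20070813050236/http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1031753
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?45da9450");
  # http://web.archive.org/web/20070812151847/http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1031702
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?4805fbf2");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:trend_micro:officescan");
  script_end_attributes();

  # Registered in the attack category: the check sends requests to the
  # Remote Client Install CGI instead of reading a banner or version string.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  # The plugin is not scheduled when CGI scanning is disabled in the scan
  # settings.
  script_exclude_keys("Settings/disable_cgi_scanning");
  # 8080 is listed alongside 80 and 443 because the check body falls back to
  # get_http_port(default:8080). Without it, a host whose only open web port
  # is 8080 and which has no "Services/www" entry would never be checked.
  script_require_ports("Services/www", 80, 443, 8080);

  exit(0);
}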


include("global_settings.inc");
include("http.inc");
include("misc_func.inc");

# Detection body. The verdict rests on two response-text markers only; no
# version or build number is read from the server.
# NOTE(review): confirm a finding against the installed OfficeScan patch level
# before acting on it.
port = get_http_port(default:8080, embedded: 1);

# Path of the Remote Client Install CGI under the OfficeScan web console.
cgi = "/officescan/console/remoteinstallcgi/cgiRemoteInstall.exe";

# Step 1: request the CGI with no parameters. The script continues only when
# the body carries the CGI's own internal-error text, which is taken as
# evidence that the program is present on this port.
res = http_send_recv3(method:"GET", port: port, exit_on_fail: 1, item: cgi);
if ("Internal+error+when+cgiRemoteInstall%2Eexe" >!< res[2])
{
  exit(0);
}

# Step 2: repeat the request with placeholder "nessus" values and
# checkonly=true. A body that echoes the supplied client name in a
# "Cannot connect" message is what the plugin reports.
# NOTE(review): presumably patched builds answer differently; the script
# itself does not show why this marker implies the flaws. Verify against the
# vendor advisories.
res = http_send_recv3(method:"GET", port: port, exit_on_fail: 1,
                      item: cgi + "?domain=nessusnessusnessus&client=nessus&user=nessus&password=nessus&checkonly=true&filebase=test&action=1");
if ("Cannot+connect+to+nessus%2E" >< res[2])
{
  security_hole(port:port);
}