CVE-2008-1365
Published 2008-03-17
Priority: P3 · 55 · medium
CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Exploit: available
EPSS: 51.11% (98.8th percentile)
Stack-based buffer overflow in Trend Micro OfficeScan Corporate Edition 8.0 Patch 2 build 1189 and earlier, and 7.3 Patch 3 build 1314 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long encrypted password, which triggers the overflow in (1) cgiChkMasterPwd.exe, (2) policyserver.exe as reachable through cgiABLogon.exe, and other vectors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | officescan_corporate_edition | <= 7.3_patch3_build1314 | — |
| trend_micro | officescan_corporate_edition | <= 8.0_patch2_build1189 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /officescan/console/cgi/cgiChkMasterPwd.exe containing the 'TMlogonEncrypted=!CRYPT!' prefix in the POST body, especially with payloads exceeding normal password length (overflow triggers at ~1016+ bytes).
- Alert on POST requests to /officescan/console/cgi/cgiChkMasterPwd.exe on port 8080 with unusually large body content (>512 bytes), indicative of buffer overflow exploitation attempt.
- Monitor for exploitation of cgiABLogon.exe as an entry point reaching policyserver.exe with an oversized encrypted password field.
- The exploit payload is constrained to alphanumeric characters only (BadChars excludes non-alphanumeric); detection signatures can look for long alphanumeric-only POST bodies prefixed with '!CRYPT!'.
- Return addresses used in the exploit target Windows 2000 with OfficeScan 7.3.0.1293: 0x63613035 and 0x63613032 (both alphanumeric-safe, located in loadhttp data section). Presence of these values in POST body is a strong indicator.
- Affected versions are OfficeScan Corporate Edition 8.0 Patch 2 Build 1189 and earlier, and 7.3 Patch 3 Build 1314 and earlier. The Metasploit module specifically targets Windows 2000 with OfficeScan 7.3.0.1293; other OS/build combinations may require different return addresses.
- The vulnerable CGI runs with SYSTEM privileges, meaning successful exploitation yields full system compromise. Detection/blocking at the web gateway layer is critical.
- Other Trend Micro products beyond OfficeScan Corporate Edition may also be affected by this vulnerability.
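The detection notes above can be combined into one request check for a web gateway or log pipeline. This is an added example, not code from this page or its sources; it assumes the request method, URL and raw body are already available, matches the two CGIs by file name only (the page gives a full path only for cgiChkMasterPwd.exe), and assumes the listed return addresses appear little-endian in the body.

```python
import posixpath
import struct
from urllib.parse import unquote, unquote_to_bytes, urlsplit

# Strings and thresholds are the ones quoted in the detection notes above.
TARGETS = {"cgichkmasterpwd.exe", "cgiablogon.exe"}
MARKER = b"TMlogonEncrypted=!CRYPT!"
LARGE_BODY = 512      # "unusually large body content (>512 bytes)"
OVERFLOW_LEN = 1016   # "overflow triggers at ~1016+ bytes"
# Assumption: the listed return addresses appear little-endian (x86) in the body.
RET_ADDRS = [struct.pack("<I", a) for a in (0x63613035, 0x63613032)]


def inspect_request(method, url, body):
    """Return finding names for one HTTP request; an empty list means clean."""
    cgi = posixpath.basename(unquote(urlsplit(url).path)).lower()
    if method.upper() != "POST" or cgi not in TARGETS:
        return []
    findings = []
    if len(body) > LARGE_BODY:
        findings.append("large-body")
    decoded = unquote_to_bytes(body)  # %21CRYPT%21 must not hide the marker
    start = decoded.find(MARKER)
    if start == -1:
        return findings
    value = decoded[start + len(MARKER):].split(b"&", 1)[0]
    if len(value) >= OVERFLOW_LEN:
        findings.append("crypt-value-overflow-length")
    if len(value) > LARGE_BODY:
        if value.isalnum():
            findings.append("long-alphanumeric-crypt-value")
        if any(addr in value for addr in RET_ADDRS):
            findings.append("known-return-address")
    return findings


# Constructed sample requests (method, URL, body); none is captured traffic.
CGI = "/officescan/console/cgi/cgiChkMasterPwd.exe"
SAMPLES = [
    ("POST", CGI, MARKER + b"0F3A9C2E" * 4),                      # short value
    ("POST", CGI, MARKER + b"A" * 1100),                          # oversized value
    ("POST", CGI, b"TMlogonEncrypted=%21CRYPT%21" + b"B" * 600),  # encoded marker
    ("GET", CGI, b""),                                            # not a POST
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, len(body), inspect_request(method, url, body) or "clean")
```

The return-address finding is only reported for values that are already oversized, because a four-byte alphanumeric string on its own would match ordinary traffic.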
No detection rules found.
Exploit-DB
Trend Micro OfficeScan - Remote Stack Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
---
```ruby
##
# $Id: trendmicro_officescan.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'metasm'

class Metasploit3 'Trend Micro OfficeScan Remote Stack Buffer Overflow',
  'Description' => %q{
    This module exploits a stack buffer overflow in Trend Micro OfficeScan
    cgiChkMasterPwd.exe (running with SYSTEM privileges).
  },
  'Author' => [ 'toto' ],
  'License' => MSF_LICENSE,
  'Version' => '$Revision: 9262 $',
  'References' =>
    [
      [ 'CVE', '2008-1365' ],
      [ 'OSVDB', '
```
Exploit-DB
Trend Micro OfficeScan - Buffer Overflow (Denial of Service) (PoC)
exploitdb · 2008-02-27
---
source: https://www.securityfocus.com/bid/28020/info
Trend Micro OfficeScan Corporate Edition is prone to a buffer-overflow vulnerability and a denial-of-service vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
Successful exploits may allow an attacker to execute arbitrary code with privileges of the user running the application. This may facilitate a complete compromise of vulnerable computers. Failed exploit attempts will likely result in denial-of-service conditions.
These issues affect the following:
OfficeScan Corporate Edition 8.0 Patch 2 Build 1189 and earlier
OfficeScan Corporate Edition 7.0 Patch 3 Build 1
Metasploit
Trend Micro OfficeScan Remote Stack Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Trend Micro OfficeScan cgiChkMasterPwd.exe (running with SYSTEM privileges).
No writeups or analysis indexed.
- http://aluigi.altervista.org/adv/officescaz-adv.txt
- http://secunia.com/advisories/29124
- http://www.securityfocus.com/bid/28020
- http://www.securitytracker.com/id?1019523
- http://www.vupen.com/english/advisories/2008/0702