cbcvebase.
CVE-2008-1365
published 2008-03-17

Priority: P3 · 55 · medium
CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
EXPLOIT
EPSS: 51.11% (98.8th percentile)

Stack-based buffer overflow in Trend Micro OfficeScan Corporate Edition 8.0 Patch 2 build 1189 and earlier, and 7.3 Patch 3 build 1314 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long encrypted password, which triggers the overflow in (1) cgiChkMasterPwd.exe, (2) policyserver.exe as reachable through cgiABLogon.exe, and other vectors.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | officescan_corporate_edition | <= 7.3_patch3_build1314 | |
| trend_micro | officescan_corporate_edition | <= 8.0_patch2_build1189 | |

Detection & IOCs

path: /officescan/console/cgi/cgiChkMasterPwd.exe
port: 8080
cookie: TMlogonEncrypted=!CRYPT!
filename: cgiChkMasterPwd.exe
filename: cgiABLogon.exe
process: policyserver.exe

  • Detect POST requests to /officescan/console/cgi/cgiChkMasterPwd.exe containing the 'TMlogonEncrypted=!CRYPT!' prefix in the POST body, especially with payloads exceeding normal password length (overflow triggers at ~1016+ bytes).
  • Alert on POST requests to /officescan/console/cgi/cgiChkMasterPwd.exe on port 8080 with unusually large body content (>512 bytes), indicative of buffer overflow exploitation attempt.
  • Monitor for exploitation of cgiABLogon.exe as an entry point reaching policyserver.exe with an oversized encrypted password field.
  • The exploit payload is constrained to alphanumeric characters only (BadChars excludes non-alphanumeric); detection signatures can look for long alphanumeric-only POST bodies prefixed with '!CRYPT!'.
  • Return addresses used in the exploit target Windows 2000 with OfficeScan 7.3.0.1293: 0x63613035 and 0x63613032 (both alphanumeric-safe, located in loadhttp data section). Presence of these values in POST body is a strong indicator.
  • Affected versions are OfficeScan Corporate Edition 8.0 Patch 2 Build 1189 and earlier, and 7.3 Patch 3 Build 1314 and earlier. The Metasploit module specifically targets Windows 2000 with OfficeScan 7.3.0.1293; other OS/build combinations may require different return addresses.
  • The vulnerable CGI runs with SYSTEM privileges, meaning successful exploitation yields full system compromise. Detection/blocking at the web gateway layer is critical.
  • Other Trend Micro products beyond OfficeScan Corporate Edition may also be affected by this vulnerability.
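
The request heuristics listed above can be combined into one gateway-side check. The following is an added example, not code from this page or from Trend Micro: it flags POSTs to the two CGI filenames whose body is oversized or carries a long value after the '!CRYPT!' marker. Assumptions: the 256-character cut-off for a "long" value, the cgiABLogon.exe path and its `pwd` field name, and all sample requests are constructed for illustration; the port is not checked.

```python
import re
from urllib.parse import unquote

CGI_NAMES = ("cgichkmasterpwd.exe", "cgiablogon.exe")  # filenames named on the page
MARKER = "!CRYPT!"   # prefix of the encrypted password value
MAX_BODY = 512       # body-size threshold from the page
MAX_VALUE = 256      # assumed cut-off for a "long" value; tune to real traffic

def inspect(method, path, body):
    """Return the heuristics a request matches; an empty list means no match."""
    # Drop the query string, decode %-escapes and fold case so that
    # /OfficeScan/.../cgiChkMasterPwd%2Eexe is treated like the plain path.
    target = unquote(path.split("?", 1)[0]).lower()
    if method.upper() != "POST" or not target.endswith(CGI_NAMES):
        return []
    hits = []
    if len(body) > MAX_BODY:
        hits.append("oversized-body")
    decoded = unquote(body)
    start = decoded.find(MARKER)
    if start != -1:
        # The value runs from the marker to the next form-field separator.
        value = re.split(r"[&;\s]", decoded[start + len(MARKER):], maxsplit=1)[0]
        if len(value) > MAX_VALUE:
            hits.append("long-crypt-value")
            if re.fullmatch(r"[A-Za-z0-9]+", value):
                hits.append("alnum-only-value")
    return hits

# Constructed sample requests (method, path, body); filler bytes only.
CHK = "/officescan/console/cgi/cgiChkMasterPwd.exe"
SAMPLES = [
    ("POST", CHK, "TMlogonEncrypted=!CRYPT!" + "A1B2C3D4" * 4),
    ("POST", CHK, "TMlogonEncrypted=!CRYPT!" + "A" * 1100),
    ("POST", "/OfficeScan/console/cgi/cgiChkMasterPwd%2Eexe",
     "TMlogonEncrypted=%21CRYPT%21" + "A" * 1100),
    # Path and field name for cgiABLogon.exe are assumed, not from the page.
    ("POST", "/officescan/console/cgi/cgiABLogon.exe", "pwd=!CRYPT!" + "AB/=" * 100),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, len(body), inspect(method, path, body))
```

Matching on the decoded, lower-cased path keeps a case or percent-encoding variation of the CGI name from bypassing the rule.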