<<< Date Index >>>     <<< Thread Index >>>

Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack



Dear Bugtraq,

Here is Trend Micro's reply to this claim

This kind of sniffing and "hijacking" of login could be done to almost
all ordinary installed http products with login procedure.
Since we offer a way to install it with HTTPS(SSL) and making login and
communicating with the server secure, we have a internal discussion
about if we should call this a "Vulnerability" or not.
We have made the R&D promise that next version will be with the question
in the installation program for installing SSL support.
On the other hand this product should be installed by IT professionals.
And it should be obvious to them that IIS in http mode is not security
enough.
We thank you for pointing out this to us and we are grateful that our
products are "checked" for security issues! We can sometime like in this
case just assume that all think of security issues but the truth is that
IT personal have more than security to think about. So things like this
are constantly missed!

Here is a link on how to enable HTTPS support for Trend Micro Control
Manager
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp
?solutionId=21306

Thanks,
Hammud Saway

Trend Micro
Global Director of Premium Services


>From: "CIRT Advisory" <advisory@xxxxxxx>
>To: <bugtraq@xxxxxxxxxxxxxxxxx>
>Subject: Trend Micro Control Manager - Enterprise Edition 3.0 Web
>application Replay attack
>Date: Thu, 13 Jan 2005 19:45:53 +0100
>X-Mailer: Microsoft Outlook, Build 10.0.6626
>
>The web application are vulnerable to a replay attack, meaning that the

>username and password are encrypted but there are not used any form of
>timestamp to make this mechanism more advanced and secure.
>
>If it is possible to sniff the traffic when a user login to the
>administrative interface, it is possible to replay this sequence and
>get a valid login session, with the rights of the user.
>
>Vendors response to this was, it is a feature not a vulnerability and
>all the others also have this problem.
>
>Read the full advisory at
>http://www.cirt.dk/advisories/cirt-28-advisory.pdf
>
>----------------------------------------------------------------------
>Danish Incident Response Team
>http://www.cirt.dk
>----------------------------------------------------------------------

--
AV-Test GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, <http://www.av-test.org>





TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and 
may be subject to copyright or other intellectual property protection. If you 
are not the intended recipient, you are not authorized to use or disclose this 
information, and we request that you notify us by reply mail or telephone and 
delete the original message from your mail system.