
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-08-23 InfoSec Handlers Diary Blog



Trend Micro ServerProtect Update

Published: 2007-08-23
Last Updated: 2007-08-25 14:00:24 UTC
by Kyle Haugsness (Version: 4)

Indications are that the ServerProtect exploit targets an older vulnerability from earlier this year, February 2007. This vulnerability was patched at the time. It appears to be "vulnerability one" in this advisory: http://dvlabs.tippingpoint.com/advisory/TPTI-07-02

But this does indeed appear to be a new exploit, so machines that haven't been patched are being actively compromised.


Update:

The activity at this stage is still ongoing. If you are using ServerProtect and you can't think of a reason why it needs to be exposed to the internet, then make sure you block the following:

  • ServerProtect service Port 5168/TCP
  • ServerProtect Agent service Port 3628/TCP

If you have a packet capture, upload it via the contact form.

Update 25/8

Trend has provided a signature for this issue. If you are running regular updates, the relevant pattern file should already be applied (4.668.09 onwards). You might want to run a scan on the machine, though, to be on the safe side. Also don't forget to apply the patch.


Trend Micro management exploit payload perhaps?

Published: 2007-08-23
Last Updated: 2007-08-23 08:00:39 UTC
by William Salusky (Version: 1)

No sooner do I post a call for packets than I catch an event that surely looks suspect. I'm unable to confirm that the destination target was in fact running a Trend management service, or the result of the following attempt. Let's see what our shellcode analysts can determine before we post the complete packet payload.


Attacking Client       Trend Management Service???
222.xxx.xxx.83:3418 => xx.xx.xxx.65:5168
                    Suspicious payload perhaps?
00000000  0500 0083 1000 0000 0808 0000 0100 0000  ................
00000010  e007 0000 0000 0000 8888 2825 5bbd d111  ..........(%[...
00000020  9d53 0080 c83a 5c2c 0400 0300 d007 0000  .S...:\,........
00000030  fc6a eb4d e8f9 ffff ff60 8b6c 2424 8b45  .j.M.....`.l$$.E
.
.     (Sorry, intentionally removed to prevent kiddie replay)
.
00000130  6aff ff37 ffd0 68e7 79c6 79ff 7504 ffd6  j..7..h.y.y.u...
00000140  ff77 fcff d068 f08a 045f 53ff d6ff d041  .w...h..._S....A
00000150  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000160  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
.
.
.
00000480  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000490  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000004a0  4141 4141 4141 4141 4141 4141 4141 1c13  AAAAAAAAAAAAAA..
000004b0  7465 4141 4141 4141 4141 4141 4141 4141  teAAAAAAAAAAAAAA 
000004c0  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
.
.
.
000007e0  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000007f0  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000800  d007 0000 d007 0000                      ........


W
Incapable of shell code kung-fu, regardless of his desire.
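Added detection example (not from the diary, from Trend Micro, or from the handlers): a small parser for the DCE/RPC request header visible at the top of the dump above, used to flag oversized requests with long filler runs aimed at the ServerProtect ports listed in the first entry. The sample PDU reuses only the 40 header and UUID bytes shown in the dump; its stub is constructed 0x41 filler (the diary's shellcode bytes are not reproduced), and the port list and thresholds are assumptions.

```python
import struct
from collections import namedtuple

# Connection-oriented DCE/RPC: 16-byte common header, then for a request PDU
# (ptype 0) alloc_hint (4), context id (2), opnum (2) and, when header flag
# 0x80 (PFC_OBJECT_UUID) is set, a 16-byte object UUID before the stub data.
DceRpcRequest = namedtuple(
    "DceRpcRequest", "ver ptype flags frag_len call_id alloc_hint ctx_id opnum stub")

def parse_dcerpc_request(data: bytes) -> DceRpcRequest:
    if len(data) < 24:
        raise ValueError("truncated DCE/RPC request")
    ver, _minor, ptype, flags, _drep, frag_len, _auth_len, call_id = \
        struct.unpack("<BBBB4sHHI", data[:16])
    if ver != 5 or ptype != 0:
        raise ValueError("not a DCE/RPC v5 request PDU")
    alloc_hint, ctx_id, opnum = struct.unpack("<IHH", data[16:24])
    off = 24 + (16 if flags & 0x80 else 0)      # skip object UUID if present
    return DceRpcRequest(ver, ptype, flags, frag_len, call_id,
                         alloc_hint, ctx_id, opnum, data[off:frag_len])

def longest_run(buf: bytes, byte: int) -> int:
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

# Assumed watch list: ServerProtect ports named in the first diary entry.
WATCHED_PORTS = (5168, 3628)

def assess(data: bytes, dst_port: int, filler_run=64, big_stub=1024) -> list:
    """Reasons (possibly none) the PDU resembles the exploit attempt above."""
    reasons = []
    if dst_port not in WATCHED_PORTS:
        return reasons
    req = parse_dcerpc_request(data)
    if len(req.stub) >= big_stub:                # thresholds are assumptions
        reasons.append(f"oversized stub ({len(req.stub)} bytes) to port {dst_port}")
    run = longest_run(req.stub, 0x41)
    if run >= filler_run:
        reasons.append(f"{run}-byte run of 0x41 filler in stub")
    return reasons

# Constructed sample: the first 40 bytes match the dump (frag_len 0x0808 = 2056,
# alloc_hint 0x7e0 = 2016 = 2056 - 40, opnum 0); the stub is plain filler.
SAMPLE_PDU = bytes.fromhex(
    "05000083 10000000 08080000 01000000"       # header
    "e0070000 0000 0000"                         # alloc_hint, ctx id, opnum
    "88882825 5bbdd111 9d530080 c83a5c2c"        # object UUID
) + b"A" * 2016

if __name__ == "__main__":
    print(assess(SAMPLE_PDU, 5168))
```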

