================================================================================
STAT Security Advisory
http://www.statonline.com/

Software Vendor:    Trend Micro (www.antivirus.com)
Software Package:   ScanMail for Exchange
Versions Affected:  3.5 Evaluation (possibly others)
Synopsis:           Account names and passwords stored unprotected in registry
Issue Date:         March 30, 2001
Vendor Response:    Vendor notified March 1, 2001
                    Solution received March 5, 2001
                    Vendor fix notification received March 29, 2001
================================================================================

1. Summary

Trend Micro's ScanMail for Exchange (version 3.5) stores user credentials in the system registry with no protection. These credentials apply to the NT domain and include a valid NT domain or system username, the NT domain name, and the password. This occurs in at least two places: once when the product is installed and once for use by the Management Console. Since both installation and management require administrative privileges, the administrative account for the system, or for the entire domain, can be compromised.

2. Problem Description

Several registry values are created during installation and during use of the product's Management Console to store the credentials of the last user to log on. These credentials are valid at least on the server, and possibly on the entire domain, depending on who logged on last. Additionally, these keys are created with Everyone granted Special Access, which includes the ability to read the values.

The usernames and passwords are rotated right by some number of characters and then XOR'ed with a constant key (0xB15A0E707EEDEB80F70FB78F1399). For example, if the Administrator's password is "test", then one of the following values would be stored:

    C53F7D04
    3F7D04C5
    7D04C53F
    04C53F7D

The result is a possible administrative compromise of a system (or quite possibly an entire domain).

3. Solution

Trend Micro recommends, as a temporary fix, that the following keys (and all their sub-keys) have their permissions set to Full Control for Administrators and SYSTEM, with all other permissions removed:

    HKLM\Software\TrendMicro\ScanMail for Exchange\RemoteManagement
    HKLM\Software\TrendMicro\ScanMail for Exchange\UserInfo

The vendor is implementing a new encryption method that will be available in version 5.1 of ScanMail for Exchange.

4. Credits

This vulnerability was discovered and researched by Jon Maucher and Bill Wall of Harris Corporation.
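The interim fix in section 3 is a permissions change on two registry keys. The following script is an added example, not part of the advisory and not Trend Micro code: it audits both keys for any ACE held by a principal other than Administrators or SYSTEM (the "Everyone" read access the advisory describes is the case it is looking for) and, when run with -Fix from an elevated prompt, applies exactly the recommended ACL. The key paths are the ones the advisory lists; the output labels and the choice to block inheritance from the parent key are this example's own. On the NT 4 / Windows 2000 hosts of the advisory's era the same change would be made by hand in regedt32, so the script is for current Windows hosts and for showing precisely what the recommended ACL looks like.

```powershell
# Added example (not from the advisory or Trend Micro): audit and, with -Fix,
# apply the interim hardening the advisory recommends. Administrators and SYSTEM
# get Full Control, every other ACE is removed, and inheritance from the parent
# key is cut off so an "Everyone" ACE cannot flow back in from HKLM\Software.
# Run from an elevated PowerShell prompt on the Exchange server.
param([switch]$Fix)

# Key paths as given in the advisory.
$keys = @(
    'HKLM:\Software\TrendMicro\ScanMail for Exchange\RemoteManagement',
    'HKLM:\Software\TrendMicro\ScanMail for Exchange\UserInfo'
)
# The only principals permitted an ACE on the keys after remediation.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-ScanMailKeyAcl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Compliant = $false; Offending = @() }
    }
    $acl = Get-Acl -Path $Path
    # Any ACE (explicit or inherited) whose identity is not Administrators/SYSTEM
    # makes the key non-compliant; list them so the operator can see who has access.
    $offending = @($acl.Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object { "$($_.IdentityReference) : $($_.RegistryRights) ($($_.AccessControlType))" })
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Compliant = ($offending.Count -eq 0)
        Offending = $offending
    }
}

function Repair-ScanMailKeyAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent key ($true) and discard the inherited ACEs ($false).
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit ACE that is still present.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # Grant Full Control to Administrators and SYSTEM, propagating to all sub-keys.
    foreach ($principal in $allowed) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($key in $keys) {
    $result = Test-ScanMailKeyAcl -Path $key
    if (-not $result.Present) {
        Write-Warning "$key not found (ScanMail for Exchange may not be installed here)"
        continue
    }
    if ($result.Compliant) {
        Write-Output "OK        $key"
    } else {
        Write-Output "EXPOSED   $key"
        $result.Offending | ForEach-Object { Write-Output "          $_" }
        if ($Fix) {
            Repair-ScanMailKeyAcl -Path $key
            Write-Output "FIXED     $key"
        }
    }
}
```

Run it once without -Fix to see which principals currently hold access, then with -Fix to apply the advisory's ACL. Blocking inheritance is the part that matters most: the Everyone ACE on these keys is typically inherited from HKLM\Software, so removing explicit entries alone would leave the values readable. Note that the fix only narrows who can read the stored credentials; the values themselves remain reversibly obfuscated until the vendor's new encryption method ships.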