[Reversemode Advisory] TrendMicro Products - multiple privilege escalation vulnerabilities.
Trend Micro Products
Multiple Local Privilege Escalation Vulnerabilities
Discovered by: Rubén Santamarta <ruben@xxxxxxxxxxxxxxx>
Affected products:
Client / Server / Messaging Security for SMB – 3.5
PC-cillin Internet Security - 2007, Trend Micro AntiVirus – 2007
Trend Micro Anti-Spyware for SMB – 3.2
Trend Micro Anti-Spyware for Enterprise – 3.0
Trend Micro Anti-Spyware for Consumer - 3.5
TmComm.sys is exposed through the following Dos Device:“\\.\TmComm”. Any
logged user can take advantage of the weak permissions applied on this
device in order to execute arbitrary code with elevated privileges.
DosDevice: \\.\TmComm
Driver: tmcomm.sys Version: 1.5.0.1052
.data:0001BE24 dd 9000402Bh ; IOCTL #1
.data:0001BE28 dd offset sub_134B8 ; local dispatcher #1
.data:0001BE2C dd 9000402Fh ; IOCTL #2
.data:0001BE30 dd offset sub_1352C ; local dispatcher #2
.data:0001BE34 dd 90004027h ; IOCTL #3
.data:0001BE38 dd offset sub_135A0 ; local dispatcher #3
.data:0001BE3C dd 0FFFFFFFFh ; Table End.
Each IOCTL has an internal command table associated.
i.e Local dispatcher routine #1 - IOCTL 0x9000402B
DosDevice: \\.\TmComm
Driver: tmcomm.sys Version: 1.5.0.1052
.text:000134D9 cmp dword ptr [ecx], 4Ch ; Input Buffer length
.text:000134DC jnz short loc_1351B
.text:000134DE cmp dword ptr [ecx+4], 4Ch ; Output Buffer length
.text:000134E2 jnz short loc_1351B
.text:000134E2 jnz short loc_1351B
.text:000134E4 xor ecx, ecx
.text:000134E6 cmp off_1BEDC, ecx
.text:000134EC jz short loc_13520
.text:000134EE mov edx, [esi] ; int
.text:000134F0 loc_134F0: ; CODE XREF: sub_134B8+54#j
.text:000134F0 cmp dword_1BED8[ecx*8], edx
.text:000134F7 jnz short loc_13503
.text:000134F9 cmp off_1BEDC[ecx*8], 0
.text:00013501 jnz short loc_13510
.text:00013503 loc_13503: ; CODE XREF: sub_134B8+3F#j
.text:00013503 inc ecx ; ;InternalCommandIndex
.text:00013504 cmp off_1BEDC[ecx*8], 0
.text:0001350C jnz short loc_134F0
.text:0001350E jmp short loc_13520
.text:00013510 ;
---------------------------------------------------------------------------
.text:00013510
.text:00013510 loc_13510: ; CODE XREF: sub_134B8+49#j
.text:00013510 push edi ; int
.text:00013511 push esi ; int
.text:00013512 call off_1BEDC[ecx*8] ; IOCTL_1[InternalCommandIndex*8]
Let's see the table :
DosDevice: \\.\TmComm
Driver: tmcomm.sys Version: 1.5.0.1052
.data:0001BED8 dd 2713h ; Internal Command Code #1.1
.data:0001BEDC dd offset sub_13456 ; Routine Associated #1.1
.data:0001BEE0 dd 2711h ; ...
.data:0001BEE4 dd offset dword_13320+2
.data:0001BEE8 dd 2710h
.data:0001BEEC dd offset sub_13288
.data:0001BEF0 dd 2712h
.data:0001BEF4 dd offset sub_133BE
.data:0001BEF8 dd 0FFFFFFFFh ; Table End
These IOCTLs are generated as METHOD_NEITHER, since the driver is not
sanitizing any pointer embedded within user-mode buffers there are
dozens of ways for executing arbitrary code in Ring0.
Exploits:
No exploits are released. Ethical security companies can contact for
requesting samples : contact@xxxxxxxxxxxxxxx
References:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=469
[PDF]http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=45