<<< Date Index >>>     <<< Thread Index >>>

[Reversemode Advisory] TrendMicro Products - multiple privilege escalation vulnerabilities.



Trend Micro Products
Multiple Local Privilege Escalation Vulnerabilities

Discovered by: Rubén Santamarta <ruben@xxxxxxxxxxxxxxx>
        
Affected products:
        Client / Server / Messaging Security for SMB – 3.5
        PC-cillin Internet Security - 2007, Trend Micro AntiVirus – 2007
        Trend Micro Anti-Spyware for SMB – 3.2
        Trend Micro Anti-Spyware for Enterprise – 3.0
        Trend Micro Anti-Spyware for Consumer - 3.5

TmComm.sys is exposed through the following Dos Device:“\\.\TmComm”. Any
logged user  can take advantage of the  weak permissions applied on this
device in order to execute arbitrary  code with elevated privileges.

DosDevice: \\.\TmComm
Driver:  tmcomm.sys     Version: 1.5.0.1052
.data:0001BE24 dd 9000402Bh             ; IOCTL #1
.data:0001BE28 dd offset sub_134B8      ; local dispatcher  #1
.data:0001BE2C dd 9000402Fh             ; IOCTL #2
.data:0001BE30 dd offset sub_1352C      ; local dispatcher #2
.data:0001BE34 dd 90004027h             ; IOCTL #3
.data:0001BE38 dd offset sub_135A0      ; local dispatcher #3
.data:0001BE3C dd 0FFFFFFFFh            ; Table End.

Each IOCTL has an internal command table associated.
i.e Local dispatcher routine #1 - IOCTL 0x9000402B

DosDevice: \\.\TmComm
Driver:  tmcomm.sys     Version: 1.5.0.1052
.text:000134D9 cmp dword ptr [ecx], 4Ch                 ; Input Buffer length
.text:000134DC jnz short loc_1351B
.text:000134DE cmp dword ptr [ecx+4], 4Ch       ; Output Buffer length
.text:000134E2 jnz short loc_1351B
.text:000134E2 jnz short loc_1351B
.text:000134E4 xor ecx, ecx
.text:000134E6 cmp off_1BEDC, ecx
.text:000134EC jz short loc_13520
.text:000134EE mov edx, [esi] ; int
.text:000134F0 loc_134F0: ; CODE XREF: sub_134B8+54#j
.text:000134F0 cmp dword_1BED8[ecx*8], edx
.text:000134F7 jnz short loc_13503
.text:000134F9 cmp off_1BEDC[ecx*8], 0
.text:00013501 jnz short loc_13510
.text:00013503 loc_13503: ; CODE XREF: sub_134B8+3F#j
.text:00013503 inc ecx ;                                ;InternalCommandIndex
.text:00013504 cmp off_1BEDC[ecx*8], 0
.text:0001350C jnz short loc_134F0
.text:0001350E jmp short loc_13520
.text:00013510 ;
---------------------------------------------------------------------------
.text:00013510
.text:00013510 loc_13510: ; CODE XREF: sub_134B8+49#j
.text:00013510 push edi ; int
.text:00013511 push esi ; int
.text:00013512 call off_1BEDC[ecx*8] ;  IOCTL_1[InternalCommandIndex*8]

Let's see the table :

DosDevice: \\.\TmComm
Driver:  tmcomm.sys     Version: 1.5.0.1052
.data:0001BED8 dd 2713h                 ; Internal Command Code #1.1
.data:0001BEDC dd offset sub_13456      ; Routine Associated #1.1
.data:0001BEE0 dd 2711h                         ; ...
.data:0001BEE4 dd offset dword_13320+2
.data:0001BEE8 dd 2710h
.data:0001BEEC dd offset sub_13288
.data:0001BEF0 dd 2712h
.data:0001BEF4 dd offset sub_133BE
.data:0001BEF8 dd 0FFFFFFFFh            ; Table End


These IOCTLs are generated as METHOD_NEITHER, since the driver is not
sanitizing any pointer embedded within user-mode buffers there are
dozens of ways for executing  arbitrary code in Ring0.


Exploits:
No exploits are released. Ethical security companies can contact for
requesting samples : contact@xxxxxxxxxxxxxxx

References:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=469
[PDF]http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=45