Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775
The main component of Trend Micro Antivirus is CoreServiceShell.exe, which runs as NT AUTHORITYSYSTEM.
The CoreServiceShell includes an HTTP daemon, which is used for redirecting network content inspection among other things. For example, if you attempt to visit a blacklisted page, the request is redirected to http://localhost:37848/ and a warning page is displayed.
There are multiple problems with this daemon, first of all, there's a trivial path traversal in the /loadhelp/ and /wtp/ endpoints. The daemon checks paths for "../..", but this doesn't work because you can just do "....", which is an entirely valid path separator on Windows.
There's also some trivial header injection bugs, e.g:
http://localhost:37848/continue/TiCredToken=29579&Source=&URL=%0aContent-Type:%20text/html%0aContent-Length:%2032%0a%0a<h1>hello</h1>
By combining these two issues, you can remotely access files as SYSTEM on a Trend Micro machine.
I happened to notice another problem, the file loader.html has an obvious XSS if the window is 10px wide. I know that's an odd condition, but an attacker can easily force that with something like
<iframe width="26px" scrolling="no" src="http://localhost:37848/LocalHelp/loader?javascript:alert(1)">
The code is like this:
var st = getStyle("a", "width");
if (st == "10px") {
var queryString = window.location.search;
if (queryString.length > 0 && queryString.charAt(0) == "?") {
var url = queryString.substr(1);
}
window.location.href = url;
}
I honestly have no idea what the author intended, but this bug can be used with the path traversal to access arbitrary local files, or even authenticated remote files by forcing them to be downloaded (<a href=foo download>.click())