Trend Maximum Security 2019 Unquoted Search Path

2019.08.27
Credit: Silton Santos
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-428


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

=====[ Tempest Security Intelligence - ADV-02/2019 ]========================== Trend Maximum Security 2019 Author: Silton Santos Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]===================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability Information]============================================= * Class: Unquoted Search Path or Element [CWE-428][1] * CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H * CVE-2019-14685 =====[ Overview]============================================================== * System affected : Trend Maximum Security 2019.[2] * Impact : An user could obtain SYSTEM privileges. =====[ Detailed description]================================================== This application provide a unquoted path in the parameter lpApplicationName of the function CreateProcessW during process create PwmConsole.exe --- which is triggered from the feature PC Health Checkup. If an attacker has write permissions to C:\ or C:\Program Files\, it could deliver an arbitrary executable named Program.exe or Trend.exe which would be executed by the coreServiceShell process. coreServiceShell is a privileged process that will run Program.exe with same privilege. More Details: https://medium.com/sidechannel-br/vulnerabilidade-no-trend-micro-maximum-security-2019-permite-a-escalação-de-privilégios-no-windows-471403d53b68 =====[ Timeline of disclosure]=============================================== * 24/04/2019 - Responsible disclosure started with Trend Micro; * 25/04/2019 - Analysis of the issue is started; * 10/05/2019 - Trend Micro requires more information about the PoC; * 22/05/2019 - Vendor developed and sent patch and asked for an analysis of the fix; * 28/05/2019 - Trend Micro thanked for the help and mentioned the process os aknowledgement (which includes the CVE reservation and Security Advisory post in in their webpage); * 31/07/2019 - Vendor issued a new patch and sent it to be analysed; * 13/08/2019 - CVE-2019-14685 was reserved, and a link to security advisory was provided. =====[ Thanks & Acknowledgements]============================================ - Tempest Security Intelligence [3] =====[ References ]=========================================================== [1] https://cwe.mitre.org/data/definitions/428.html [2] https://esupport.trendmicro.com/en-us/home/pages/technical-support/1123420.aspx [3] http://www.tempest.com.br =====[ EOF ]====================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top