TrendMicro Anti-Threat Toolkit Improper Fix

2020.02.01
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

Hi @ll, on September 29, 2019, John Page reported a remote code execution with escalation of privilege in TrendMicro's Anti-Threat Toolkit to its vendor. TrendMicro assigned CVE-2019-9491 to this vulnerability and told the reporter, his dog and the world on October 18, 2019, that they had fixed the vulnerable product. See <https://success.trendmicro.com/solution/000149878>, <https://seclists.org/fulldisclosure/2019/Oct/42> and <http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt> TrendMicro's claim was but wrong, the vulnerability was NOT FIXED! The files attk_ScanCleanOffline_gui_x86.exe, attk_collector_cli_x86.exe, attk_ScanCleanOffline_gui_x64.exe and attk_collector_cli_x64.exe offered on <https://spnsupport.trendmicro.com/> were STILL vulnerable, as was their payload! Vulnerability #1: ~~~~~~~~~~~~~~~~~ On a fully patched Windows 7 SP1, the executable self-extractors attk_ScanCleanOffline_gui_x86.exe, attk_collector_cli_x86.exe, attk_ScanCleanOffline_gui_x64.exe and attk_collector_cli_x64.exe loaded and executed at least the following DLLs from their "application directory", typically the user's "Downloads" folder %USERPROFILE%\Downloads\, instead from Windows' "system directory" %SystemRoot%\System32\ VERSION.dll, IPHLPAPI.dll, WINNSI.dll, WINHTTP.dll, WEBIO.dll, DHCPCSVC.dll, CRYPTSP.dll, BCRYPT.dll, NCRYPT.dll, DNSAPI.dll, RASADHLP.dll, PROPSYS.dll, APPHELP.dll On other versions of Windows this list varied, but some DLLs were ALWAYS loaded from the "application directory"! This BEGINNER's error is well-known and well-documented since MORE than 20 years: see <https://capec.mitre.org/data/definitions/471.html>, <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html>, <https://blogs.msdn.microsoft.com/david_leblanc/2008/02/20/dll-preloading-attacks/>, <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://www.binaryplanting.com/index.htm>, <https://attack.mitre.org/wiki/Technique/T1073>, <https://skanthak.homepage.t-online.de/sentinel.html>, <https://skanthak.homepage.t-online.de/verifier.html>, <https://skanthak.homepage.t-online.de/!execute.html>, <https://skanthak.homepage.t-online.de/minesweeper.html> Demonstration/Proof of concept: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Follow <https://skanthak.homepage.t-online.de/minesweeper.html>, build a "minefield" of forwarder DLLs, then copy attk_*.exe into the directory where you built the DLLs and execute it: enjoy the multiple message boxes displayed from the forwarder DLLs. Vulnerability #2: ~~~~~~~~~~~~~~~~~ On all versions of Windows, the batch script batCollector.bat, unpacked from the executable extractors, which controls execution of the TrendMicro AntiThreat Toolkit itself, executed findstr.com/findstr.exe/findstr.bat/findstr.cmd plus REG.com/REG.exe/REG.bat/REG.cmd (see the environment variable PATHEXT for the extensions) from the directory "TrendMicro AntiThreat Toolkit\HC_ATTK" where the batch script batCollector.bat lives: --- batCollector.bat --- | @echo off | setlocal disableDelayedExpansion | set wd=%~dp0 | cd /d %wd% ... | for /f "tokens=*" %%a in ('findstr BatCollector= ..\..\config.ini') do ( ... | REG EXPORT ... ... findstr and REG are called in the script without file extension and without path (although BOTH are well-known), so CMD.exe runs findstr.com/findstr.exe/findstr.bat/findstr.cmd and REG.com/REG.exe/REG.bat/REG.cmd from its "current working directory" "TrendMicro AntiThreat Toolkit\HC_ATTK" The missing path and extension are BEGINNER'S error #2. Again see <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html> and <https://capec.mitre.org/data/definitions/471.html> Vulnerability #3: ~~~~~~~~~~~~~~~~~ The executable self-extractors fail to restrict (at least write) access to this directory for UNPRIVILEGED users, i.e. allow write access only for members of the "Administrators" group: this is BEGINNER'S error #3. In standard installations of Windows, where the qUACkery-controlled user account created during setup is used, this UNPROTECTED directory is therefore writable by the UNPRIVILEGED user who can place a rogue findstr.com/findstr.exe/findstr.bat/findstr.cmd and REG.com/REG.exe/REG.bat/REG.cmd there ... and gains administrative privileges! Additionally an UNPRIVILEGED attacker can add arbitrary command lines to the UNPROTECTED batch script batCollector.bat between its creation and its execution, or replace it completely. Again see <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html> and <https://capec.mitre.org/data/definitions/471.html>, plus <https://cwe.mitre.org/data/definitions/732.html>, <https://cwe.mitre.org/data/definitions/377.html>, <https://cwe.mitre.org/data/definitions/379.html> and <https://capec.mitre.org/data/definitions/29.html> stay tuned, and FAR AWAY from so-called security products: their "security" is typically worse than that of the products they claim to protect! Stefan Kanthak PS: the TrendMicro Anti-Threat Toolkit inspected in October 2019 was built from scrap: the developers used VisualStudio 2008 (end-of-life since two years), linked against an outdated and vulnerable LIBCMT, shipped an outdated and vulnerable cURL 7.48 plus an outdated and vulnerable libeay32.dll 1.0.1.17 (OpenSSL 1.0.1 is end-of-life since more than 3 years; the last version was 1.0.1.20). This POOR (really: TOTAL lack of proper) software engineering alone disqualifies this vendor and its "security" products! JFTR: "they'll never come back" (really: developers SELDOM learn) <https://seclists.org/fulldisclosure/2010/Sep/332> <https://seclists.org/fulldisclosure/2015/Dec/128> Timeline: ~~~~~~~~~ 2019-10-23 sent reports for both vulnerabilities to vendor 2019-10-25 vendor acknowledged receipt 2020-01-07 CVE-2019-20358 assigned by vendor 2020-01-29 updated advisory published by vendor


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top