Message-ID: <45CC496C.5060808@reversemode.com>
Date: Fri, 09 Feb 2007 11:14:04 +0100
From: Reversemode <advisories@...ersemode.com>
To: Securityfocus <bugtraq@...urityfocus.com>
Subject: [Reversemode Advisory] TrendMicro Products - multiple privilege escalation
 vulnerabilities.


Trend Micro Products
Multiple Local Privilege Escalation Vulnerabilities

Discovered by: Rubén Santamarta <ruben@...ersemode.com>
 	
Affected products:
 	Client / Server / Messaging Security for SMB – 3.5
 	PC-cillin Internet Security - 2007, Trend Micro AntiVirus – 2007
 	Trend Micro Anti-Spyware for SMB – 3.2
 	Trend Micro Anti-Spyware for Enterprise – 3.0
 	Trend Micro Anti-Spyware for Consumer - 3.5

TmComm.sys is exposed through the following DOS device: "\\.\TmComm". Any
logged-on user can take advantage of the weak permissions applied to this
device to execute arbitrary code with elevated privileges.

DosDevice: \\.\TmComm
Driver:  tmcomm.sys  	Version: 1.5.0.1052
.data:0001BE24 dd 9000402Bh 		; IOCTL #1
.data:0001BE28 dd offset sub_134B8	; local dispatcher  #1
.data:0001BE2C dd 9000402Fh 		; IOCTL #2
.data:0001BE30 dd offset sub_1352C 	; local dispatcher #2
.data:0001BE34 dd 90004027h 		; IOCTL #3
.data:0001BE38 dd offset sub_135A0 	; local dispatcher #3
.data:0001BE3C dd 0FFFFFFFFh  		; Table End.

Each IOCTL has an associated internal command table,
e.g. local dispatcher routine #1 - IOCTL 0x9000402B:

DosDevice: \\.\TmComm
Driver:  tmcomm.sys  	Version: 1.5.0.1052
.text:000134D9 cmp dword ptr [ecx], 4Ch 		; Input Buffer length
.text:000134DC jnz short loc_1351B
.text:000134DE cmp dword ptr [ecx+4], 4Ch 	; Output Buffer length
.text:000134E2 jnz short loc_1351B
.text:000134E4 xor ecx, ecx
.text:000134E6 cmp off_1BEDC, ecx
.text:000134EC jz short loc_13520
.text:000134EE mov edx, [esi] ; int
.text:000134F0 loc_134F0: ; CODE XREF: sub_134B8+54#j
.text:000134F0 cmp dword_1BED8[ecx*8], edx
.text:000134F7 jnz short loc_13503
.text:000134F9 cmp off_1BEDC[ecx*8], 0
.text:00013501 jnz short loc_13510
.text:00013503 loc_13503: ; CODE XREF: sub_134B8+3F#j
.text:00013503 inc ecx ; 				;InternalCommandIndex
.text:00013504 cmp off_1BEDC[ecx*8], 0
.text:0001350C jnz short loc_134F0
.text:0001350E jmp short loc_13520
.text:00013510 ; ---------------------------------------------------------------------------
.text:00013510
.text:00013510 loc_13510: ; CODE XREF: sub_134B8+49#j
.text:00013510 push edi ; int
.text:00013511 push esi ; int
.text:00013512 call off_1BEDC[ecx*8] ;  IOCTL_1[InternalCommandIndex*8]

Let's see the table:

DosDevice: \\.\TmComm
Driver:  tmcomm.sys  	Version: 1.5.0.1052
.data:0001BED8 dd 2713h 		; Internal Command Code #1.1
.data:0001BEDC dd offset sub_13456 	; Routine Associated #1.1
.data:0001BEE0 dd 2711h 			; ...
.data:0001BEE4 dd offset dword_13320+2
.data:0001BEE8 dd 2710h
.data:0001BEEC dd offset sub_13288
.data:0001BEF0 dd 2712h
.data:0001BEF4 dd offset sub_133BE
.data:0001BEF8 dd 0FFFFFFFFh 		; Table End


These IOCTLs are defined as METHOD_NEITHER. Since the driver does not
sanitize any pointer embedded within user-mode buffers, there are
dozens of ways to execute arbitrary code in Ring 0.
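
The METHOD_NEITHER statement can be checked directly from the three IOCTL codes in the dispatch table above by splitting them into their CTL_CODE fields. The following is an added example, not part of the original advisory or of Trend Micro's code; the function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: bits 31-16 device type, 15-14 required access,
 * 13-2 function number, 1-0 transfer method. */
enum { METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, METHOD_NEITHER };

typedef struct { uint32_t device_type, access, function, method; } ioctl_fields;

static ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;           /* >= 0x8000: vendor-defined */
    f.access      = (code >> 14) & 0x3;   /* 0 any, 1 read, 2 write, 3 both */
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* With METHOD_NEITHER the I/O manager hands the driver raw user-mode
 * addresses, so the driver itself must probe and capture every buffer
 * and every pointer stored inside it. */
static int driver_must_validate(uint32_t code)
{
    return decode_ioctl(code).method == METHOD_NEITHER;
}

/* Count METHOD_NEITHER entries in a list terminated by 0xFFFFFFFF. */
static int count_neither(const uint32_t *codes)
{
    int n = 0;
    for (; *codes != 0xFFFFFFFFu; codes++)
        n += driver_must_validate(*codes);
    return n;
}

/* IOCTL codes copied from the table at .data:0001BE24 (handlers omitted). */
static const uint32_t TMCOMM_IOCTLS[] =
    { 0x9000402Bu, 0x9000402Fu, 0x90004027u, 0xFFFFFFFFu };

int main(void)
{
    static const char *names[] = { "BUFFERED", "IN_DIRECT", "OUT_DIRECT", "NEITHER" };
    for (const uint32_t *c = TMCOMM_IOCTLS; *c != 0xFFFFFFFFu; c++) {
        ioctl_fields f = decode_ioctl(*c);
        printf("0x%08X type=0x%04X access=%u func=0x%03X METHOD_%s\n",
               (unsigned)*c, (unsigned)f.device_type, (unsigned)f.access,
               (unsigned)f.function, names[f.method]);
    }
    printf("%d entries need driver-side buffer validation\n",
           count_neither(TMCOMM_IOCTLS));
    return 0;
}
```

The same decoder can be pointed at any driver's IOCTL list during review to find the handlers whose buffer handling needs the closest inspection.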


Exploits:
No exploits are released. Ethical security companies can request
samples by contacting: contact@...ersemode.com

References:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=469
[PDF]http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=45
