ID: CVE-2018-6235
Type: cve
Reporter: cve@mitre.org
Modified: 2018-06-28T16:10:00
Description
An Out-of-Bounds write privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222814 by the tmnciesc.sys driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{"zdi": [{"lastseen": "2020-06-22T11:40:36", "bulletinFamily": "info", "cvelist": ["CVE-2018-6235"], "description": "This vulnerability allows local attackers to escalate privileges on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within processing of IOCTL 0x222814 by the tmnciesc.sys driver. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the application.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-04-06T00:00:00", "id": "ZDI-18-269", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-269/", "title": "Trend Micro Maximum Security tmnciesc Out-Of-Bounds Write Privilege Escalation Vulnerability", "type": "zdi", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:32:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6232", "CVE-2018-6234", "CVE-2018-10513", "CVE-2018-3608", "CVE-2018-10514", "CVE-2018-6233", "CVE-2018-6236", "CVE-2018-15363", "CVE-2018-6235"], "description": "This host is running Trend Micro Internet Security\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-08T00:00:00", "id": "OPENVAS:1361412562310813335", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813335", "type": "openvas", "title": "Trend Micro Internet Security Multiple Vulnerabilities May18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Trend Micro Internet Security Multiple Vulnerabilities May18 (Windows)\n#\n# Authors:\n# Rinu Kuriaksoe <krinu@secpod.com>\n#\n# 
Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:trendmicro:internet_security\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813335\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6232\", \"CVE-2018-6233\", \"CVE-2018-6234\", \"CVE-2018-6235\",\n \"CVE-2018-6236\", \"CVE-2018-3608\", \"CVE-2018-10513\", \"CVE-2018-10514\",\n \"CVE-2018-15363\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-08 13:30:09 +0530 (Tue, 08 May 2018)\");\n ## Patched version is not available from registry or anywhere, so it can result in FP for 12.0 patched versions\n script_tag(name:\"qod\", value:\"30\");\n script_name(\"Trend Micro Internet Security Multiple Vulnerabilities May18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is running Trend Micro Internet Security\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on 
the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Multiple buffer overflow errors.\n\n - An out-of-bounds Read error.\n\n - An out-of-bounds write error.\n\n - An unknown error exist with Time-Of-Check/Time-Of-Use.\n\n - User-Mode Hooking (UMH) driver allowing to create a specially crafted packet.\n\n - Processing of request ID 0x2002 for IDAMSPMASTER in the service process\n coreServiceShell.exe\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to escalate privileges, disclose sensitive information and inject malicious\n code into other processes.\");\n\n script_tag(name:\"affected\", value:\"Trend Micro Internet Security 12.0 (ignore if\n patch is applied or has the latest updated version 12.0.1226) and below on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Trend Micro Internet Security 12.0.1226\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119591.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-US/home/pages/technical-support/1120237.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-US/home/pages/technical-support/1120742.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_trendmicro_internet_security_detect.nasl\");\n script_mandatory_keys(\"TrendMicro/IS/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\ntVer = infos['version'];\ntPath = infos['location'];\n\nif(version_is_less_equal(version:tVer, 
test_version:\"12.0\"))\n{\n report = report_fixed_ver(installed_version:tVer, fixed_version:\"Latest update 12.0.1226\", install_path:tPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6232", "CVE-2018-6234", "CVE-2018-10513", "CVE-2018-3608", "CVE-2018-10514", "CVE-2018-6233", "CVE-2018-6236", "CVE-2018-15363", "CVE-2018-6235"], "description": "This host is running Trend Micro Maximum Security\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-08T00:00:00", "id": "OPENVAS:1361412562310813333", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813333", "type": "openvas", "title": "Trend Micro Maximum Security Multiple Vulnerabilities May18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Trend Micro Maximum Security Multiple Vulnerabilities May18 (Windows)\n#\n# Authors:\n# Rinu Kuriaksoe <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:trendmicro:maximum_security\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813333\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6232\", \"CVE-2018-6233\", \"CVE-2018-6234\", \"CVE-2018-6235\",\n \"CVE-2018-6236\", \"CVE-2018-3608\", \"CVE-2018-10513\", \"CVE-2018-10514\",\n \"CVE-2018-15363\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-08 13:30:09 +0530 (Tue, 08 May 2018)\");\n ## Patched version is not available from registry or anywhere, so it can result in FP for 12.0 patched versions\n script_tag(name:\"qod\", value:\"30\");\n script_name(\"Trend Micro Maximum Security Multiple Vulnerabilities May18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is running Trend Micro Maximum Security\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Multiple buffer overflow errors.\n\n - An out-of-bounds Read error.\n\n - An out-of-bounds write error.\n\n - An unknown error exist with Time-Of-Check/Time-Of-Use.\n\n - User-Mode Hooking (UMH) driver allowing to create a specially crafted packet.\n\n - Processing of request ID 0x2002 for IDAMSPMASTER in the service process\n coreServiceShell.exe\");\n\n script_tag(name:\"impact\", 
value:\"Successful exploitation will allow attackers\n to escalate privileges, disclose sensitive information and inject malicious\n code into other processes.\");\n\n script_tag(name:\"affected\", value:\"Trend Micro Maximum Security 12.0 (ignore if\n patch is applied or has the latest updated version 12.0.1226) and below on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Trend Micro Maximum Security 12.0.1226\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119591.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-US/home/pages/technical-support/1120237.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-US/home/pages/technical-support/1120742.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_trendmicro_maximum_security_detect_win.nasl\");\n script_mandatory_keys(\"TrendMicro/MS/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\ntVer = infos['version'];\ntPath = infos['location'];\n\nif(version_is_less_equal(version:tVer, test_version:\"12.0\"))\n{\n report = report_fixed_ver(installed_version:tVer, fixed_version:\"Latest update 12.0.1226\", install_path:tPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6232", "CVE-2018-6234", "CVE-2018-10513", "CVE-2018-3608", "CVE-2018-10514", "CVE-2018-6233", "CVE-2018-6236", "CVE-2018-15363", 
"CVE-2018-6235"], "description": "This host is running Trend Micro Antivirus Plus\n and is prone to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-05-08T00:00:00", "id": "OPENVAS:1361412562310813334", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813334", "type": "openvas", "title": "Trend Micro Antivirus Plus Multiple Vulnerabilities May18 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Trend Micro Antivirus Plus Multiple Vulnerabilities May18 (Windows)\n#\n# Authors:\n# Rinu Kuriaksoe <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:trendmicro:antivirus\\+:\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813334\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-6232\", \"CVE-2018-6233\", \"CVE-2018-6234\", \"CVE-2018-6235\",\n \"CVE-2018-6236\", \"CVE-2018-3608\", \"CVE-2018-10513\", \"CVE-2018-10514\",\n \"CVE-2018-15363\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-08 13:30:09 +0530 (Tue, 08 May 2018)\");\n ## Patched version is not available from registry or anywhere, so it can result in FP for 12.0 patched versions\n script_tag(name:\"qod\", value:\"30\");\n script_name(\"Trend Micro Antivirus Plus Multiple Vulnerabilities May18 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is running Trend Micro Antivirus Plus\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Multiple buffer overflow errors.\n\n - An out-of-bounds Read error.\n\n - An out-of-bounds write error.\n\n - An unknown error exist with Time-Of-Check/Time-Of-Use.\n\n - User-Mode Hooking (UMH) driver allowing to create a specially crafted packet.\n\n - Processing of request ID 0x2002 for IDAMSPMASTER in the service process\n coreServiceShell.exe\");\n\n script_tag(name:\"impact\", value:\"Successful 
exploitation will allow attackers\n to escalate privileges, disclose sensitive information and inject malicious\n code into other processes.\");\n\n script_tag(name:\"affected\", value:\"Trend Micro Antivirus Plus 12.0 (ignore if\n patch is applied or has the latest updated version 12.0.1226) and below on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Trend Micro Antivirus Plus 12.0.1226\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119591.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-US/home/pages/technical-support/1120237.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com/en-US/home/pages/technical-support/1120742.aspx\");\n script_xref(name:\"URL\", value:\"https://esupport.trendmicro.com\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_trendmicro_antivirus_plus_detect_win.nasl\");\n script_mandatory_keys(\"TrendMicro/AV/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\ntVer = infos['version'];\ntPath = infos['location'];\n\nif(version_is_less_equal(version:tVer, test_version:\"12.0\"))\n{\n report = report_fixed_ver(installed_version:tVer, fixed_version:\"Latest update 12.0.1226\", install_path:tPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}