Trend Micro Password Manager program arbitrary command execution vulnerability verification-vulnerability and early warning-the black bar safety net

ID MYHACK58:62201671066
Type myhack58
Reporter 阿尔法实验室 kernux
Modified 2016-01-16T00:00:00


Trend Micro antivirus software to suit the windows version, contains a password management program, the program is also in the official website provides a single download connection, is a free service. The default installation of the latest TRAND Micro: the

! 1

Figure 1

Can in Data Security find this password management program, the default is open, you can see in the local port listening:

! 2

Figure 2

Listening port is 4 9 1 5 3, google analysis given in 4 9 1 5 5, it seems this port should be in a range. This service is a node. js developed the http server program, in this url exist at the arbitrary command execution vulnerability:


This api could have been used to in the browser to open a page:

! 3

Figure 3

However, it can also open the system path:

! 5

Figure 4

Which in turn can open the path in the file:

! 6

Figure 5

Finally, even the executable files are also a cinch, the function is really powerful Ah. to:


! 7

Figure 6

This vulnerability is that, as long as the attacker in the page is inserted into a similar such request:




x = new XMLHttpRequest()




x. open("GET", "https://localhost:49153/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);




try { x. send(); } catch (e) {};


You can install TrendMicro windows on the system, execute arbitrary commands, and the harm can be imagined.