Trend Micro DLL Hijacking

Type packetstorm
Reporter Stefan Kanthak
Modified 2015-12-31T00:00:00


Hi @ll,
TrendMicro_MAX_10.0_US-en_Downloader.exe (available from  
loads and executes ProfAPI.dll and UXTheme.dll (and other DLLs
too), which it may find in the directory it is started from
(the "application directory").
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
and <>  
If one of the DLLs named above gets planted in the user's  
"Downloads" directory per "drive-by download" or "social  
engineering" this vulnerability becomes a remote code execution.  
Proof of concept/demonstration:  
1. visit <>, download  
<>, save it  
as UXTheme.dll in your "Downloads" directory, then copy it as  
2. download TrendMicro_MAX_10.0_US-en_Downloader.exe and save it  
in your "Downloads" directory;  
3. execute TrendMicro_MAX_10.0_US-en_Downloader.exe from your  
"Downloads" directory;  
4. notice the message boxes displayed from the DLLs placed in step 1.  
For a denial of service instead of arbitrary (remote) code execution  
copy the downloaded UXTheme.dll as OLEAcc.dll and WinSpool.drv.  
This is easily turned into arbitrary (remote) code execution too:  
just add the exports OpenPrinterW, ClosePrinter and DocumentPropertiesW  
respectively LresultFromObject and CreateStdAccessibleObject to the DLL.  
See <> and  
<> as well as  
<> and the still unfinished  
<!execute.html> for more details about  
this well-known and well-documented BEGINNER'S error and why  
executable installers (and self-extractors too) are bad.  
Additionally, TrendMicro_MAX_10.0_US-en_Downloader.exe creates an
unsafe temporary directory into which it unpacks its payload and
from which it then executes that payload.
...\TrendMicro_MAX_10.0_US-en_Downloader\Agent\TisEzIns.exe loads  
and executes multiple DLLs too from its unsafe application directory:  
ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, UXTheme.dll and  
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll  
and OLEAcc.dll  
Proof of concept/demonstration:  
5. unpack TrendMicro_MAX_10.0_US-en_Downloader.exe (basically a  
7-Zip self-extractor) into an arbitrary directory, say "%TEMP%"  
(this creates a subdirectory "%TEMP%\Agent" with the payload);  
6. copy the downloaded UXTheme.dll from step 1 into "%TEMP%\Agent",  
then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll,  
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll  
and OLEAcc.dll there;  
7. execute "%TEMP%\Agent\TisEZIns.exe";  
8. notice the message boxes displayed from the DLLs placed in steps 5  
and 6.  
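Both demonstrations above rely on the same condition: a file carrying the name of a Windows system DLL sitting in the directory the installer runs from (the "Downloads" directory, or the unpacked "%TEMP%\Agent" directory). The following script is an added example, not code from this advisory or from Trend Micro; it implements the defender's side, a scan of an application directory for files whose names match the DLL and DRV names the advisory lists. The Windows loader matches names case-insensitively, so the check does too, and it only looks at the top level because that is where the loader looks. The sample directory and its files are constructed for the demonstration; the DLL name list is taken from the advisory.

```python
"""Scan an application directory for files named like Windows system DLLs.
Added example for this advisory (not the advisory's or Trend Micro's code).
Assumes: the names below are the ones the advisory lists; the sample
directory built by build_sample_downloads_dir() is constructed test data."""
import os
import tempfile

# DLL/DRV names the advisory says the Trend Micro installers resolve from
# their application directory.  On Windows these live in %SystemRoot%\System32;
# a copy in a Downloads or temp directory is a planted-DLL indicator.
HIJACKABLE_NAMES = frozenset(n.lower() for n in (
    "ProfAPI.dll", "UXTheme.dll", "OLEAcc.dll", "WinSpool.drv",
    "NTMarta.dll", "RASAdHlp.dll", "NTShrUI.dll", "Secur32.dll",
    "WinMM.dll", "Version.dll", "WinHttp.dll",
))


def is_pe_image(path):
    """True if the file starts with the 'MZ' DOS header every PE image has."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_planted_dlls(app_dir, names=HIJACKABLE_NAMES):
    """Return a sorted list of (filename, is_pe) for files in app_dir whose
    name matches a system DLL name.  Matching is case-insensitive because
    the Windows loader's lookup is.  Only the top level is scanned: the
    loader searches the application directory itself, not subdirectories."""
    hits = []
    for entry in os.scandir(app_dir):
        if entry.is_file() and entry.name.lower() in names:
            hits.append((entry.name, is_pe_image(entry.path)))
    return sorted(hits)


def build_sample_downloads_dir():
    """Construct a throw-away 'Downloads' directory resembling steps 1-2 of
    the advisory: the downloader, a planted UXTheme.dll, the same file copied
    under a second system DLL name, and one harmless file.  Constructed data;
    the 'PE images' are only a DOS header stub, not real executables."""
    d = tempfile.mkdtemp(prefix="downloads_")
    fake_pe = b"MZ" + b"\x00" * 62  # DOS header stub only
    for name in ("UXTheme.dll", "profapi.DLL",
                 "TrendMicro_MAX_10.0_US-en_Downloader.exe"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(fake_pe)
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("not a library\n")
    return d


if __name__ == "__main__":
    sample = build_sample_downloads_dir()
    for name, pe in find_planted_dlls(sample):
        print(f"{name}: system DLL name in application directory (PE image: {pe})")
```

Run against a real "Downloads" or unpacked installer directory, a non-empty result means the installer would load that file instead of the copy in System32; the expected remediation is to remove the planted file and, on the vendor side, to restrict the loader to the system directory before loading such DLLs.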
stay tuned  
Stefan Kanthak  
2015-12-20 multiple reports sent to vendor  
2015-12-20 one report bounced due to braindead mail setup by vendor  
2015-12-20 resent bounced report via alternative provider  
2015-12-21 vendor acknowledges receipt and names further contact  
2015-12-28 vendor verifies reports, can reproduce it on Windows 7  
2015-12-30 vendor asks for verification:  
"We did not reproduce the vulnerability relating to  
ProfAPI.dll and UXTheme.dll on Windows 7."  
2015-12-31 sent verification to vendor  
2015-12-31 bounced due to braindead mail setup by vendor  
<>: host[]  
said: 554 5.7.1 <>: Recipient address  
rejected: ERS-RBL. (in reply to RCPT TO command)  
<>: host[]  
said: 550 5.7.1 Service unavailable; Client host [] blocked  
using Trend Micro RBL+. Please see; Mail  
from blocked using Trend Micro Email Reputation database.  
Please see <>;  
from=<<> ; SIZE=8184> to=<<>  
; ORCPT=rfc822;> proto=ESMTP  
helo=<> (in reply to end of DATA command)  
2015-12-31 report published: vendor is obviously not interested in