Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormStefan KanthakPACKETSTORM:135099
HistoryDec 31, 2015 - 12:00 a.m.

Trend Micro DLL Hijacking

2015-12-3100:00:00
Stefan Kanthak
packetstormsecurity.com
41
JSON
`Hi @ll,  
  
TrendMicro_MAX_10.0_US-en_Downloader.exe (available from  
<http://trial.trendmicro.com/US/TM/2016/TrendMicro_MAX_10.0_US-en_Downloader.exe>)  
loads and executes ProfAPI.dll and UXTheme.dll (and other DLLs  
too) eventually found in the directory it is started from  
(the "application directory").  
  
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134>  
  
If one of the DLLs named above gets planted in the user's  
"Downloads" directory per "drive-by download" or "social  
engineering" this vulnerability becomes a remote code execution.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it  
as UXTheme.dll in your "Downloads" directory, then copy it as  
ProfAPI.dll;  
  
2. download TrendMicro_MAX_10.0_US-en_Downloader.exe and save it  
in your "Downloads" directory;  
  
3. execute TrendMicro_MAX_10.0_US-en_Downloader.exe from your  
"Downloads" directory;  
  
4. notice the message boxes displayed from the DLLs placed in step 1.  
  
PWNED!  
  
  
For a denial of service instead of arbitrary (remote) code execution  
copy the downloaded UXTheme.dll as OLEAcc.dll and WinSpool.drv.  
This is easily turned into arbitrary (remote) code execution too:  
just add the exports OpenPrinterW, ClosePrinter and DocumentPropertiesW  
respectively LresultFromObject and CreateStdAccessibleObject to the DLL.  
  
  
See <http://seclists.org/fulldisclosure/2015/Nov/101> and  
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as  
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished  
<http://home.arcor.de/skanthak/!execute.html> for more details about  
this well-known and well-documented BEGINNER'S error and why  
executable installers (and self-extractors too) are bad.  
  
  
Additionally, TrendMicro_MAX_10.0_US-en_Downloader.exe creates an  
unsafe temporary directory where it unpacks its payload to and   
executes it from.  
  
...\TrendMicro_MAX_10.0_US-en_Downloader\Agent\TisEzIns.exe loads  
and executes multiple DLLs too from its unsafe application directory:  
ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, UXTheme.dll and  
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll  
and OLEAcc.dll  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
5. unpack TrendMicro_MAX_10.0_US-en_Downloader.exe (basically a  
7-Zip self-extractor) into an arbitrary directory, say "%TEMP%"  
(this creates a subdirectory "%TEMP%\Agent" with the payload);  
  
6. copy the downloaded UXTheme.dll from step 1 into "%TEMP%\Agent",  
then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll,  
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll  
and OLEAcc.dll there;  
  
7. execute "%TEMP%\Agent\TisEZIns.exe";  
  
8. notice the message boxes displayed from the DLLs placed in steps 5  
and 6.  
  
PWNED!  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2015-12-20 multiple reports sent to vendor  
  
2015-12-20 one report bounced due to braindead mail setup by vendor  
  
2015-12-20 resent bounced report via alternative provider  
  
2015-12-21 vendor acknowledges receipt and names further contact  
  
2015-12-28 vendor verifies reports, can reproduce it on Windows 7  
  
2015-12-30 vendor asks for verification:  
"We did not reproduce the vulnerability relating to  
ProfAPI.dll and UXTheme.dll on Windows 7."  
  
2015-12-31 sent verification to vendor  
  
2015-12-31 bounced due to braindead mail setup by vendor  
  
<[email protected]>: host  
support.trendmicro.com.e0018.g0009.ng0090.im.emailsecurity.trendmicro.com[150.70.178.57]  
said: 554 5.7.1 <[email protected]>: Recipient address  
rejected: ERS-RBL. (in reply to RCPT TO command)  
  
<[email protected]>: host sjdc-itpf-04.udc.trendmicro.com[66.180.82.132]  
said: 550 5.7.1 Service unavailable; Client host [151.189.21.43] blocked  
using Trend Micro RBL+. Please see  
http://www.mail-abuse.com/cgi-bin/lookup?ip_address=151.189.21.43; Mail  
from 151.189.21.43 blocked using Trend Micro Email Reputation database.  
Please see <http://www.mail-abuse.com/cgi-bin/lookup?151.189.21.43>;  
from=<<[email protected]> ; SIZE=8184> to=<<[email protected]>  
; ORCPT=rfc822;[email protected]> proto=ESMTP  
helo=<mail-in-03.arcor-online.net> (in reply to end of DATA command)  
  
2015-12-31 report published: vendor is obviously not interested in  
communication  
`
JSON