Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass Vulnerability

🗓️ 28 Sep 2017 00:00:00Reported by hyp3rlinxType 
zdt
 zdt🔗 0day.today👁 48 Views

Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass Vulnerability. Local SYSTEM service bypassed using Windows IFEO

Code
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-IMAGE-FILE-EXECUTION-BYPASS.txt
[+] ISR: ApparitionSec            
  
 
 
Vendor:
==================
www.trendmicro.com
 
 
 
Product:
========
OfficeScan 
v11.0 and XG (12.0)*
 
 
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
 
 
Vulnerability Type:
===================
Image File Execution Bypass
 
 
 
CVE Reference:
==============
N/A
 
 
 
Security Issue:
================
OfficeScan XG "Unauthorized Change Prevention Service" is a Local SYSTEM service that is supposed to protect OfficeScan processes
like "PccNTMon.exe" from being terminated, and also prevents unauthorized arbitrary registry settings being made to the protected
machine even by an Administrator.
 
However, we can easily bypass by exploiting Windows Image File Execution Options (IFEO) to hijack the service process.
IFEO has been used by malwares for some time to prevent process from running or execute a process of an attackers choosing in
place of the process the user expects.
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
 
All an attacker needs to do is create a registry key in IFEO with the same name as "TMBMSRV.exe" which is used by the
"Trend Micro Unauthorized Change Prevention Service" SYSTEM service. After creating this registry key we create a "string value"
named debugger pointing to say "calc.exe", we wait and once system reboots BOOM!
 
 
References:
===========
https://success.trendmicro.com/solution/1118372
 
 
 
Exploit/POC:
=============
 
Reproduction:
 
1) Open registry 
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
 
2) Create a new Key with no name
 
3) Create a new string value under the new key named "debugger" with value of c:\Windows\system32\calc.exe
 
4) Rename the created key to TMBMSRV.exe 
 
5) Reboot system
 
Done!
 
We can then not only Kill TM but write to TrendMicro whitelist key in the registry for our evil binary to be left alone in peace.


#  0day.today [2018-04-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Sep 2017 00:00Current
6.8Medium risk
Vulners AI Score6.8
trend micro officescanimage file executionlocal systemvulnerabilitywindows ifeo
48