Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHyp3rlinx1337DAY-ID-33834
HistoryJan 15, 2020 - 12:00 a.m.

Trend Micro Maximum Security 2019 - Arbitrary Code Execution Vulnerability

2020-01-1500:00:00
hyp3rlinx
0day.today
65

0.001 Low

EPSS

Percentile

49.7%

JSON
# Exploit Title: Trend Micro Maximum Security 2019 - Arbitrary Code Execution
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.trendmicro.com
# Version: Platform Microsoft Windows, Premium Security 2019 (v15), Maximum Security 2019 (v15)
# Internet Security 2019 (v15), Antivirus + Security 2019 (v15)

[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec          


[Vendor]
www.trendmicro.com


[Product]
Trend Micro Security 2019 (Consumer) Multiple Products


Trend Micro Security provides comprehensive protection for your devices.
This includes protection against ransomware, viruses, malware, spyware, and identity theft.


[Vulnerability Type]
Security Bypass Protected Service Tampering


[CVE Reference]
CVE-2019-19697


[Security Issue]
Trend Micro Maximum Security is vulnerable to arbitrary code execution as it allows for creation of registry key to target a process running as SYSTEM.
This can allow a malware to gain elevated privileges to take over and shutdown services that require SYSTEM privileges like Trend Micros "Asmp"
service "coreServiceShell.exe" which does not allow Administrators to tamper with them.

This could allow an attacker or malware to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start.
Note administrator privileges are required to exploit this vulnerability.


[CVSS 3.0 Scores: 3.9]


[Affected versions]
Platform Microsoft Windows
Premium Security 2019 (v15)
Maximum Security 2019 (v15)
Internet Security 2019 (v15)
Antivirus + Security 2019 (v15)


[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx


[Exploit/POC]
1) Create a entry for the following registry key targeting "PtWatchdog.exe" and set the debugger string value to an arbitrary executable to gain SYSTEM privs.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe

2) Create a string named "debugger" under the reg key and give it the value of the executable you wish to run as SYSTEM.

3) Restart the machine or wait until service is restart then you get SYSTEM and can now disable Trend Micro endpoint security coreServiceShell.exe service

Related

prion 1
nvd 1
exploitdb 1
packetstorm 1
exploitpack 1
cvelist 1
cve 1
prion
prion
Remote code execution
2020-01-18 00:15:00
nvd
nvd
CVE-2019-19697
2020-01-18 00:15:12
exploitdb
exploitdb
Trend Micro Maximum Security 2019 - Arbitrary Code Execution
2020-01-17 00:00:00
packetstorm
packetstorm
Trend Micro Security 2019 Security Bypass Protected Service Tampering
2020-01-17 00:00:00
exploitpack
exploitpack
Trend Micro Maximum Security 2019 - Arbitrary Code Execution
2020-01-17 00:00:00
cvelist
cvelist
CVE-2019-19697
2020-01-17 23:45:25
cve
cve
CVE-2019-19697
2020-01-18 00:15:12

0.001 Low

EPSS

Percentile

49.7%

JSON
Related for 1337DAY-ID-33834
prion1nvd1exploitdb1packetstorm1exploitpack1cvelist1cve1