TrendMicro_MAX_10.0_US-en_
<http://trial.trendmicro.com/
loads and executes ProfAPI.dll and UXTheme.dll (and other DLLs
too) if they happen to be present in the directory it is started
from (the "application directory").
For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/
<http://blog.acrossecurity.
and <http://seclists.org/
If one of the DLLs named above gets planted in the user's
"Downloads" directory via a "drive-by download" or "social
engineering", this vulnerability becomes remote code execution.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. visit <http://home.arcor.de/
<http://home.arcor.de/
as UXTheme.dll in your "Downloads" directory, then copy it as
ProfAPI.dll;
2. download TrendMicro_MAX_10.0_US-en_
in your "Downloads" directory;
3. execute TrendMicro_MAX_10.0_US-en_
"Downloads" directory;
4. notice the message boxes displayed from the DLLs placed in step 1.
PWNED!
For a denial of service instead of arbitrary (remote) code execution,
copy the downloaded UXTheme.dll as OLEAcc.dll and WinSpool.drv.
This is easily turned into arbitrary (remote) code execution too:
just add the exports OpenPrinterW, ClosePrinter and DocumentPropertiesW
respectively LresultFromObject and CreateStdAccessibleObject to the DLL.
See <http://seclists.org/
<http://seclists.org/
<http://home.arcor.de/
<http://home.arcor.de/
this well-known and well-documented BEGINNER'S error and why
executable installers (and self-extractors too) are bad.
Additionally, TrendMicro_MAX_10.0_US-en_
unsafe temporary directory where it unpacks its payload to and
executes it from.
...\TrendMicro_MAX_10.0_US-en_
and executes multiple DLLs too from its unsafe application directory:
ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, UXTheme.dll and
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
and OLEAcc.dll.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5. unpack TrendMicro_MAX_10.0_US-en_
7-Zip self-extractor) into an arbitrary directory, say "%TEMP%"
(this creates a subdirectory "%TEMP%\Agent" with the payload);
6. copy the downloaded UXTheme.dll from step 1 into "%TEMP%\Agent",
then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll,
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
and OLEAcc.dll there;
7. execute "%TEMP%\Agent\TisEZIns.exe";
8. notice the message boxes displayed from the DLLs placed in steps 5
and 6.
PWNED!
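As an added defender-side check (not part of this advisory), the following PowerShell script audits the two directories the advisory names, the user's "Downloads" directory and the unpacked "%TEMP%\Agent" payload directory, for files carrying the DLL/DRV names the installer resolves from its application directory, and reports whether each one shadows a System32 DLL, its Authenticode status and its SHA-256. The "%TEMP%\Agent" location and the function name are assumptions taken from step 5 above.

```powershell
# Added example, not code from the advisory: find planted copies of the
# system DLLs that TrendMicro_MAX_10.0_US-en_*.exe / TisEZIns.exe load
# from their application directory.

# DLL/DRV names as listed in the advisory.
$HijackableNames = @(
    'ProfAPI.dll', 'UXTheme.dll', 'NTMarta.dll', 'RASAdHlp.dll',
    'NTShrUI.dll', 'Secur32.dll', 'WinMM.dll', 'Version.dll',
    'WinSpool.drv', 'WinHttp.dll', 'OLEAcc.dll'
)

function Find-PlantedSystemDll {
    param(
        # Assumption: "$env:TEMP\Agent" is where step 5 unpacked the payload.
        [string[]] $Directory = @(
            (Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads'),
            (Join-Path $env:TEMP 'Agent')
        ),
        [string[]] $Name = $HijackableNames
    )
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $Name -contains $_.Name } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [PSCustomObject]@{
                    Path            = $_.FullName
                    # A same-named file in System32 means this copy is picked
                    # up first by any program started from $dir.
                    ShadowsSystem32 = Test-Path -LiteralPath (Join-Path $system32 $_.Name)
                    SignatureStatus = $sig.Status
                    Signer          = $sig.SignerCertificate.Subject
                    SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Every hit is suspect: none of these names belongs in "Downloads" or in an
# unpacked installer directory, whatever its signature says.
Find-PlantedSystemDll | Format-Table -AutoSize
```

Run it before launching a downloaded installer; an unsigned hit (SignatureStatus "NotSigned") in either directory is exactly the planted file steps 1 and 6 describe.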
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2015-12-20 multiple reports sent to vendor
2015-12-20 one report bounced due to braindead mail setup by vendor
2015-12-20 resent bounced report via alternative provider
2015-12-21 vendor acknowledges receipt and names further contact
2015-12-28 vendor verifies reports, can reproduce it on Windows 7
2015-12-30 vendor asks for verification:
"We did not reproduce the vulnerability relating to
ProfAPI.dll and UXTheme.dll on Windows 7."
2015-12-31 sent verification to vendor
2015-12-31 bounced due to braindead mail setup by vendor
<GCC_CONSRECEIVE@support.
support.trendmicro.com.e0018.
said: 554 5.7.1 <GCC_CONSRECEIVE@support.
rejected: ERS-RBL. (in reply to RCPT TO command)
<tm-csirt@trendmicro.com>: host sjdc-itpf-04.udc.trendmicro.
said: 550 5.7.1 Service unavailable; Client host [151.189.21.43] blocked
using Trend Micro RBL+. Please see
http://www.mail-abuse.com/cgi-
from 151.189.21.43 blocked using Trend Micro Email Reputation database.
Please see <http://www.mail-abuse.com/
from=<<stefan.kanthak@nexgo.de
; ORCPT=rfc822;tm-csirt@
helo=<mail-in-03.arcor-online.
2015-12-31 report published: vendor is obviously not interested in
communication