Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16013
HistoryFeb 11, 2007 - 12:00 a.m.

[Reversemode Advisory] TrendMicro Products - multiple privilege escalation vulnerabilities.

2007-02-1100:00:00
vulners.com
2
JSON

Trend Micro Products
Multiple Local Privilege Escalation Vulnerabilities

Discovered by: Rubйn Santamarta <[email protected]>

Affected products:
Client / Server / Messaging Security for SMB – 3.5
PC-cillin Internet Security - 2007, Trend Micro AntiVirus – 2007
Trend Micro Anti-Spyware for SMB – 3.2
Trend Micro Anti-Spyware for Enterprise – 3.0
Trend Micro Anti-Spyware for Consumer - 3.5

TmComm.sys is exposed through the following Dos Device:“\\.\TmComm”. Any
logged user can take advantage of the weak permissions applied on this
device in order to execute arbitrary code with elevated privileges.

DosDevice: \\.\TmComm
Driver: tmcomm.sys Version: 1.5.0.1052
.data:0001BE24 dd 9000402Bh ; IOCTL #1
.data:0001BE28 dd offset sub_134B8 ; local dispatcher #1
.data:0001BE2C dd 9000402Fh ; IOCTL #2
.data:0001BE30 dd offset sub_1352C ; local dispatcher #2
.data:0001BE34 dd 90004027h ; IOCTL #3
.data:0001BE38 dd offset sub_135A0 ; local dispatcher #3
.data:0001BE3C dd 0FFFFFFFFh ; Table End.

Each IOCTL has an internal command table associated.
i.e Local dispatcher routine #1 - IOCTL 0x9000402B

DosDevice: \\.\TmComm
Driver: tmcomm.sys Version: 1.5.0.1052
.text:000134D9 cmp dword ptr [ecx], 4Ch ; Input Buffer length
.text:000134DC jnz short loc_1351B
.text:000134DE cmp dword ptr [ecx+4], 4Ch ; Output Buffer length
.text:000134E2 jnz short loc_1351B
.text:000134E2 jnz short loc_1351B
.text:000134E4 xor ecx, ecx
.text:000134E6 cmp off_1BEDC, ecx
.text:000134EC jz short loc_13520
.text:000134EE mov edx, [esi] ; int
.text:000134F0 loc_134F0: ; CODE XREF: sub_134B8+54#j
.text:000134F0 cmp dword_1BED8[ecx8], edx
.text:000134F7 jnz short loc_13503
.text:000134F9 cmp off_1BEDC[ecx8], 0
.text:00013501 jnz short loc_13510
.text:00013503 loc_13503: ; CODE XREF: sub_134B8+3F#j
.text:00013503 inc ecx ; ;InternalCommandIndex
.text:00013504 cmp off_1BEDC[ecx*8], 0
.text:0001350C jnz short loc_134F0
.text:0001350E jmp short loc_13520
.text:00013510 ;

.text:00013510
.text:00013510 loc_13510: ; CODE XREF: sub_134B8+49#j
.text:00013510 push edi ; int
.text:00013511 push esi ; int
.text:00013512 call off_1BEDC[ecx8] ; IOCTL_1[InternalCommandIndex8]

Let's see the table :

DosDevice: \\.\TmComm
Driver: tmcomm.sys Version: 1.5.0.1052
.data:0001BED8 dd 2713h ; Internal Command Code #1.1
.data:0001BEDC dd offset sub_13456 ; Routine Associated #1.1
.data:0001BEE0 dd 2711h ; …
.data:0001BEE4 dd offset dword_13320+2
.data:0001BEE8 dd 2710h
.data:0001BEEC dd offset sub_13288
.data:0001BEF0 dd 2712h
.data:0001BEF4 dd offset sub_133BE
.data:0001BEF8 dd 0FFFFFFFFh ; Table End

These IOCTLs are generated as METHOD_NEITHER, since the driver is not
sanitizing any pointer embedded within user-mode buffers there are
dozens of ways for executing arbitrary code in Ring0.

Exploits:
No exploits are released. Ethical security companies can contact for
requesting samples : [email protected]

References:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&amp;id=EN-1034432
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=469
[PDF]http://www.reversemode.com/index.php?option=com_remository&amp;Itemid=2&amp;func=fileinfo&amp;id=45

JSON