Vendor: Trend Micro Antivirus
By: Anonymous
CVSS: 9 (CRITICAL)
Type: Path Traversal, Header Injection, XSS
CWE: 22
Product Name: Trend Micro Antivirus
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: core_service_shell.exe
Metasploit:
Other Scripts:
Platforms Tested: Windows
Year: 2020

Vulnerabilities in Trend Micro Antivirus CoreServiceShell.exe

The Trend Micro Antivirus process CoreServiceShell.exe runs as NT AUTHORITY\SYSTEM and includes an HTTP daemon on localhost port 37848 that has multiple vulnerabilities. Its /loadhelp/ and /wtp/ endpoints reject only the literal "../.." and can therefore be traversed with the Windows separator form "..\.."; request parameters are reflected into response headers without any line-break filtering (header injection); and loader.html navigates to whatever follows "?" in its URL, including javascript: URLs, which is an XSS. The traversal and header-injection bugs can be combined to remotely read files as SYSTEM on a machine running Trend Micro, and the loader.html redirect can be used with the traversal to reach arbitrary local files as well.

Mitigation:

The daemon should percent-decode each request path, treat both "/" and "\" as separators, canonicalise the result and serve it only if it still lies under the intended document root; a substring test for "../.." is not a path check. Request parameters that are reflected into response headers (for example the URL parameter of /continue/) must be rejected, or at the very least stripped of CR, LF and NUL, before they reach the wire. loader.html should not navigate to whatever follows "?" in its URL; it should accept only same-origin help paths and refuse javascript: and other non-HTTP schemes. Access to the daemon's file-serving endpoints should also be restricted so that pages from other origins cannot read local files with the service's SYSTEM privileges.

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775

The main component of Trend Micro Antivirus is CoreServiceShell.exe, which runs as NT AUTHORITY\SYSTEM.

The CoreServiceShell includes an HTTP daemon, which is used for redirecting network content inspection among other things. For example, if you attempt to visit a blacklisted page, the request is redirected to http://localhost:37848/ and a warning page is displayed.

There are multiple problems with this daemon. First of all, there's a trivial path traversal in the /loadhelp/ and /wtp/ endpoints. The daemon checks paths for "../..", but this doesn't work because you can just use "..\..", which is an entirely valid path separator on Windows.

There are also some trivial header injection bugs, e.g.:

http://localhost:37848/continue/TiCredToken=29579&Source=&URL=%0aContent-Type:%20text/html%0aContent-Length:%2032%0a%0a<h1>hello</h1>

By combining these two issues, you can remotely access files as SYSTEM on a Trend Micro machine.

I happened to notice another problem: the file loader.html has an obvious XSS if the window is 10px wide. I know that's an odd condition, but an attacker can easily force that with something like:

<iframe width="26px" scrolling="no" src="http://localhost:37848/LocalHelp/loader?javascript:alert(1)">

The code is like this:

	// Excerpt from loader.html (getStyle is not shown in the excerpt).
	// The width test is the only guard; whatever follows "?" in the URL
	// becomes the navigation target, including a javascript: URL.
	var st = getStyle("a", "width");

	if (st == "10px") {
		var queryString = window.location.search;
		if (queryString.length > 0 && queryString.charAt(0) == "?") {
			var url = queryString.substr(1);
		}
		window.location.href = url;
	}

I honestly have no idea what the author intended, but this bug can be used with the path traversal to access arbitrary local files, or even authenticated remote files by forcing them to be downloaded (<a href=foo download>.click())
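The loader.html redirect as the report describes it, beside a version that only follows same-origin help paths, as an added example written for this page (it is not the original loader.html and not Trend Micro's fix). The page URL, the allowed path prefix, the function names and the sample query strings are assumptions; only the `?javascript:alert(1)` payload comes from the report.

```javascript
// Added example, not Trend Micro code: the query-string redirect from
// loader.html in weak and hardened form. PAGE_URL, ALLOWED_PREFIX and the
// function names are assumptions made for this example.
const PAGE_URL = "http://localhost:37848/LocalHelp/loader";
const ALLOWED_PREFIX = "/LocalHelp/";

// Modelled on the report: whatever follows "?" becomes the redirect target,
// so "?javascript:alert(1)" runs script in the daemon's origin. Takes the
// value of window.location.search; returns undefined with no query, as the
// original does (the 10px width guard is omitted here).
function vulnerableTarget(search) {
  let url;
  if (search.length > 0 && search.charAt(0) === "?") {
    url = search.substr(1);
  }
  return url;
}

// Hardened: parse the candidate against the page URL so relative,
// protocol-relative and backslash forms are canonicalised first, then
// require http(s), the page's own origin and a path under ALLOWED_PREFIX.
// Returns the absolute URL to navigate to, or null.
function safeTarget(search, pageUrl = PAGE_URL, prefix = ALLOWED_PREFIX) {
  if (search.length < 2 || search.charAt(0) !== "?") return null;
  let target;
  try {
    target = new URL(search.slice(1), pageUrl);
  } catch (e) {
    return null; // unparseable candidate
  }
  const page = new URL(pageUrl);
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (target.origin !== page.origin) return null;
  // pathname is already normalised: "..", "\" and "%2e%2e" are resolved
  // by the URL parser before this prefix test runs.
  if (!target.pathname.startsWith(prefix)) return null;
  return target.href;
}

// In the browser the hardened page would do:
//   const t = safeTarget(window.location.search);
//   if (t !== null) window.location.href = t;
console.log(vulnerableTarget("?javascript:alert(1)"));   // javascript:alert(1)
console.log(safeTarget("?javascript:alert(1)"));         // null
console.log(safeTarget("?en/index.html"));               // same-origin help page
```

The important detail is that the prefix check runs on the parsed `pathname`, not on the raw query string: a raw `startsWith("/LocalHelp/")` test would pass `/LocalHelp/..\..\windows\win.ini`, while the URL parser folds the backslashes and `..` segments into `/windows/win.ini` before the comparison.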