Title:
======
Trend Micro DirectPass 1.5.0.1060 - Multiple Software Vulnerabilities


Date:
=====
2013-05-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951
(http://www.youtube.com/watch?v=Mbf0KqvSERs)

VL-ID:
=====
894


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to 
remember one password. Other features include: Keystroke encryption, secure password generation, automatic 
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online accounts with just one 
password and automatically login to your websites with one click. More Security - You get an extra layer of 
online security with a specially designed browser for online banking and financial websites and protection 
from keylogging malware. No Hassles – You don’t have to be technical wizard to benefit from this password 
service, it’s simple to use. Confidence – You can have peace-of-mind using a password service provided by 
an Internet security provider with 20+ years of experience. All Your Devices – You can use DirectPass 
password manager on Windows PCs, Android mobile, Android Tablet, iPads and iPhones, and all devices are 
automatically encrypted and synchronized using the cloud

(Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software.


Report-Timeline:
================
2013-03-08:  Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09:  Vendor Notification (Trend Micro - Security Team)
2013-03-16:  Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09:  Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15:  Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21:  Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Trend Micro
Product: DirectPass 1.5.0.1060


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The vulnerability allows local low privileged system user accounts to inject system specific commands or local 
path requests to compromise the software.

The vulnerability is located in the direct-pass master password setup module of the Trend Micro InstallWorkspace.exe file.
The master password module of the software allows users to review the included password in the secound step for security 
reason. The hidden protected master password will only be visible in the check module when the customer is processing to 
mouse-over onto the censored password field. When the software is processing to display the hidden password in plain the 
command/path injection will be executed out of the not parsed master password context in in the field listing.

Exploitation of the vulnerability requires a low privilege system user account with direct-pass access and low or medium 
user interaction. Successful exploitation of the vulnerability results in software and system process compromise or 
execution of local system specific commands/path.

Vulnerable File(s):
        [+] InstallWorkspace.exe

Vulnerable Module(s):
        [+] Setup Master Password

Vulnerable Parameter(s):
        [+] Master Password

Affected Module(s):
        [+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to implement/inject malicious script code on 
application side (persistent) of the software.

The persistent web vulnerability is located in the direct-pass check module when processing to list a manipulated master password. 
In step one injects a malicious iframe in the hidden fields as master password. The inserted context will be saved and the execution 
will be in the next step when processing to list the master password context in the last check module. To bypass the validation the 
and execute the injected script code the attacker needs to split (%20) the input request.

Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing, 
persistent external redirects to malware or scam and persistent web context manipulation of the affected vulnerable module.

Vulnerable File(s):
        [+] InstallWorkspace.exe

Vulnerable Module(s):
        [+] Setup Master Password

Vulnerable Parameter(s):
        [+] Master Password

Affected Module(s):
        [+] Check Listing (Master Password) 



1.3
A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to crash the software via pointer vulnerability.

The pointer vulnerability is also located in the direct-pass master password listing section. Attackers can inject scripts with 
loops  to mouse-over multiple times the hidden password check listing of the master password. The result is a stable cash down 
of the InstallWorkspace.exe. The problem occurs in the libcef.dll (1.1.0.1044)of the trend micro direct-pass software core.

Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass.
Successful exploitation of the denial of service vulnerability can lead to a software core crash and also stable software module hangups.

Vulnerable File(s):
        [+] InstallWorkspace.exe

Vulnerable Library:
        [+] libcef.dll (Dynamic Link Library)

Vulnerable Module(s):
        [+] Check Listing (Master Password) 

Vulnerable Parameter(s):
        [+] Master Password


Proof of Concept:
=================
1.1
The code injection vulnerability can be exploited by local attackers with privileged system user account and medium or high user interaction. 
For demonstration or reproduce ...

PoC:
B%20>">../;'[COMMAND|PATH INJECT!]>
Example Path: C:\Users\BKM\TrendMicro DirectPass

Note: The bug allows attackers to request local restricted folders with the system software privileges to manipulate software files and the 
bound dynamic link libraries.


1.2
The persistent script code inject vulnerability can be exploited by local attackers with privileged system user account and medium 
or high user interaction. For demonstration or reproduce ...

PoC: (Input)
B%20>"<iframe src=a>[PERSISTENT SCRIPT CODE!]

Note: The master password is restricted to 20 chars per field on insert. The execution of persistent injected frames works also with external source.


1.3
The pointer (DoS) vulnerability can be exploited by local attackers with privileged system user account and low, medium or high user interaction.
For demonstration or reproduce ...

Path:       C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI
Dynamic Link Library:   libcef.dll

PoC: (Input)
%20%000000---%000%20

Note: The string crashs the master password check review module and the installworkspace.exe software process via null pointer (Dos) bug.
The reproduce of the vulnerability can result in a permanent denial of service when the context is saved in the first instance and the save 
has been canceled.

Critical Note: When i was checking the section i was thinking about how to use the injected code in the section to get access to the stored password.
I was processing to load my debugger and attached it to the process when the request was sucessful and saved the address.
After it i reproduced the same request with attached debugger and exploited the issue in the local cloud software mask.
Then i was reviewing the changes and was able to use the injected frame test to see the location of the memory in the debugger. 
By processing to inject more and more context i was able to see were the location of the password in the memory has been stored when the software 
is processing to redisplay the saved temp password. Since today i have never seen this kind of method in any book or paper but i am sure i will 
soon write about the incident.


Solution:
=========
Both vulnerabilities can be patched by a secure parse or encode of the master password listing in the master password check module of the software.
Filter and parse the master password and description security tip input fields.
For the denial of service issue is no solution available yet but the fixes will prevent the manually exploitation of the issue.


Note: The update is available from the update-server since the 12th may but trend micro says it was the 9th may.
On the 18th we downloaded again the main software direct-pass and tested the core without an update and it was still vulnerable.
To fix the issue in the software an update from the update-server  is required after the install.


Risk:
=====
1.1
The security risk of the local command/path injection software vulnerability in the directpass software core is estimated as high(-).

1.2
The security risk of the persistent scirpt code inject vulnerability is estimated as medium(+).

1.3
The security risk of the pointer (DoS) software vulnerability is estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com             - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com   - support@vulnerability-lab.com          - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com   - forum.vulnerability-lab.com            - news.vulnerability-lab.com
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab          - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

                 Copyright © 2013 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com