exploit the possibilities

Trend Maximum Security 2019 Unquoted Search Path

Trend Maximum Security 2019 Unquoted Search Path
Posted Aug 24, 2019
Authored by Silton Santos

Trend Maximum Security 2019 suffers from an unquoted search path vulnerability. This application provides an unquoted path in the parameter lpApplicationName of the function CreateProcessW during process create PwmConsole.exe --- which is triggered from the feature PC Health Checkup. If an attacker has write permissions to C:\ or C:\Program Files\, it could deliver an arbitrary executable named Program.exe or Trend.exe which would be executed by the coreServiceShell process. coreServiceShell is a privileged process that will run Program.exe with same privilege.

tags | advisory, arbitrary
advisories | CVE-2019-14685
MD5 | bbe0cfc27ac89fd49ed6a2d8487c2970

Trend Maximum Security 2019 Unquoted Search Path

Change Mirror Download
=====[ Tempest Security Intelligence - ADV-02/2019 ]==========================

Trend Maximum Security 2019
Author: Silton Santos
Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]=====================================================

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability Information]=============================================

* Class: Unquoted Search Path or Element [CWE-428][1]
* CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
* CVE-2019-14685

=====[ Overview]==============================================================

* System affected : Trend Maximum Security 2019.[2]
* Impact : An user could obtain SYSTEM privileges.

=====[ Detailed description]==================================================

This application provide a unquoted path in the parameter lpApplicationName
of the function CreateProcessW during process create PwmConsole.exe ---
which is triggered from the feature PC Health Checkup.

If an attacker has write permissions to C:\ or C:\Program Files\, it could
deliver an arbitrary executable named Program.exe or Trend.exe which would
be executed by the coreServiceShell process.

coreServiceShell is a privileged process that will run Program.exe with same privilege.

More Details: https://medium.com/sidechannel-br/vulnerabilidade-no-trend-micro-maximum-security-2019-permite-a-escalação-de-privilégios-no-windows-471403d53b68


=====[ Timeline of disclosure]===============================================

* 24/04/2019 - Responsible disclosure started with Trend Micro;
* 25/04/2019 - Analysis of the issue is started;
* 10/05/2019 - Trend Micro requires more information about the PoC;
* 22/05/2019 - Vendor developed and sent patch and asked for an analysis of the fix;
* 28/05/2019 - Trend Micro thanked for the help and mentioned the process os aknowledgement
(which includes the CVE reservation and Security Advisory post in in their webpage);
* 31/07/2019 - Vendor issued a new patch and sent it to be analysed;
* 13/08/2019 - CVE-2019-14685 was reserved, and a link to security advisory was provided.


=====[ Thanks & Acknowledgements]============================================

- Tempest Security Intelligence [3]

=====[ References ]===========================================================

[1] https://cwe.mitre.org/data/definitions/428.html

[2] https://esupport.trendmicro.com/en-us/home/pages/technical-support/1123420.aspx

[3] http://www.tempest.com.br

=====[ EOF ]====================================================================
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    11 Files
  • 14
    May 14th
    9 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close