what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TrendMicro Anti-Threat Toolkit Improper Fix

TrendMicro Anti-Threat Toolkit Improper Fix
Posted Jan 30, 2020
Authored by Stefan Kanthak

The fix that was applied to address a code execution vulnerability in Trend Micro Anti-Threat Toolkit (ATTK) was insufficient.

tags | exploit, code execution
advisories | CVE-2019-20358, CVE-2019-9491
SHA-256 | b9b4e23fba87a6da6a86f939c567edd6b4d826078dea81dcf76c39a0ac44882c

TrendMicro Anti-Threat Toolkit Improper Fix

Change Mirror Download
Hi @ll,

on September 29, 2019, John Page reported a remote code execution
with escalation of privilege in TrendMicro's Anti-Threat Toolkit
to its vendor.
TrendMicro assigned CVE-2019-9491 to this vulnerability and told
the reporter, his dog and the world on October 18, 2019, that they
had fixed the vulnerable product.

See <https://success.trendmicro.com/solution/000149878>,
<https://seclists.org/fulldisclosure/2019/Oct/42> and
<http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt>

TrendMicro's claim was but wrong, the vulnerability was NOT FIXED!

The files attk_ScanCleanOffline_gui_x86.exe, attk_collector_cli_x86.exe,
attk_ScanCleanOffline_gui_x64.exe and attk_collector_cli_x64.exe
offered on <https://spnsupport.trendmicro.com/> were STILL vulnerable,
as was their payload!


Vulnerability #1:
~~~~~~~~~~~~~~~~~

On a fully patched Windows 7 SP1, the executable self-extractors
attk_ScanCleanOffline_gui_x86.exe, attk_collector_cli_x86.exe,
attk_ScanCleanOffline_gui_x64.exe and attk_collector_cli_x64.exe
loaded and executed at least the following DLLs from their
"application directory", typically the user's "Downloads" folder
%USERPROFILE%\Downloads\, instead from Windows' "system directory"
%SystemRoot%\System32\
VERSION.dll, IPHLPAPI.dll, WINNSI.dll, WINHTTP.dll, WEBIO.dll,
DHCPCSVC.dll, CRYPTSP.dll, BCRYPT.dll, NCRYPT.dll, DNSAPI.dll,
RASADHLP.dll, PROPSYS.dll, APPHELP.dll

On other versions of Windows this list varied, but some DLLs were
ALWAYS loaded from the "application directory"!

This BEGINNER's error is well-known and well-documented since MORE
than 20 years:
see <https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://blogs.msdn.microsoft.com/david_leblanc/2008/02/20/dll-preloading-attacks/>,
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://www.binaryplanting.com/index.htm>,
<https://attack.mitre.org/wiki/Technique/T1073>,
<https://skanthak.homepage.t-online.de/sentinel.html>,
<https://skanthak.homepage.t-online.de/verifier.html>,
<https://skanthak.homepage.t-online.de/!execute.html>,
<https://skanthak.homepage.t-online.de/minesweeper.html>


Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Follow <https://skanthak.homepage.t-online.de/minesweeper.html>,
build a "minefield" of forwarder DLLs, then copy attk_*.exe into
the directory where you built the DLLs and execute it: enjoy the
multiple message boxes displayed from the forwarder DLLs.


Vulnerability #2:
~~~~~~~~~~~~~~~~~

On all versions of Windows, the batch script batCollector.bat,
unpacked from the executable extractors, which controls execution
of the TrendMicro AntiThreat Toolkit itself, executed
findstr.com/findstr.exe/findstr.bat/findstr.cmd
plus
REG.com/REG.exe/REG.bat/REG.cmd
(see the environment variable PATHEXT for the extensions) from
the directory
"TrendMicro AntiThreat Toolkit\HC_ATTK"
where the batch script batCollector.bat lives:

--- batCollector.bat ---

| @echo off
| setlocal disableDelayedExpansion
| set wd=%~dp0
| cd /d %wd%
...
| for /f "tokens=*" %%a in ('findstr BatCollector= ..\..\config.ini') do (
...
| REG EXPORT ...
...

findstr and REG are called in the script without file extension and
without path (although BOTH are well-known), so CMD.exe runs
findstr.com/findstr.exe/findstr.bat/findstr.cmd and
REG.com/REG.exe/REG.bat/REG.cmd from its "current working directory"
"TrendMicro AntiThreat Toolkit\HC_ATTK"

The missing path and extension are BEGINNER'S error #2.

Again see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
and <https://capec.mitre.org/data/definitions/471.html>


Vulnerability #3:
~~~~~~~~~~~~~~~~~

The executable self-extractors fail to restrict (at least write)
access to this directory for UNPRIVILEGED users, i.e. allow write
access only for members of the "Administrators" group: this is
BEGINNER'S error #3.

In standard installations of Windows, where the qUACkery-controlled
user account created during setup is used, this UNPROTECTED directory
is therefore writable by the UNPRIVILEGED user who can place a rogue
findstr.com/findstr.exe/findstr.bat/findstr.cmd and
REG.com/REG.exe/REG.bat/REG.cmd there ... and gains administrative
privileges!

Additionally an UNPRIVILEGED attacker can add arbitrary command
lines to the UNPROTECTED batch script batCollector.bat between its
creation and its execution, or replace it completely.

Again see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
and <https://capec.mitre.org/data/definitions/471.html>,
plus <https://cwe.mitre.org/data/definitions/732.html>,
<https://cwe.mitre.org/data/definitions/377.html>,
<https://cwe.mitre.org/data/definitions/379.html>
and <https://capec.mitre.org/data/definitions/29.html>


stay tuned, and FAR AWAY from so-called security products:
their "security" is typically worse than that of the products
they claim to protect!

Stefan Kanthak

PS: the TrendMicro Anti-Threat Toolkit inspected in October 2019
was built from scrap: the developers used VisualStudio 2008
(end-of-life since two years), linked against an outdated and
vulnerable LIBCMT, shipped an outdated and vulnerable cURL 7.48
plus an outdated and vulnerable libeay32.dll 1.0.1.17 (OpenSSL
1.0.1 is end-of-life since more than 3 years; the last version
was 1.0.1.20).
This POOR (really: TOTAL lack of proper) software engineering
alone disqualifies this vendor and its "security" products!

JFTR: "they'll never come back" (really: developers SELDOM learn)
<https://seclists.org/fulldisclosure/2010/Sep/332>
<https://seclists.org/fulldisclosure/2015/Dec/128>


Timeline:
~~~~~~~~~

2019-10-23 sent reports for both vulnerabilities to vendor

2019-10-25 vendor acknowledged receipt

2020-01-07 CVE-2019-20358 assigned by vendor

2020-01-29 updated advisory published by vendor

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close