Title:
======
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities


Date:
=====
2013-05-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951


VL-ID:
=====
894


Common Vulnerability Scoring System:
====================================
6.1

Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to
remember one password. Other features include: Keystroke encryption, secure password generation, automatic
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online accounts with just one
password and automatically login to your websites with one click. More Security - You get an extra layer of
online security with a specially designed browser for online banking and financial websites and protection
from keylogging malware. No Hassles – You don’t have to be a technical wizard to benefit from this password
service, it’s simple to use. Confidence – You can have peace-of-mind using a password service provided by
an Internet security provider with 20+ years of experience. All Your Devices – You can use DirectPass
password manager on Windows PCs, Android mobile, Android Tablet, iPads and iPhones, and all devices are
automatically encrypted and synchronized using the cloud.

(Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 software.

Report-Timeline:
================
2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published


Affected Products:
==================
Trend Micro
Product: DirectPass 1.5.0.1060


Exploitation-Technique:
=======================
Local


Severity:
=========
High

Details:
========
1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 software.
The vulnerability allows local low-privileged system user accounts to inject system-specific commands or local
path requests to compromise the software.

The vulnerability is located in the DirectPass master password setup module of the Trend Micro InstallWorkspace.exe file.
The master password module of the software allows users to review the entered password in the second step for security
reasons. The hidden (masked) master password only becomes visible in the check module when the customer moves the mouse
over the censored password field. When the software displays the hidden password in plain text, the command/path
injection is executed from the unparsed master password context in the field listing.

Exploitation of the vulnerability requires a low-privileged system user account with DirectPass access and low or medium
user interaction. Successful exploitation of the vulnerability results in software and system process compromise or
execution of local system-specific commands/paths.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Module(s):
[+] Setup Master Password

Vulnerable Parameter(s):
[+] Master Password

Affected Module(s):
[+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 software.
The bug allows local attackers with a low-privileged system user account to inject malicious script code on the
application side (persistent) of the software.

The persistent web vulnerability is located in the DirectPass check module when it lists a manipulated master password.
In step one the attacker injects a malicious iframe into the hidden fields as the master password. The inserted context
is saved and executes in the next step, when the master password context is listed in the last check module. To bypass
the validation and execute the injected script code the attacker needs to split (%20) the input request.

Exploitation of the vulnerability requires medium user interaction and a low-privileged system user account with DirectPass.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing,
persistent external redirects to malware or scam sites and persistent web context manipulation of the affected vulnerable module.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Module(s):
[+] Setup Master Password

Vulnerable Parameter(s):
[+] Master Password

Affected Module(s):
[+] Check Listing (Master Password)


1.3
A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 software.
The bug allows local attackers with a low-privileged system user account to crash the software via the pointer vulnerability.

The pointer vulnerability is also located in the DirectPass master password listing section. Attackers can inject scripts
with loops that mouse over the hidden password check listing of the master password multiple times. The result is a stable
crash of InstallWorkspace.exe. The problem occurs in libcef.dll (1.1.0.1044) of the Trend Micro DirectPass software core.

Exploitation of the vulnerability requires medium user interaction and a low-privileged system user account with DirectPass.
Successful exploitation of the denial of service vulnerability can lead to a software core crash and also stable software module hang-ups.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Library:
[+] libcef.dll (Dynamic Link Library)

Vulnerable Module(s):
[+] Check Listing (Master Password)

Vulnerable Parameter(s):
[+] Master Password

1.1 - 1.3
Product/Version:
[+] Trend Micro DirectPass - All

Affected OS:
[+] Windows - 7 32-bit, 7 64-bit
[+] Windows 8 32-bit & 64-bit + RT
[+] Vista 32-bit & Vista 64-bit
[+] XP Home & XP Professional


Proof of Concept:
=================
1.1
The code injection vulnerability can be exploited by local attackers with a privileged system user account and medium or high user interaction.
For demonstration or to reproduce ...

PoC:
B%20>">../;'[COMMAND|PATH INJECT!]>
Example Path: C:\Users\BKM\TrendMicro DirectPass

Note: The bug allows attackers to request locally restricted folders with the system software privileges and to manipulate software files and the
bound dynamic link libraries.


1.2
The persistent script code injection vulnerability can be exploited by local attackers with a privileged system user account and medium
or high user interaction. For demonstration or to reproduce ...

PoC: (Input)
B%20>"<iframe src=a>[PERSISTENT SCRIPT CODE!]

Note: The master password is restricted to 20 characters per field on insert. The execution of persistently injected frames also works with an external source.


1.3
The pointer (DoS) vulnerability can be exploited by local attackers with a privileged system user account and low, medium or high user interaction.
For demonstration or to reproduce ...

Path: C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI
Dynamic Link Library: libcef.dll

PoC: (Input)
%20%000000---%000%20

Note: The string crashes the master password check review module and the installworkspace.exe software process via a null pointer (DoS) bug.
Reproducing the vulnerability can result in a permanent denial of service when the context is saved in the first instance and the save
has been canceled.

Critical Note: When I was checking the section I was thinking about how to use the injected code in the section to get access to the stored password.
I was loading my debugger and attached it to the process when the request was successful and saved the address.
After that I reproduced the same request with the attached debugger and exploited the issue in the local cloud software mask.
Then I was reviewing the changes and was able to use the injected frame test to see the location of the memory in the debugger.
By injecting more and more context I was able to see where the location of the password in the memory has been stored when the software
is processing to redisplay the saved temp password. Until today I have never seen this kind of method in any book or paper but I am sure I will
soon write about the incident.


Solution:
=========
Both vulnerabilities can be patched by securely parsing or encoding the master password listing in the master password check module of the software.
Filter and parse the master password and description security tip input fields.
For the denial of service issue no solution is available yet, but the fixes will prevent manual exploitation of the issue.


Note: The update has been available from the update server since 12 May, but Trend Micro says it was 9 May.
On 18 May we downloaded the main DirectPass software again and tested the core without an update; it was still vulnerable.
To fix the issue in the software, an update from the update server is required after the install.
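As an added illustration of the fix described above (example code written for this edit, not Trend Micro's or Vulnerability Lab's), a Python model of a hardened check-listing renderer: it percent-decodes the submitted value before validating (so a %20-split input cannot slip past the check), rejects control characters such as the %00 bytes in the DoS input, enforces the 20-character limit the advisory mentions, and HTML-escapes the value at display time so an injected iframe is shown as text rather than interpreted by the CEF-based UI. The function and class names, and the assumption that the limit applies to the decoded value, are mine.

```python
import html
import re
from urllib.parse import unquote

# Limit quoted in the advisory: 20 characters per master-password field.
# Assumption: the limit is enforced on the decoded value.
MAX_MASTER_PASSWORD_LEN = 20

# Anything below 0x20 plus DEL is rejected; the advisory's DoS input relies on
# embedded %00 bytes reaching the renderer.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class MasterPasswordError(ValueError):
    """Raised when a master password fails validation after canonicalisation."""


def canonicalise(raw: str) -> str:
    """Percent-decode the submitted value so validation sees what the renderer
    will see. Validating the still-encoded form is what lets a %20-split
    payload through."""
    return unquote(raw)


def validate(password: str) -> str:
    """Reject control characters and over-long values; return the value."""
    if _CONTROL_CHARS.search(password):
        raise MasterPasswordError("control characters are not allowed")
    if len(password) > MAX_MASTER_PASSWORD_LEN:
        raise MasterPasswordError("master password exceeds 20 characters")
    return password


def is_accepted(raw: str) -> bool:
    """True if the submitted value survives canonicalisation and validation."""
    try:
        validate(canonicalise(raw))
        return True
    except MasterPasswordError:
        return False


def render_check_listing(raw: str) -> str:
    """Return the HTML fragment the check module would display (hypothetical markup).

    Special characters are legitimate in a password, so the value is kept as
    typed; it is escaped at output time so that markup such as <iframe> can
    only ever appear as literal text in the listing.
    """
    password = validate(canonicalise(raw))
    return '<span class="masked-password">%s</span>' % html.escape(password, quote=True)
```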


Risk:
=====
1.1
The security risk of the local command/path injection software vulnerability in the DirectPass software core is estimated as high(-).

1.2
The security risk of the persistent script code injection vulnerability is estimated as medium(+).

1.3
The security risk of the pointer (DoS) software vulnerability is estimated as medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com