[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 21 May 2013 00:29:19 +0100
Title:
======
Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software 
Vulnerabilities


Date:
=====
2013-05-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): 
http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951


VL-ID:
=====
894


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure 
location, so you only need to 
remember one password. Other features include: Keystroke encryption, secure 
password generation, automatic 
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online 
accounts with just one 
password and automatically login to your websites with one click. More Security 
- You get an extra layer of 
online security with a specially designed browser for online banking and 
financial websites and protection 
from keylogging malware. No Hassles – You don’t have to be technical wizard to 
benefit from this password 
service, it’s simple to use. Confidence – You can have peace-of-mind using a 
password service provided by 
an Internet security provider with 20+ years of experience. All Your Devices – 
You can use DirectPass 
password manager on Windows PCs, Android mobile, Android Tablet, iPads and 
iPhones, and all devices are 
automatically encrypted and synchronized using the cloud

(Copy of the Vendor Homepage: 
http://www.trendmicro.com/us/home/products/directpass/index.html )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple software 
vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software.


Report-Timeline:
================
2013-03-08:     Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09:     Vendor Notification (Trend Micro - Security Team)
2013-03-16:     Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09:     Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15:     Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21:     Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Trend Micro
Product: DirectPass 1.5.0.1060


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
1.1
A local command injection vulnerability is detected in the official Trend Micro 
DirectPass v1.5.0.1060 Software.
The vulnerability allows local low privileged system user accounts to inject 
system specific commands or local 
path requests to compromise the software.

The vulnerability is located in the direct-pass master password setup module of 
the Trend Micro InstallWorkspace.exe file.
The master password module of the software allows users to review the included 
password in the secound step for security 
reason. The hidden protected master password will only be visible in the check 
module when the customer is processing to 
mouse-over onto the censored password field. When the software is processing to 
display the hidden password in plain the 
command/path injection will be executed out of the not parsed master password 
context in in the field listing.

Exploitation of the vulnerability requires a low privilege system user account 
with direct-pass access and low or medium 
user interaction. Successful exploitation of the vulnerability results in 
software and system process compromise or 
execution of local system specific commands/path.

Vulnerable File(s):
                                [+] InstallWorkspace.exe

Vulnerable Module(s):
                                [+] Setup Master Password

Vulnerable Parameter(s):
                                [+] Master Password

Affected Module(s):
                                [+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend 
Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to 
implement/inject malicious script code on 
application side (persistent) of the software.

The persistent web vulnerability is located in the direct-pass check module 
when processing to list a manipulated master password. 
In step one injects a malicious iframe in the hidden fields as master password. 
The inserted context will be saved and the execution 
will be in the next step when processing to list the master password context in 
the last check module. To bypass the validation the 
and execute the injected script code the attacker needs to split (%20) the 
input request.

Exploitation of the vulnerability requires medium user interaction and a low 
privilege system user account with direct-pass.
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), persistent phishing, 
persistent external redirects to malware or scam and persistent web context 
manipulation of the affected vulnerable module.

Vulnerable File(s):
                                [+] InstallWorkspace.exe

Vulnerable Module(s):
                                [+] Setup Master Password

Vulnerable Parameter(s):
                                [+] Master Password

Affected Module(s):
                                [+] Check Listing (Master Password) 



1.3
A critical pointer vulnerability (DoS) is detected in the official Trend Micro 
DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to crash 
the software via pointer vulnerability.

The pointer vulnerability is also located in the direct-pass master password 
listing section. Attackers can inject scripts with 
loops  to mouse-over multiple times the hidden password check listing of the 
master password. The result is a stable cash down 
of the InstallWorkspace.exe. The problem occurs in the libcef.dll 
(1.1.0.1044)of the trend micro direct-pass software core.

Exploitation of the vulnerability requires medium user interaction and a low 
privilege system user account with direct-pass.
Successful exploitation of the denial of service vulnerability can lead to a 
software core crash and also stable software module hangups.

Vulnerable File(s):
                                [+] InstallWorkspace.exe

Vulnerable Library:
                                [+] libcef.dll (Dynamic Link Library)

Vulnerable Module(s):
                                [+] Check Listing (Master Password) 

Vulnerable Parameter(s):
                                [+] Master Password


Proof of Concept:
=================
1.1
The code injection vulnerability can be exploited by local attackers with 
privileged system user account and medium or high user interaction. 
For demonstration or reproduce ...

PoC:
B%20>">../;'[COMMAND|PATH INJECT!]>
Example Path: C:\Users\BKM\TrendMicro DirectPass

Note: The bug allows attackers to request local restricted folders with the 
system software privileges to manipulate software files and the 
bound dynamic link libraries.


1.2
The persistent script code inject vulnerability can be exploited by local 
attackers with privileged system user account and medium 
or high user interaction. For demonstration or reproduce ...

PoC: (Input)
B%20>"<iframe src=a>[PERSISTENT SCRIPT CODE!]

Note: The master password is restricted to 20 chars per field on insert. The 
execution of persistent injected frames works also with external source.


1.3
The pointer (DoS) vulnerability can be exploited by local attackers with 
privileged system user account and low, medium or high user interaction.
For demonstration or reproduce ...

Path:                   C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI
Dynamic Link Library:   libcef.dll

PoC: (Input)
%20%000000---%000%20

Note: The string crashs the master password check review module and the 
installworkspace.exe software process via null pointer (Dos) bug.
The reproduce of the vulnerability can result in a permanent denial of service 
when the context is saved in the first instance and the save 
has been canceled.

Critical Note: When i was checking the section i was thinking about how to use 
the injected code in the section to get access to the stored password.
I was processing to load my debugger and attached it to the process when the 
request was sucessful and saved the address.
After it i reproduced the same request with attached debugger and exploited the 
issue in the local cloud software mask.
Then i was reviewing the changes and was able to use the injected frame test to 
see the location of the memory in the debugger. 
By processing to inject more and more context i was able to see were the 
location of the password in the memory has been stored when the software 
is processing to redisplay the saved temp password. Since today i have never 
seen this kind of method in any book or paper but i am sure i will 
soon write about the incident.


Solution:
=========
Both vulnerabilities can be patched by a secure parse or encode of the master 
password listing in the master password check module of the software.
Filter and parse the master password and description security tip input fields.
For the denial of service issue is no solution available yet but the fixes will 
prevent the manually exploitation of the issue.


Note: The update is available from the update-server since the 12th may but 
trend micro says it was the 9th may.
On the 18th we downloaded again the main software direct-pass and tested the 
core without an update and it was still vulnerable.
To fix the issue in the software an update from the update-server  is required 
after the install.


Risk:
=====
1.1
The security risk of the local command/path injection software vulnerability in 
the directpass software core is estimated as high(-).

1.2
The security risk of the persistent scirpt code inject vulnerability is 
estimated as medium(+).

1.3
The security risk of the pointer (DoS) software vulnerability is estimated as 
medium(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxxxxxx)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - support@xxxxxxxxxxxxxxxxxxxxx 
               - research@xxxxxxxxxxxxxxxxxxxxx
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                        Copyright © 2013 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Prev by Date: Re: [Full-disclosure] exploitation ideas under memory pressure
Next by Date: [Full-disclosure] Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Previous by thread: [Full-disclosure] Critical issues affecting multiple game engines
Next by thread: [Full-disclosure] Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Index(es):
- Date
- Thread