Trend Micro Products
Multiple Local Privilege Escalation Vulnerabilities
Discovered by: R Santamarta <ruben (AT) reversemode (DOT) com>
Affected products:
Client / Server / Messaging Security for SMB 3.5
PC-cillin Internet Security - 2007, Trend Micro AntiVirus 2007
Trend Micro Anti-Spyware for SMB 3.2
Trend Micro Anti-Spyware for Enterprise 3.0
Trend Micro Anti-Spyware for Consumer - 3.5
TmComm.sys is exposed through the DOS device \\.\TmComm. Any logged-on
user can take advantage of the weak permissions applied to this device in
order to execute arbitrary code with elevated privileges.
DosDevice: \\.\TmComm
Driver: tmcomm.sys Version: 1.5.0.1052
.data:0001BE24 dd 9000402Bh ; ICTL #1
.data:0001BE28 dd offset sub_134B8 ; local dispatcher #1
.data:0001BE2C dd 9000402Fh ; ICTL #2
.data:0001BE30 dd offset sub_1352C ; local dispatcher #2
.data:0001BE34 dd 90004027h ; ICTL #3
.data:0001BE38 dd offset sub_135A0 ; local dispatcher #3
.data:0001BE3C dd 0FFFFFFFFh ; Table End
Each ICTL has an associated internal command table, e.g. local dispatcher
routine #1 (ICTL 0x9000402B):
.text:000134D9 cmp dword ptr [ecx], 4Ch ; Input Buffer length
.text:000134DC jnz short loc_1351B
.text:000134DE cmp dword ptr [ecx+4], 4Ch ; Buffer length
.text:000134E2 jnz short loc_1351B
.text:000134E4 xor ecx, ecx
.text:000134E6 cmp off_1BEDC, ecx
.text:000134EC jz short loc_13520
.text:000134EE mov edx, [esi] ; int
.text:000134F0 loc_134F0: ; CODE XREF: sub_134B8+54#j
.text:000134F0 cmp dword_1BED8[ecx*8], edx
.text:000134F7 jnz short loc_13503
.text:000134F9 cmp off_1BEDC[ecx*8], 0
.text:00013501 jnz short loc_13510
.text:00013503 loc_13503: ; CODE XREF: sub_134B8+3F#j
.text:00013503 inc ecx ; InternalCommandIndex
.text:00013504 cmp off_1BEDC[ecx*8], 0
.text:0001350C jnz short loc_134F0
.text:0001350E jmp short loc_13520
.text:00013510 ;
.text:00013510
.text:00013510 loc_13510: ; CODE XREF: sub_134B8+49#j
.text:00013510 push edi ; int
.text:00013511 push esi ; int
.text:00013512 call off_1BEDC[ecx*8] ; ICTL_1[InternalCommandIndex*8]
Let's look at the table:
.data:0001BED8 dd 2713h ; Internal Command Code #1.1
.data:0001BEDC dd offset sub_13456 ; Routine Associated #1.1
.data:0001BEE0 dd 2711h
.data:0001BEE4 dd offset dword_13320+2
.data:0001BEE8 dd 2710h
.data:0001BEEC dd offset sub_13288
.data:0001BEF0 dd 2712h
.data:0001BEF4 dd offset sub_133BE
.data:0001BEF8 dd 0FFFFFFFFh ; Table End
These ICTLs are defined with METHOD_NEITHER, so the driver receives raw
user-mode pointers; since it does not validate (probe) any pointer embedded
within the user-mode buffers, there are dozens of ways to execute arbitrary
code in Ring 0.
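The following is a constructed user-mode model of the ICTL 0x9000402B dispatch path shown above, added here and not tmcomm.sys code: it reproduces the two 0x4C length checks and the sentinel-terminated command table, and adds the embedded-pointer probe the driver omits. The request layout, the user/kernel boundary value and the handler bodies are assumptions.

```c
/* Constructed model of the 0x9000402B dispatcher; not tmcomm.sys code. Request
 * layout, MODEL_USER_LIMIT and the handler bodies are assumptions for the model. */
#include <stdint.h>
#include <stddef.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_NOT_IMPLEMENTED   0xC0000002u
#define STATUS_ACCESS_VIOLATION  0xC0000005u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define TMCOMM_BUFFER_LEN        0x4Cu        /* both length checks in the listing */
#define MODEL_USER_LIMIT         0x7FFF0000u  /* stand-in for MmUserProbeAddress (x86) */

typedef struct {
    uint32_t command;   /* internal command code, 0x2710..0x2713 in the table */
    uint32_t user_ptr;  /* assumed: a pointer a handler would dereference */
    uint32_t user_len;  /* assumed: byte count behind user_ptr */
    uint8_t  payload[TMCOMM_BUFFER_LEN - 12];
} tmcomm_request_t;

typedef uint32_t (*cmd_handler_t)(const tmcomm_request_t *req);

/* Model of ProbeForRead: the whole range must lie below the user/kernel boundary.
 * A real driver does this inside __try/__except, on a captured copy of the buffer. */
static int probe_user_range(uint32_t addr, uint32_t len) {
    if (len == 0) return 1;
    if (addr + len < addr) return 0;            /* wrap-around */
    return addr + len <= MODEL_USER_LIMIT;
}

static uint32_t cmd_noop(const tmcomm_request_t *req) { (void)req; return STATUS_SUCCESS; }

/* Same shape as the table at 0001BED8: (code, routine) pairs, NULL routine ends it. */
static const struct { uint32_t code; cmd_handler_t fn; } cmd_table[] = {
    { 0x2713, cmd_noop }, { 0x2711, cmd_noop }, { 0x2710, cmd_noop }, { 0x2712, cmd_noop },
    { 0xFFFFFFFFu, NULL }
};

uint32_t tmcomm_dispatch(const tmcomm_request_t *req, uint32_t in_len, uint32_t out_len) {
    if (in_len != TMCOMM_BUFFER_LEN || out_len != TMCOMM_BUFFER_LEN)  /* 000134D9, 000134DE */
        return STATUS_INVALID_PARAMETER;
    /* The step the driver omits: METHOD_NEITHER hands over raw user pointers, so every
     * embedded pointer must be probed before any handler touches it. */
    if (!probe_user_range(req->user_ptr, req->user_len))
        return STATUS_ACCESS_VIOLATION;
    for (size_t i = 0; cmd_table[i].fn != NULL; i++)   /* loop at loc_134F0 */
        if (cmd_table[i].code == req->command)
            return cmd_table[i].fn(req);
    return STATUS_NOT_IMPLEMENTED;                      /* no match: loc_13520 */
}

/* Builds one request so a caller can exercise the dispatcher with plain values. */
uint32_t dispatch_request(uint32_t cmd, uint32_t ptr, uint32_t len, uint32_t in_len, uint32_t out_len) {
    tmcomm_request_t req = { .command = cmd, .user_ptr = ptr, .user_len = len };
    return tmcomm_dispatch(&req, in_len, out_len);
}
```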
Exploits:
No exploits are released. Ethical security companies can request samples
by contacting: contact (AT) reversemode (DOT) com