Title: ====== Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
Date: ===== 2013-05-21 References: =========== http://www.vulnerability-lab.com/get_content.php?id=894 Article: http://www.vulnerability-lab.com/dev/?p=580 Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx Trend Micro Solution ID: 1096805 Video: http://www.vulnerability-lab.com/get_content.php?id=951 VL-ID: ===== 894 Common Vulnerability Scoring System: ==================================== 6.1 Introduction: ============= Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to remember one password. Other features include: Keystroke encryption, secure password generation, automatic form-filling, confidential notes, and a secure browser. Convenience - You can securely and easily manage passwords for numerous online accounts with just one password and automatically login to your websites with one click. More Security - You get an extra layer of online security with a specially designed browser for online banking and financial websites and protection from keylogging malware. No Hassles – You don’t have to be technical wizard to benefit from this password service, it’s simple to use. Confidence – You can have peace-of-mind using a password service provided by an Internet security provider with 20+ years of experience. All Your Devices – You can use DirectPass password manager on Windows PCs, Android mobile, Android Tablet, iPads and iPhones, and all devices are automatically encrypted and synchronized using the cloud (Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html ) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software. Report-Timeline: ================ 2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2013-03-09: Vendor Notification (Trend Micro - Security Team) 2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.) 2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server) 2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID & Announcement) 2013-05-21: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Trend Micro Product: DirectPass 1.5.0.1060 Exploitation-Technique: ======================= Local Severity: ========= High Details: ======== 1.1 A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software. The vulnerability allows local low privileged system user accounts to inject system specific commands or local path requests to compromise the software. The vulnerability is located in the direct-pass master password setup module of the Trend Micro InstallWorkspace.exe file. The master password module of the software allows users to review the included password in the secound step for security reason. The hidden protected master password will only be visible in the check module when the customer is processing to mouse-over onto the censored password field. When the software is processing to display the hidden password in plain the command/path injection will be executed out of the not parsed master password context in in the field listing. Exploitation of the vulnerability requires a low privilege system user account with direct-pass access and low or medium user interaction. Successful exploitation of the vulnerability results in software and system process compromise or execution of local system specific commands/path. Vulnerable File(s): [+] InstallWorkspace.exe Vulnerable Module(s): [+] Setup Master Password Vulnerable Parameter(s): [+] Master Password Affected Module(s): [+] Check Listing (Master Password) 1.2 A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software. The bug allows local attackers with low privileged system user account to implement/inject malicious script code on application side (persistent) of the software. The persistent web vulnerability is located in the direct-pass check module when processing to list a manipulated master password. In step one injects a malicious iframe in the hidden fields as master password. The inserted context will be saved and the execution will be in the next step when processing to list the master password context in the last check module. To bypass the validation the and execute the injected script code the attacker needs to split (%20) the input request. Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing, persistent external redirects to malware or scam and persistent web context manipulation of the affected vulnerable module. Vulnerable File(s): [+] InstallWorkspace.exe Vulnerable Module(s): [+] Setup Master Password Vulnerable Parameter(s): [+] Master Password Affected Module(s): [+] Check Listing (Master Password) 1.3 A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 Software. The bug allows local attackers with low privileged system user account to crash the software via pointer vulnerability. The pointer vulnerability is also located in the direct-pass master password listing section. Attackers can inject scripts with loops to mouse-over multiple times the hidden password check listing of the master password. The result is a stable cash down of the InstallWorkspace.exe. The problem occurs in the libcef.dll (1.1.0.1044)of the trend micro direct-pass software core. Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass. Successful exploitation of the denial of service vulnerability can lead to a software core crash and also stable software module hangups. Vulnerable File(s): [+] InstallWorkspace.exe Vulnerable Library: [+] libcef.dll (Dynamic Link Library) Vulnerable Module(s): [+] Check Listing (Master Password) Vulnerable Parameter(s): [+] Master Password 1.1 - 1.3 Product/Version: [+] Trend Micro DirectPass - All Affected OS: [+] Windows - 7 32-bit, 7 64-bit [+] Windows 8 32-bit & 64-bit + RT [+] Vista 32-bit & Vista 64-bit [+] XP Home & XP Professional Proof of Concept: ================= 1.1 The code injection vulnerability can be exploited by local attackers with privileged system user account and medium or high user interaction. For demonstration or reproduce ... PoC: B%20>">../;'[COMMAND|PATH INJECT!]> Example Path: C:\Users\BKM\TrendMicro DirectPass Note: The bug allows attackers to request local restricted folders with the system software privileges to manipulate software files and the bound dynamic link libraries. 1.2 The persistent script code inject vulnerability can be exploited by local attackers with privileged system user account and medium or high user interaction. For demonstration or reproduce ... PoC: (Input) B%20>"<iframe src=a>[PERSISTENT SCRIPT CODE!] Note: The master password is restricted to 20 chars per field on insert. The execution of persistent injected frames works also with external source. 1.3 The pointer (DoS) vulnerability can be exploited by local attackers with privileged system user account and low, medium or high user interaction. For demonstration or reproduce ... Path: C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI Dynamic Link Library: libcef.dll PoC: (Input) %20%000000---%000%20 Note: The string crashs the master password check review module and the installworkspace.exe software process via null pointer (Dos) bug. The reproduce of the vulnerability can result in a permanent denial of service when the context is saved in the first instance and the save has been canceled. Critical Note: When i was checking the section i was thinking about how to use the injected code in the section to get access to the stored password. I was processing to load my debugger and attached it to the process when the request was sucessful and saved the address. After it i reproduced the same request with attached debugger and exploited the issue in the local cloud software mask. Then i was reviewing the changes and was able to use the injected frame test to see the location of the memory in the debugger. By processing to inject more and more context i was able to see were the location of the password in the memory has been stored when the software is processing to redisplay the saved temp password. Since today i have never seen this kind of method in any book or paper but i am sure i will soon write about the incident. Solution: ========= Both vulnerabilities can be patched by a secure parse or encode of the master password listing in the master password check module of the software. Filter and parse the master password and description security tip input fields. For the denial of service issue is no solution available yet but the fixes will prevent the manually exploitation of the issue. Note: The update is available from the update-server since the 12th may but trend micro says it was the 9th may. On the 18th we downloaded again the main software direct-pass and tested the core without an update and it was still vulnerable. To fix the issue in the software an update from the update-server is required after the install. Risk: ===== 1.1 The security risk of the local command/path injection software vulnerability in the directpass software core is estimated as high(-). 1.2 The security risk of the persistent scirpt code inject vulnerability is estimated as medium(+). 1.3 The security risk of the pointer (DoS) software vulnerability is estimated as medium(-). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-lab.com or supp...@vulnerability-lab.com) to get a permission. Copyright © 2013 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: resea...@vulnerability-lab.com
