Title:
======
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
Date:
=====
2013-05-21
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894
Article: http://www.vulnerability-lab.com/dev/?p=580
Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805
Video: http://www.vulnerability-lab.com/get_content.php?id=951
VL-ID:
=====
894
Common Vulnerability Scoring System:
====================================
6.1
Introduction:
=============
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to
remember one password. Other features include: Keystroke encryption, secure password generation, automatic
form-filling, confidential notes, and a secure browser.
Convenience - You can securely and easily manage passwords for numerous online accounts with just one
password and automatically login to your websites with one click. More Security - You get an extra layer of
online security with a specially designed browser for online banking and financial websites and protection
from keylogging malware. No Hassles – You don’t have to be technical wizard to benefit from this password
service, it’s simple to use. Confidence – You can have peace-of-mind using a password service provided by
an Internet security provider with 20+ years of experience. All Your Devices – You can use DirectPass
password manager on Windows PCs, Android mobile, Android Tablet, iPads and iPhones, and all devices are
automatically encrypted and synchronized using the cloud
(Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software.
Report-Timeline:
================
2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Trend Micro
Product: DirectPass 1.5.0.1060
Exploitation-Technique:
=======================
Local
Severity:
=========
High
Details:
========
1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The vulnerability allows local low privileged system user accounts to inject system specific commands or local
path requests to compromise the software.
The vulnerability is located in the direct-pass master password setup module of the Trend Micro InstallWorkspace.exe file.
The master password module of the software allows users to review the included password in the secound step for security
reason. The hidden protected master password will only be visible in the check module when the customer is processing to
mouse-over onto the censored password field. When the software is processing to display the hidden password in plain the
command/path injection will be executed out of the not parsed master password context in in the field listing.
Exploitation of the vulnerability requires a low privilege system user account with direct-pass access and low or medium
user interaction. Successful exploitation of the vulnerability results in software and system process compromise or
execution of local system specific commands/path.
Vulnerable File(s):
[+] InstallWorkspace.exe
Vulnerable Module(s):
[+] Setup Master Password
Vulnerable Parameter(s):
[+] Master Password
Affected Module(s):
[+] Check Listing (Master Password)
1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to implement/inject malicious script code on
application side (persistent) of the software.
The persistent web vulnerability is located in the direct-pass check module when processing to list a manipulated master password.
In step one injects a malicious iframe in the hidden fields as master password. The inserted context will be saved and the execution
will be in the next step when processing to list the master password context in the last check module. To bypass the validation the
and execute the injected script code the attacker needs to split (%20) the input request.
Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing,
persistent external redirects to malware or scam and persistent web context manipulation of the affected vulnerable module.
Vulnerable File(s):
[+] InstallWorkspace.exe
Vulnerable Module(s):
[+] Setup Master Password
Vulnerable Parameter(s):
[+] Master Password
Affected Module(s):
[+] Check Listing (Master Password)
1.3
A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to crash the software via pointer vulnerability.
The pointer vulnerability is also located in the direct-pass master password listing section. Attackers can inject scripts with
loops to mouse-over multiple times the hidden password check listing of the master password. The result is a stable cash down
of the InstallWorkspace.exe. The problem occurs in the libcef.dll (1.1.0.1044)of the trend micro direct-pass software core.
Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with direct-pass.
Successful exploitation of the denial of service vulnerability can lead to a software core crash and also stable software module hangups.
Vulnerable File(s):
[+] InstallWorkspace.exe
Vulnerable Library:
[+] libcef.dll (Dynamic Link Library)
Vulnerable Module(s):
[+] Check Listing (Master Password)
Vulnerable Parameter(s):
[+] Master Password
1.1 - 1.3
Product/Version:
[+] Trend Micro DirectPass - All
Affected OS:
[+] Windows - 7 32-bit, 7 64-bit
[+] Windows 8 32-bit & 64-bit + RT
[+] Vista 32-bit & Vista 64-bit
[+] XP Home & XP Professional
Proof of Concept:
=================
1.1
The code injection vulnerability can be exploited by local attackers with privileged system user account and medium or high user interaction.
For demonstration or reproduce ...
PoC:
B%20>">../;'[COMMAND|PATH INJECT!]>
Example Path: C:\Users\BKM\TrendMicro DirectPass
Note: The bug allows attackers to request local restricted folders with the system software privileges to manipulate software files and the
bound dynamic link libraries.
1.2
The persistent script code inject vulnerability can be exploited by local attackers with privileged system user account and medium
or high user interaction. For demonstration or reproduce ...
PoC: (Input)
B%20>"<iframe src=a>[PERSISTENT SCRIPT CODE!]
Note: The master password is restricted to 20 chars per field on insert. The execution of persistent injected frames works also with external source.
1.3
The pointer (DoS) vulnerability can be exploited by local attackers with privileged system user account and low, medium or high user interaction.
For demonstration or reproduce ...
Path: C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI
Dynamic Link Library: libcef.dll
PoC: (Input)
%20%000000---%000%20
Note: The string crashs the master password check review module and the installworkspace.exe software process via null pointer (Dos) bug.
The reproduce of the vulnerability can result in a permanent denial of service when the context is saved in the first instance and the save
has been canceled.
Critical Note: When i was checking the section i was thinking about how to use the injected code in the section to get access to the stored password.
I was processing to load my debugger and attached it to the process when the request was sucessful and saved the address.
After it i reproduced the same request with attached debugger and exploited the issue in the local cloud software mask.
Then i was reviewing the changes and was able to use the injected frame test to see the location of the memory in the debugger.
By processing to inject more and more context i was able to see were the location of the password in the memory has been stored when the software
is processing to redisplay the saved temp password. Since today i have never seen this kind of method in any book or paper but i am sure i will
soon write about the incident.
Solution:
=========
Both vulnerabilities can be patched by a secure parse or encode of the master password listing in the master password check module of the software.
Filter and parse the master password and description security tip input fields.
For the denial of service issue is no solution available yet but the fixes will prevent the manually exploitation of the issue.
Note: The update is available from the update-server since the 12th may but trend micro says it was the 9th may.
On the 18th we downloaded again the main software direct-pass and tested the core without an update and it was still vulnerable.
To fix the issue in the software an update from the update-server is required after the install.
Risk:
=====
1.1
The security risk of the local command/path injection software vulnerability in the directpass software core is estimated as high(-).
1.2
The security risk of the persistent scirpt code inject vulnerability is estimated as medium(+).
1.3
The security risk of the pointer (DoS) software vulnerability is estimated as medium(-).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com