Vulnerability-Lab( Trend Micro DirectPass-SA-05/21/2013 - May 21 2013 12:00AM )
Title:
------
Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities
Date:
-----
2013-05-21
References:
-----------
http://www.vulnerability-lab.com/get_content.php?id-894
Article: http://www.vulnerability-lab.com/dev/?p-580
Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805
Video: http://www.vulnerability-lab.com/get_content.php?id-951
VL-ID:
-----
894
Common Vulnerability Scoring System:
------------------------------------
6.1
Introduction:
-------------
Trend Micro DirectPass manages website passwords and login IDs in one secure location, so you only need to
remember one password. Other features include: Keystroke encryption, secure password generation, automatic
form-filling, confidential notes, and a secure browser.
Convenience - You can securely and easily manage passwords for numerous online accounts with just one
password and automatically login to your websites with one click. More Security - You get an extra layer of
online security with a specially designed browser for online banking and financial websites and protection
from keylogging malware. No Hassles You dont have to be technical wizard to benefit from this password
service, its simple to use. Confidence You can have peace-of-mind using a password service provided by
an Internet security provider with 20+ years of experience. All Your Devices You can use DirectPass
password manager on Windows PCs, Android mobile, Android Tablet, iPads and iPhones, and all devices are
automatically encrypted and synchronized using the cloud
(Copy of the Vendor Homepage: http://www.trendmicro.com/us/home/products/directpass/index.html )
Abstract:
---------
The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro
DirectPass v1.5.0.1060 Software.
Report-Timeline:
----------------
2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)
Status:
--------
Published
Affected Products:
------------------
Trend Micro
Product: DirectPass 1.5.0.1060
Exploitation-Technique:
-----------------------
Local
Severity:
---------
High
Details:
--------
1.1
A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The vulnerability allows local low privileged system user accounts to inject system specific commands or local
path requests to compromise the software.
The vulnerability is located in the direct-pass master password setup module of the Trend Micro InstallWorkspace.exe
file.
The master password module of the software allows users to review the included password in the secound step for
security
reason. The hidden protected master password will only be visible in the check module when the customer is processing
to
mouse-over onto the censored password field. When the software is processing to display the hidden password in plain
the
command/path injection will be executed out of the not parsed master password context in in the field listing.
Exploitation of the vulnerability requires a low privilege system user account with direct-pass access and low or
medium
user interaction. Successful exploitation of the vulnerability results in software and system process compromise or
execution of local system specific commands/path.
Vulnerable File(s):
[+] InstallWorkspace.exe
Vulnerable Module(s):
[+] Setup Master Password
Vulnerable Parameter(s):
[+] Master Password
Affected Module(s):
[+] Check Listing (Master Password)
1.2
A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to implement/inject malicious script code on
application side (persistent) of the software.
The persistent web vulnerability is located in the direct-pass check module when processing to list a manipulated
master password.
In step one injects a malicious iframe in the hidden fields as master password. The inserted context will be saved and
the execution
will be in the next step when processing to list the master password context in the last check module. To bypass the
validation the
and execute the injected script code the attacker needs to split (%20) the input request.
Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with
direct-pass.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing,
persistent external redirects to malware or scam and persistent web context manipulation of the affected vulnerable
module.
Vulnerable File(s):
[+] InstallWorkspace.exe
Vulnerable Module(s):
[+] Setup Master Password
Vulnerable Parameter(s):
[+] Master Password
Affected Module(s):
[+] Check Listing (Master Password)
1.3
A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with low privileged system user account to crash the software via pointer vulnerability.
The pointer vulnerability is also located in the direct-pass master password listing section. Attackers can inject
scripts with
loops to mouse-over multiple times the hidden password check listing of the master password. The result is a stable
cash down
of the InstallWorkspace.exe. The problem occurs in the libcef.dll (1.1.0.1044)of the trend micro direct-pass software
core.
Exploitation of the vulnerability requires medium user interaction and a low privilege system user account with
direct-pass.
Successful exploitation of the denial of service vulnerability can lead to a software core crash and also stable
software module hangups.
Vulnerable File(s):
[+] InstallWorkspace.exe
Vulnerable Library:
[+] libcef.dll (Dynamic Link Library)
Vulnerable Module(s):
[+] Check Listing (Master Password)
Vulnerable Parameter(s):
[+] Master Password
Proof of Concept:
-----------------
1.1
The code injection vulnerability can be exploited by local attackers with privileged system user account and medium or
high user interaction.
For demonstration or reproduce …
PoC:
B%20>”>../;’[COMMAND|PATH INJECT!]>
Example Path: C:\Users\BKM\TrendMicro DirectPass
Note: The bug allows attackers to request local restricted folders with the system software privileges to manipulate
software files and the
bound dynamic link libraries.
1.2
The persistent script code inject vulnerability can be exploited by local attackers with privileged system user account
and medium
or high user interaction. For demonstration or reproduce …
PoC: (Input)
B%20>”<iframe src-a>[PERSISTENT SCRIPT CODE!]
Note: The master password is restricted to 20 chars per field on insert. The execution of persistent injected frames
works also with external source.
1.3
The pointer (DoS) vulnerability can be exploited by local attackers with privileged system user account and low, medium
or high user interaction.
For demonstration or reproduce …
Path: C:\Downloadz\TrendMicro_DP_MUI_Download\Package\Share\UI
Dynamic Link Library: libcef.dll
PoC: (Input)
%20%000000---%000%20
Note: The string crashs the master password check review module and the installworkspace.exe software process via null
pointer (Dos) bug.
The reproduce of the vulnerability can result in a permanent denial of service when the context is saved in the first
instance and the save
has been canceled.
Critical Note: When i was checking the section i was thinking about how to use the injected code in the section to get
access to the stored password.
I was processing to load my debugger and attached it to the process when the request was sucessful and saved the
address.
After it i reproduced the same request with attached debugger and exploited the issue in the local cloud software mask.
Then i was reviewing the changes and was able to use the injected frame test to see the location of the memory in the
debugger.
By processing to inject more and more context i was able to see were the location of the password in the memory has
been stored when the software
is processing to redisplay the saved temp password. Since today i have never seen this kind of method in any book or
paper but i am sure i will
soon write about the incident.
Solution:
---------
Both vulnerabilities can be patched by a secure parse or encode of the master password listing in the master password
check module of the software.
Filter and parse the master password and description security tip input fields.
For the denial of service issue is no solution available yet but the fixes will prevent the manually exploitation of
the issue.
Note: The update is available from the update-server since the 12th may but trend micro says it was the 9th may.
On the 18th we downloaded again the main software direct-pass and tested the core without an update and it was still
vulnerable.
To fix the issue in the software an update from the update-server is required after the install.
Risk:
-----
1.1
The security risk of the local command/path injection software vulnerability in the directpass software core is
estimated as high(-).
1.2
The security risk of the persistent scirpt code inject vulnerability is estimated as medium(+).
1.3
The security risk of the pointer (DoS) software vulnerability is estimated as medium(-).
Credits:
--------
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com)
Disclaimer:
-----------
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all
warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss
of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such
damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack
into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com -
www.vulnerability-lab.com/register
Contact: admin () vulnerability-lab com - support () vulnerability-lab com - research ()
vulnerability-lab com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com -
news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the
use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code,
videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record,
list (feed),
modify, use or edit our material contact (admin () vulnerability-lab com or support () vulnerability-lab com) to get a
permission.
Copyright 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research () vulnerability-lab com
