Trend Micro Products Multiple Local Privilege Escalation Vulnerabilities

Discovered by: Rubén Santamarta <ruben@xxxxxxxxxxxxxxx>

Affected products:
  - Client / Server / Messaging Security for SMB - 3.5
  - PC-cillin Internet Security - 2007
  - Trend Micro AntiVirus - 2007
  - Trend Micro Anti-Spyware for SMB - 3.2
  - Trend Micro Anti-Spyware for Enterprise - 3.0
  - Trend Micro Anti-Spyware for Consumer - 3.5

TmComm.sys is exposed through the following DOS device: "\\.\TmComm". Any logged-on user can take advantage of the weak permissions applied to this device in order to execute arbitrary code with elevated privileges.

DosDevice: \\.\TmComm
Driver:    tmcomm.sys
Version:   1.5.0.1052

IOCTL dispatch table:

.data:0001BE24 dd 9000402Bh        ; IOCTL #1
.data:0001BE28 dd offset sub_134B8 ; local dispatcher #1
.data:0001BE2C dd 9000402Fh        ; IOCTL #2
.data:0001BE30 dd offset sub_1352C ; local dispatcher #2
.data:0001BE34 dd 90004027h        ; IOCTL #3
.data:0001BE38 dd offset sub_135A0 ; local dispatcher #3
.data:0001BE3C dd 0FFFFFFFFh       ; Table End

Each IOCTL has an internal command table associated with it. For example, local dispatcher routine #1 (IOCTL 0x9000402B):

.text:000134D9 cmp     dword ptr [ecx], 4Ch   ; Input Buffer length
.text:000134DC jnz     short loc_1351B
.text:000134DE cmp     dword ptr [ecx+4], 4Ch ; Output Buffer length
.text:000134E2 jnz     short loc_1351B
.text:000134E4 xor     ecx, ecx
.text:000134E6 cmp     off_1BEDC, ecx
.text:000134EC jz      short loc_13520
.text:000134EE mov     edx, [esi]             ; int
.text:000134F0
.text:000134F0 loc_134F0:                     ; CODE XREF: sub_134B8+54#j
.text:000134F0 cmp     dword_1BED8[ecx*8], edx
.text:000134F7 jnz     short loc_13503
.text:000134F9 cmp     off_1BEDC[ecx*8], 0
.text:00013501 jnz     short loc_13510
.text:00013503
.text:00013503 loc_13503:                     ; CODE XREF: sub_134B8+3F#j
.text:00013503 inc     ecx                    ; InternalCommandIndex
.text:00013504 cmp     off_1BEDC[ecx*8], 0
.text:0001350C jnz     short loc_134F0
.text:0001350E jmp     short loc_13520
.text:00013510 ; ---------------------------------------------------------------------------
.text:00013510
.text:00013510 loc_13510:                     ; CODE XREF: sub_134B8+49#j
.text:00013510 push    edi                    ; int
.text:00013511 push    esi                    ; int
.text:00013512 call    off_1BEDC[ecx*8]       ; IOCTL_1[InternalCommandIndex*8]

The internal command table for IOCTL #1:

.data:0001BED8 dd 2713h              ; Internal Command Code #1.1
.data:0001BEDC dd offset sub_13456   ; Routine Associated #1.1
.data:0001BEE0 dd 2711h              ; ...
.data:0001BEE4 dd offset dword_13320+2
.data:0001BEE8 dd 2710h
.data:0001BEEC dd offset sub_13288
.data:0001BEF0 dd 2712h
.data:0001BEF4 dd offset sub_133BE
.data:0001BEF8 dd 0FFFFFFFFh         ; Table End

These IOCTLs use METHOD_NEITHER. Since the driver does not validate any pointer embedded within the user-mode buffers, there are dozens of ways to execute arbitrary code in ring 0.

Exploits: No exploits are released.
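The following is an added example, not code from the advisory or from Trend Micro: a user-mode C model of the dispatch path shown in the listings above. It reproduces the two-level table lookup (IOCTL code, then internal command code, walking until the routine slot is 0) and places the driver's length-only check next to a hardened check that also probes the caller-supplied buffer addresses the way ProbeForRead/ProbeForWrite do. The handler bodies, the request structure, the function names and the MmUserProbeAddress value (0x7FFF0000, the 32-bit Windows user-space bound) are assumptions of this model; the IOCTL code, the 0x4C lengths and the command codes come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Handler shape assumed for this model: the driver pushes edi and esi and
   calls off_1BEDC[index*8], i.e. two integer-sized arguments. */
typedef int (*cmd_handler_t)(uintptr_t in, uintptr_t out);

struct table_entry {
    uint32_t      code;     /* IOCTL code or internal command code */
    cmd_handler_t routine;  /* NULL ends the table, matching the driver's
                               "cmp off_1BEDC[ecx*8], 0" loop exit */
};

/* Values taken from the advisory's listings. */
#define IOCTL_TMCOMM_1     0x9000402Bu
#define EXPECTED_BUF_LEN   0x4Cu

/* Upper bound of user-mode address space on 32-bit Windows
   (MmUserProbeAddress); assumed constant for this stand-alone model. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Stand-in handlers: they only report which command ran and never touch the
   buffers, so unprobed addresses reaching them are harmless in this model. */
static int cmd_2713(uintptr_t in, uintptr_t out) { (void)in; (void)out; return 0x2713; }
static int cmd_2711(uintptr_t in, uintptr_t out) { (void)in; (void)out; return 0x2711; }
static int cmd_2710(uintptr_t in, uintptr_t out) { (void)in; (void)out; return 0x2710; }
static int cmd_2712(uintptr_t in, uintptr_t out) { (void)in; (void)out; return 0x2712; }

/* Internal command table of IOCTL #1, in the order of the .data dump. */
static const struct table_entry internal_cmds_ioctl1[] = {
    { 0x2713u, cmd_2713 },
    { 0x2711u, cmd_2711 },
    { 0x2710u, cmd_2710 },
    { 0x2712u, cmd_2712 },
    { 0xFFFFFFFFu, NULL },   /* table end */
};

/* Replicates the loop at loc_134F0: walk entries until the routine slot is
   0 and return the routine whose code matches, or NULL. */
static cmd_handler_t lookup_command(const struct table_entry *t, uint32_t code)
{
    for (size_t i = 0; t[i].routine != NULL; i++)
        if (t[i].code == code)
            return t[i].routine;
    return NULL;
}

/* A METHOD_NEITHER request as the I/O manager hands it over: raw caller
   addresses and lengths, nothing copied or probed on the driver's behalf. */
struct neither_request {
    uint32_t  in_len;    /* [ecx]   in the listing */
    uint32_t  out_len;   /* [ecx+4] in the listing */
    uintptr_t in_ptr;    /* caller-supplied address of the input buffer */
    uintptr_t out_ptr;   /* caller-supplied address of the output buffer */
    uint32_t  command;   /* first dword of the input buffer, [esi] */
};

/* What the listing does: compare both lengths against 0x4C and nothing else. */
static int original_check(const struct neither_request *r)
{
    return r->in_len == EXPECTED_BUF_LEN && r->out_len == EXPECTED_BUF_LEN;
}

/* Model of ProbeForRead/ProbeForWrite: [addr, addr+len) must lie entirely
   below MmUserProbeAddress and must not wrap around. */
int probe_user_range(uintptr_t addr, uint32_t len)
{
    if (len == 0)
        return 1;
    if (addr > USER_PROBE_ADDRESS || len > USER_PROBE_ADDRESS - addr)
        return 0;
    return 1;
}

/* The missing step: probe both caller-supplied buffers before trusting them. */
static int hardened_check(const struct neither_request *r)
{
    return original_check(r)
        && probe_user_range(r->in_ptr, r->in_len)
        && probe_user_range(r->out_ptr, r->out_len);
}

/* Dispatch under a given validation policy. Returns the handler's result,
   -1 if the request is rejected, -2 if the command code is unknown. */
static int dispatch(const struct neither_request *r,
                    int (*check)(const struct neither_request *))
{
    if (!check(r))
        return -1;
    cmd_handler_t h = lookup_command(internal_cmds_ioctl1, r->command);
    if (h == NULL)
        return -2;
    return h(r->in_ptr, r->out_ptr);
}

/* One call describes a request end to end; hardened selects the probing policy. */
int tmcomm_model(uint32_t in_len, uint32_t out_len, uintptr_t in_ptr,
                 uintptr_t out_ptr, uint32_t command, int hardened)
{
    struct neither_request r = { in_len, out_len, in_ptr, out_ptr, command };
    return dispatch(&r, hardened ? hardened_check : original_check);
}

int main(void)
{
    /* Constructed request: correct lengths, but buffers pointing into kernel space. */
    uintptr_t kernel_addr = 0x8000F000u;
    printf("original check, kernel pointers: %d\n",
           tmcomm_model(0x4C, 0x4C, kernel_addr, kernel_addr, 0x2713u, 0));
    printf("hardened check, kernel pointers: %d\n",
           tmcomm_model(0x4C, 0x4C, kernel_addr, kernel_addr, 0x2713u, 1));
    printf("hardened check, user pointers:   %d\n",
           tmcomm_model(0x4C, 0x4C, 0x00401000u, 0x00402000u, 0x2713u, 1));
    return 0;
}
```

The point the model makes is that the length comparison at .text:000134D9 and .text:000134DE says nothing about where the buffers live: with METHOD_NEITHER the driver receives the caller's addresses verbatim, so the probe (and, in a real driver, a __try/__except around every access to those buffers) is the driver's own responsibility.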
Ethical security companies can request samples by contacting: contact@xxxxxxxxxxxxxxx

References:
  http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=469
  [PDF] http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=45