ShineShadow Security Report 28092009-10 TITLE Local privilege escalation vulnerability in Trustport security software BACKGROUND TrustPort is a major producer of software solutions for secure communication and reliable data protection. TrustPort products are characterized by a comprehensive approach to security of both computers and computer networks, protecting against known threats, whilst effectively facing new dangers. They excel in several security areas including antivirus technology, antispam methods, and encryption technology. Source: http://www.trustport.com VULNERABLE PRODUCTS TrustPort Antivirus 2.8.0.2265 TrustPort Antivirus Business 2.8.0.2265 TrustPort PC Security 2.0.0.1290 TrustPort PC Security Business 2.0.0.1290 Previous versions may also be affected DETAILS Trustport installs the own program files with insecure permissions (Everyone - Full Control). Local attacker (unprivileged user) can replace some files (including executable files of Trustport services) by malicious files and execute arbitrary code with SYSTEM privileges. EXPLOITATION This is local privilege escalation vulnerability. An attacker must have valid logon credentials to a system where vulnerable software is installed. WORKAROUND Trustport has addressed this vulnerability by releasing fixed versions of the vulnerable products: TrustPort Antivirus 2.8.0.2266 TrustPort Antivirus Business 2.8.0.2266 TrustPort PC Security 2.0.0.1291 TrustPort PC Security Business 2.0.0.1291 You can download it from the vendor website: http://www.trustport.com/en/download DISCLOSURE TIMELINE 16/08/2009 Initial vendor notification 17/08/2009 Vendor response 17/08/2009 Vulnerability details sent 18/08/2009 Vendor response that this security problem is known and will be solved in the next version of product 18/08/2009 Query for full list of the vulnerable software and planned release date of the fix. No reply. 24/08/2009 Resend query. 25/08/2009 Vendor provided requested information 09/09/2009 Vendor released the fixed versions of products 10/09/2009 I notified vendor that the vulnerability has not been fixed. The released update only mitigated vulnerability but did not remove it. 11/09/2009 Vendor agreed and promised to release new fix as soon as possible 24/09/2009 Vendor released new fixed versions of his products 28/09/2009 Advisory released CREDITS Maxim A. Kulakov (aka ShineShadow) ss_contacts[at]hotmail.com
