Trend Micro DLL Hijacking
Posted on 31 December 2015
Hi @ll,

TrendMicro_MAX_10.0_US-en_Downloader.exe (available from <http://trial.trendmicro.com/US/TM/2016/TrendMicro_MAX_10.0_US-en_Downloader.exe>) loads and executes ProfAPI.dll and UXTheme.dll (and other DLLs too) if they are present in the directory it is started from (the "application directory").

For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134>

If one of the DLLs named above gets planted in the user's "Downloads" directory via "drive-by download" or "social engineering", this vulnerability becomes a remote code execution.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as UXTheme.dll in your "Downloads" directory, then copy it as ProfAPI.dll;

2. download TrendMicro_MAX_10.0_US-en_Downloader.exe and save it in your "Downloads" directory;

3. execute TrendMicro_MAX_10.0_US-en_Downloader.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!

For a denial of service instead of arbitrary (remote) code execution copy the downloaded UXTheme.dll as OLEAcc.dll and WinSpool.drv.
This is easily turned into arbitrary (remote) code execution too: just add the exports OpenPrinterW, ClosePrinter and DocumentPropertiesW respectively LresultFromObject and CreateStdAccessibleObject to the DLL.
See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> as well as <http://home.arcor.de/skanthak/sentinel.html> and the still unfinished <http://home.arcor.de/skanthak/!execute.html> for more details about this well-known and well-documented BEGINNER'S error and why executable installers (and self-extractors too) are bad.

Additionally, TrendMicro_MAX_10.0_US-en_Downloader.exe creates an unsafe temporary directory where it unpacks its payload to and executes it from.

...\TrendMicro_MAX_10.0_US-en_Downloader\Agent\TisEzIns.exe loads and executes multiple DLLs too from its unsafe application directory: ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, UXTheme.dll and Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll and OLEAcc.dll

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. unpack TrendMicro_MAX_10.0_US-en_Downloader.exe (basically a 7-Zip self-extractor) into an arbitrary directory, say "%TEMP%" (this creates a subdirectory "%TEMP%\Agent" with the payload);

6. copy the downloaded UXTheme.dll from step 1 into "%TEMP%\Agent", then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll and OLEAcc.dll there;

7. execute "%TEMP%\Agent\TisEZIns.exe";

8. notice the message boxes displayed from the DLLs placed in steps 5 and 6.

PWNED!

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2015-12-20    multiple reports sent to vendor
2015-12-20    one report bounced due to braindead mail setup by vendor
2015-12-20    resent bounced report via alternative provider
2015-12-21    vendor acknowledges receipt and names further contact
2015-12-28    vendor verifies reports, can reproduce it on Windows 7
2015-12-30    vendor asks for verification: "We did not reproduce the vulnerability relating to ProfAPI.dll and UXTheme.dll on Windows 7."
2015-12-31    sent verification to vendor
2015-12-31    bounced due to braindead mail setup by vendor

<GCC_CONSRECEIVE@support.trendmicro.com>: host support.trendmicro.com.e0018.g0009.ng0090.im.emailsecurity.trendmicro.com[150.70.178.57] said: 554 5.7.1 <GCC_CONSRECEIVE@support.trendmicro.com>: Recipient address rejected: ERS-RBL. (in reply to RCPT TO command)

<tm-csirt@trendmicro.com>: host sjdc-itpf-04.udc.trendmicro.com[66.180.82.132] said: 550 5.7.1 Service unavailable; Client host [151.189.21.43] blocked using Trend Micro RBL+. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=151.189.21.43; Mail from 151.189.21.43 blocked using Trend Micro Email Reputation database. Please see <http://www.mail-abuse.com/cgi-bin/lookup?151.189.21.43>; from=<<stefan.kanthak@nexgo.de> ; SIZE=8184> to=<<tm-csirt@trendmicro.com> ; ORCPT=rfc822;tm-csirt@trendmicro.com> proto=ESMTP helo=<mail-in-03.arcor-online.net> (in reply to end of DATA command)

2015-12-31    report published: vendor is obviously not interested in communication
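The defensive counterpart to the advisory above is a check of the directory an installer is about to be run from, looking for files that would shadow the libraries it resolves from its application directory. The following Python script is an added example written for this page; it is not Stefan Kanthak's code and not Trend Micro's. The module names are exactly the ones the advisory lists for the two executables; the directory contents, the "placeholder" file bodies and the verdict wording are constructed for the demonstration. The match is case-insensitive because Windows file names are, so a planted "uxtheme.dll" shadows UXTheme.dll just as well.

```python
"""Audit a directory for files that shadow libraries an installer loads from
its application directory (the planting scenario described in the advisory)."""
import tempfile
from pathlib import Path

# Library names taken from the advisory: what the downloader itself loads
# from its application directory ...
DOWNLOADER_MODULES = ("ProfAPI.dll", "UXTheme.dll", "OLEAcc.dll", "WinSpool.drv")
# ... and what the unpacked Agent\TisEzIns.exe additionally loads.
AGENT_MODULES = DOWNLOADER_MODULES + (
    "NTMarta.dll", "RASAdHlp.dll", "NTShrUI.dll", "Secur32.dll",
    "WinMM.dll", "Version.dll", "WinHttp.dll",
)


def shadowing_names(filenames, modules=AGENT_MODULES):
    """Return the entries of `filenames` that collide, case-insensitively,
    with one of `modules`. Pure function, so it works on any list of names
    (a directory listing, a file-system event log, an archive index)."""
    wanted = {m.lower() for m in modules}
    return sorted((n for n in filenames if n.lower() in wanted), key=str.lower)


def audit_directory(directory, installer_name, modules=AGENT_MODULES):
    """Scan `directory` on disk and report whether starting `installer_name`
    from it would pick up a planted library. Only file names are inspected."""
    names = [p.name for p in Path(directory).iterdir() if p.is_file()]
    planted = shadowing_names(names, modules)
    installer_present = installer_name.lower() in {n.lower() for n in names}
    # Verdict strings are this example's own wording (constructed).
    if planted and installer_present:
        verdict = "installer and shadowing library share a directory: do not run it from here"
    elif planted:
        verdict = "shadowing library present: any executable started here that loads it is exposed"
    else:
        verdict = "clean"
    return {"installer_present": installer_present, "planted": planted, "verdict": verdict}


def demo():
    """Constructed sample: a throw-away 'Downloads' directory holding the
    installer, two planted libraries (one in lower case) and an unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("TrendMicro_MAX_10.0_US-en_Downloader.exe", "uxtheme.dll",
                     "ProfAPI.dll", "notes.txt"):
            # File contents are irrelevant to the check; only the name matters.
            Path(tmp, name).write_bytes(b"placeholder")
        return audit_directory(tmp, "TrendMicro_MAX_10.0_US-en_Downloader.exe")


if __name__ == "__main__":
    result = demo()
    print(result["verdict"])
    for name in result["planted"]:
        print("  shadowing file:", name)
```

Point `audit_directory` at a real Downloads or %TEMP%\Agent directory with the appropriate module list to check it before running the installer; a non-empty `planted` list means the executable will resolve that library from the application directory instead of the system directory, whatever the file actually contains.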