[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec
[Vendor]
www.trendmicro.com
[Product]
Trend Micro Security 2019 (Consumer) Multiple Products
Trend Micro Security provides comprehensive protection for your
devices.
This includes protection against ransomware, viruses, malware,
spyware, and identity theft.
[Vulnerability Type]
Security Bypass Protected Service Tampering
[CVE Reference]
CVE-2019-19697
[Security Issue]
Trend Micro Maximum Security is vulnerable to arbitrary code
execution as it allows for creation of registry key to target a
process running as SYSTEM.
This can allow a malware to gain elevated privileges to take over
and shutdown services that require SYSTEM privileges like Trend
Micros "Asmp"
service "coreServiceShell.exe" which does not allow Administrators
to tamper with them.
This could allow an attacker or malware to gain elevated
privileges and tamper with protected services by disabling or
otherwise preventing them to start.
Note administrator privileges are required to exploit this
vulnerability.
[CVSS 3.0 Scores: 3.9]
[Affected versions]
Platform Microsoft Windows
Premium Security 2019 (v15)
Maximum Security 2019 (v15)
Internet Security 2019 (v15)
Antivirus + Security 2019 (v15)
[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx
[Exploit/POC]
1) Create a entry for the following registry key targeting
"PtWatchdog.exe" and set the debugger string value to an arbitrary
executable to gain SYSTEM privs.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe
2) Create a string named "debugger" under the reg key and give it the value of the executable you wish to run as SYSTEM.
3) Restart the machine or wait until service is restart then you get SYSTEM and can now disable Trend Micro endpoint security coreServiceShell.exe service
[Network Access]
Local
[Severity]
Low
[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor confirms issue: October 28, 2019
Vendor release date: January 14, 2020
January 16, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or
otherwise.
Permission is hereby granted for the redistribution of this
advisory, provided that it is not altered except by reformatting
it, and
that due credit is given. Permission is explicitly given for
insertion in vulnerability databases and similar, provided that due
credit
is given to the author. The author is not responsible for any
misuse of the information contained herein and accepts no
responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related
information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
