[NT] Trend Micro TmComm Local Privilege Escalation Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Trend Micro TmComm Local Privilege Escalation Vulnerability
------------------------------------------------------------------------


SUMMARY

The Trend Micro AntiVirus scan engine (http://www.trendmicro.com/) is
widely relied upon to provide AntiVirus capabilities to desktop, server,
and gateway systems. The engine is licensed to several of Trend Micro's
OEM partners.

Exploitation of the vulnerability allows an attacker to elevate privileges
by overwriting arbitrary system memory or executing code within kernel
context.

DETAILS

Vulnerable Systems:
* Trend Micro's PC-Cillin Internet Security 2007
* TmComm.sys version 1.5.0.1052
* VsapiNI.sys (scan engine) version 3.320.0.1003
* (All products using Trend Micro's scan engine should be considered
vulnerable.)

Local exploitation of an input validation vulnerability within version
1.5.0.1052 of TmComm.sys, as included with Trend Micro's AntiVirus engine,
could allow an attacker to execute arbitrary code in kernel context.

This vulnerability specifically exists due to insecure permissions on the
\\.\TmComm DOS device interface. The permissions on this device grant
"Everyone" write access, so any locally logged-in user can open the device
and reach, via IOCTLs, functionality that was designed for privileged use
only.

Additionally, the IOCTL handlers for this DOS device interface do not
validate the addresses passed to them (that is, they do not probe that a
caller-supplied pointer and length lie within user-mode address space
before using them). As such, a local user can overwrite arbitrary memory or
execute attacker-supplied code in the context of the kernel (ring 0).
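The two paragraphs above describe a device reachable by every local user whose IOCTL handlers write through caller-supplied pointers. The following user-mode C model is an added illustration of that bug class and is not code from TmComm.sys or from iDefense: a single static arena stands in for the address space (low half "user", high half "kernel", with USER_PROBE_ADDRESS playing the role of the kernel's MmUserProbeAddress), the METHOD_NEITHER-style request layout (destination pointer, length, payload) is an assumption, and probe_for_write() performs the checks the Windows ProbeForWrite() routine performs (non-zero length, alignment, no pointer-arithmetic wrap, range entirely below the user/kernel boundary). The unchecked handler lets a request aimed at kernel memory land; the checked handler captures the request once and rejects it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real NTSTATUS values, used only as return codes of this model. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du

/* Assumed address-space model: one arena, low half "user", high half "kernel".
   The union forces pointer alignment; USER_PROBE_ADDRESS stands in for
   MmUserProbeAddress (first address that is not user-mode). */
#define HALF 4096u
static union { uint8_t bytes[2 * HALF]; void *align; } mem;
#define USER_BASE          (&mem.bytes[0])
#define KERNEL_BASE        (&mem.bytes[HALF])
#define USER_PROBE_ADDRESS ((uintptr_t)KERNEL_BASE)

/* Assumed METHOD_NEITHER-style request: the caller hands the driver a raw
   destination pointer, a length and up to 16 bytes of payload. */
struct write_request {
    void    *dst;
    uint32_t len;
    uint8_t  data[16];
};

/* Vulnerable handler: writes through whatever pointer the caller supplied. */
static uint32_t ioctl_write_unchecked(const struct write_request *user_req)
{
    uint32_t len = user_req->len > sizeof user_req->data ? sizeof user_req->data : user_req->len;
    memcpy(user_req->dst, user_req->data, len);
    return STATUS_SUCCESS;
}

/* Same checks as ProbeForWrite(Address, Length, Alignment): zero length is
   fine; the address must be aligned (alignment is a power of two); and
   [start, start+length) must neither wrap nor cross the user/kernel boundary. */
static uint32_t probe_for_write(const void *address, size_t length, size_t alignment)
{
    uintptr_t start = (uintptr_t)address, end;

    if (length == 0)
        return STATUS_SUCCESS;
    if (start & (alignment - 1))
        return STATUS_DATATYPE_MISALIGNMENT;
    end = start + length;                 /* may wrap on overflow */
    if (end < start || end > USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Hardened handler: probe and capture the request (it lives in user memory
   too), then probe the destination, then write. Working from the local copy
   means the caller cannot change dst/len between the check and the use. */
static uint32_t ioctl_write_checked(const struct write_request *user_req)
{
    struct write_request req;
    uint32_t st = probe_for_write(user_req, sizeof req, sizeof(void *));

    if (st != STATUS_SUCCESS)
        return st;
    memcpy(&req, user_req, sizeof req);   /* capture once */
    if (req.len > sizeof req.data)
        return STATUS_INVALID_PARAMETER;
    st = probe_for_write(req.dst, req.len, 1);
    if (st != STATUS_SUCCESS)
        return st;
    memcpy(req.dst, req.data, req.len);
    return STATUS_SUCCESS;
}

/* Place a request in "user" memory, as a caller of the device would. */
static struct write_request *make_request(void *dst, uint32_t len, const char *payload)
{
    struct write_request *req = (struct write_request *)(USER_BASE + 256);
    memset(req, 0, sizeof *req);
    req->dst = dst;
    req->len = len;
    memcpy(req->data, payload, len < sizeof req->data ? len : sizeof req->data);
    return req;
}

/* Scenario 1: unchecked handler, destination inside kernel memory.
   Returns 1 if the kernel bytes were overwritten. */
static int attack_unchecked(void)
{
    memset(mem.bytes, 0, sizeof mem.bytes);
    ioctl_write_unchecked(make_request(KERNEL_BASE + 64, 4, "ABCD"));
    return memcmp(KERNEL_BASE + 64, "ABCD", 4) == 0;
}

/* Scenario 2: checked handler, same request. Returns the status; 0xFFFFFFFF
   would mean the write happened anyway. */
static uint32_t attack_checked(void)
{
    memset(mem.bytes, 0, sizeof mem.bytes);
    uint32_t st = ioctl_write_checked(make_request(KERNEL_BASE + 64, 4, "ABCD"));
    return memcmp(KERNEL_BASE + 64, "\0\0\0\0", 4) == 0 ? st : 0xFFFFFFFFu;
}

/* Scenario 3: a legitimate request targeting user memory goes through. */
static uint32_t legit_checked(void)
{
    memset(mem.bytes, 0, sizeof mem.bytes);
    uint32_t st = ioctl_write_checked(make_request(USER_BASE + 1024, 4, "ABCD"));
    return (st == STATUS_SUCCESS && memcmp(USER_BASE + 1024, "ABCD", 4) != 0) ? 0xFFFFFFFFu : st;
}

int main(void)
{
    printf("unchecked handler overwrote kernel memory: %s\n", attack_unchecked() ? "yes" : "no");
    printf("checked handler, kernel target: 0x%08X\n", attack_checked());
    printf("checked handler, user target:   0x%08X\n", legit_checked());
    return 0;
}
```

In a real driver the probe runs inside __try/__except, because ProbeForRead/ProbeForWrite raise an exception rather than return a status, and every value read from the user buffer is copied into kernel-owned storage before it is checked, as ioctl_write_checked() does here. Note that the probe only enforces the user/kernel boundary; it does not make the device safe for "Everyone" to open, which is why the DACL workaround below and the handler fix are both needed.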

Workaround:
Removing write permissions for "Everyone" on the \\.\TmComm device appears
to prevent access to the vulnerable code. iDefense confirmed that the virus
scanning engine was still able to detect viruses with this change in place.
Although no side effects were witnessed in lab tests, normal functionality
may be hindered.

Vendor Status:
"To address this vulnerability, Trend Micro recommends that customers
update their Anti-Rootkit Common Module to version 1.600-1052.

Products that are set to Automatic Update will be updated immediately.
Manual Updating can also be performed by using the product's Update Now
function."

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034432&id=EN-1034432

Disclosure Timeline:
* 01/17/2007 - Initial vendor notification
* 01/19/2007 - Initial vendor response
* 02/07/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=469
