Trend Micro Security 16 - DLL Search-Order Hijacking and Potential Abuses (CVE-2019-15628)

December 2nd, 2019

Peleg Hadar

Security Researcher, SafeBreach Labs

Introduction

SafeBreach Labs discovered a new vulnerability in Trend Micro Maximum Security (2019/2020) software.

In this post, we will demonstrate how this vulnerability could be used in order to achieve defense evasion, self-defense bypass, persistence and in some cases privilege escalation by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.

Trend Micro Maximum Security

Trend Micro Maximum Security provides comprehensive protection for different devices. This includes protection against ransomware, viruses, malware, spyware, and identity theft.

Some parts of the software run as:

1. A Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions
2. Non-PPL processes which allow an attacker to load unsigned code, because the CIG (Code Integrity Guard) mechanism is not enforced

In this post, we describe the vulnerability we found in the Trend Micro Maximum Security 2019 and 2020 editions.

We then demonstrate how this vulnerability can be exploited to achieve defense evasion, persistence and in some cases privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.

Discovery

In our initial exploration of the software, we targeted the Trend Micro Solution Platform service (Amsp) (coreServiceShell.exe) because of the following reasons:

• It runs as NT AUTHORITY\SYSTEM - the most privileged user account. This kind of service might be exposed to a user-to-SYSTEM privilege escalation, which is very powerful and useful to an attacker.
• The executable of the service is signed by Trend Micro and if the hacker finds a way to execute code within this process, it can be used as an application whitelisting bypass which can lead to security product evasion.
• This service automatically starts once the computer boots, which means that it’s a potential target for an attacker to be used as a persistence mechanism.
• Despite the fact that it’s an antivirus, this service run as a non-PPL, which means that CIG (Code Integrity Guard) is not enforced, so unsigned code-loading is possible into these processes.

In our exploration, we found that these services were started as signed processes and executed as NT AUTHORITY\SYSTEM.

Once executed, we noticed an interesting behavior:

As you can see, the service was trying to load a missing DLL file from different directories within the PATH environment variable.

PoC Demonstration

On our VM, Python 2.7 is installed. The c:\python27 has an ACL which allows any authenticated user to write files onto the ACL. This makes privilege escalation simple, allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITY\SYSTEM.

It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.

In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which writes the following to the filename of a txt file once the DLL is loaded:

• The name of the process which loaded it
• The username which executed it
• The name of the DLL file

We were able to load an arbitrary DLL as a regular user and execute our code within multiple processes which are signed by Bitdefender as NT AUTHORITY\SYSTEM.

Root Cause Analysis

Once the “Trend Micro Solution Platform” service (coreServiceShell.exe) is started, the paCoreProductAdaptor.dll library is loaded.

The “paCoreProductAdaptor.dll” library tries to load the “utilUniClient.dll” library by calling LoadLibraryExW with the LOAD_WITH_ALTERED_SEARCH_PATH flag. The standard search begins in the calling application's directory, and the alternate search begins in the directory of the executable module that LoadLibraryEx is loading.

There are two root causes for this vulnerability:

• The lack of safe DLL loading due to having an uncontrolled search path. In this case, it is necessary to use the SetDefaultDllDirectories or AddDllDirectory functions in order to control the paths from which a DLL can be loaded within the scope of the executable.
• No digital certificate validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.

Potential Malicious Uses and Impact

Below we show three possible ways that an attacker can leverage the CVE-2019-15628 vulnerability that we discovered and documented above.

Self-Defense Bypass

The antivirus has a self-defense mechanism which prevents an attacker from tampering with its processes and files. Part of the mechanism is to use a mini-filter driver to monitor and prevent any changes to the directories of the antivirus application, so an attacker could not implant an arbitrary DLL, for example.

The vulnerability allows an attacker to bypass this part of the mechanism and load an arbitrary DLL into the antivirus process.

Signed Execution and Whitelisting Bypass

The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.

Persistence Mechanism

The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.

Privilege Escalation

In certain conditions, the service provides an attacker with the ability to operate as NT AUTHORITY\SYSTEM.

Affected Versions

Trend Micro Security 16.0.1221 and below

Patched Version: Trend Micro Security 16.0.1227

Timeline

July 23th, 2019 - Vulnerability reported to Trend Micro

July 24th, 2019 - Initial response from Trend Micro

Aug 14th, 2019 - Status Update from Trend Micro

Aug 28th, 2019 - Trend Micro confirmed the vulnerability

Sep 18th, 2019 - Status Update from Trend Micro

Oct 2nd, 2019 - Status Update from Trend Micro

Oct 7th, 2019 - Status Update from Trend Micro

Oct 14th, 2019 - Trend Micro asked for more time (because of our 90-days disclosure policy)

Oct 14th, 2019 - SafeBreach agreed to wait.

Nov 15th, 2019 - Trend Micro provided a list of affected products and said that they will publish the fix to the customers on November 21st.

Nov 19th - Trend Micro issued CVE-2019-15628 and said that they will release an advisory on November 25th.

Nov 25th - Trend Micro released a security advisory[1]

References

[1] https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124011.aspx