Trend Micro Security 16 - DLL Search-Order Hijacking and Potential Abuses (CVE-2019-15628)
December 2nd, 2019
Peleg Hadar
Security Researcher, SafeBreach Labs
SafeBreach Labs discovered a new vulnerability in Trend Micro Maximum Security (2019/2020) software.
In this post, we will demonstrate how this vulnerability could be used in order to achieve defense evasion, self-defense bypass, persistence and in some cases privilege escalation by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.
Trend Micro Maximum Security provides comprehensive protection for different devices. This includes protection against ransomware, viruses, malware, spyware, and identity theft.
Some parts of the software run as:
In this post, we describe the vulnerability we found in the Trend Micro Maximum Security 2019 and 2020 editions.
We then demonstrate how this vulnerability can be exploited to achieve defense evasion, persistence and in some cases privilege escalation, gaining access with NT AUTHORITY\SYSTEM level privileges.
In our initial exploration of the software, we targeted the Trend Micro Solution Platform service (Amsp) (coreServiceShell.exe) because of the following reasons:
In our exploration, we found that these services were started as signed processes and executed as NT AUTHORITY\SYSTEM.
Once executed, we noticed an interesting behavior:
As you can see, the service was trying to load a missing DLL file from different directories within the PATH environment variable.
On our VM, Python 2.7 is installed. The c:\python27 directory has an ACL which allows any authenticated user to write files into it. This makes privilege escalation simple, allowing a regular user to write the missing DLL file into that directory and achieve code execution as NT AUTHORITY\SYSTEM.
It is important to note that an administrative user or process must (1) set the directory ACLs to allow access to non-admin user accounts, and (2) modify the system’s PATH variable to include that directory. This can be done by different applications.
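The two preconditions above (a directory writable by standard users, and that directory present in the system PATH) can be audited. The following Python check is an added example, not part of the original post or of Trend Micro's software: it parses icacls-style ACE strings for each PATH entry and flags the entries a low-privileged principal can write to. The PATH value and ACL strings are constructed sample data; on a real host they would come from the environment and from `icacls <dir>`.

```python
import re
from typing import Dict, List

# Constructed sample data (not output captured from the post's VM): a PATH value
# and icacls-style ACE strings for each directory in it.
SAMPLE_PATH = r"C:\Windows\system32;C:\Windows;C:\Python27;C:\Program Files\Git\cmd"
SAMPLE_ACLS: Dict[str, List[str]] = {
    r"C:\Windows\system32": ["NT SERVICE\\TrustedInstaller:(F)", "BUILTIN\\Users:(RX)"],
    r"C:\Windows": ["BUILTIN\\Administrators:(M)", "BUILTIN\\Users:(RX)"],
    # Modify (M) for Authenticated Users: any standard user can drop a DLL here.
    r"C:\Python27": ["BUILTIN\\Administrators:(OI)(CI)(F)",
                     "NT AUTHORITY\\Authenticated Users:(OI)(CI)(M)"],
    r"C:\Program Files\Git\cmd": ["BUILTIN\\Users:(OI)(CI)(RX)"],
}

# Principals that every standard (non-admin) account belongs to.
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users",
                       "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that let a caller create or replace a file in the directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA", "WDAC", "WO"}

_ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)$")

def ace_grants_write(ace: str) -> bool:
    """True if this ACE gives a low-privileged principal write access."""
    m = _ACE_RE.match(ace.strip())
    if not m or m.group("who").lower() not in LOW_PRIV_PRINCIPALS:
        return False
    # Each parenthesised group may hold several comma-separated rights, e.g. (WD,AD).
    flags = {r.strip() for grp in re.findall(r"\(([^)]*)\)", m.group("rights"))
             for r in grp.split(",")}
    if "DENY" in flags:          # an explicit deny ACE never grants anything
        return False
    return bool(flags & WRITE_RIGHTS)

def writable_path_dirs(path_value: str, acls: Dict[str, List[str]]) -> List[str]:
    """Return PATH entries, in search order, that a standard user can write to.
    Any such directory is a candidate drop point for a DLL that a SYSTEM service
    searches for via PATH, which is the precondition described in the post."""
    index = {k.lower().rstrip("\\"): v for k, v in acls.items()}
    hits = []
    for entry in path_value.split(";"):
        d = entry.strip().rstrip("\\")
        if d and any(ace_grants_write(a) for a in index.get(d.lower(), [])):
            hits.append(d)
    return hits
```

On the sample data only C:\Python27 is reported; removing the write grant or taking the directory out of the system PATH clears the finding.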
In order to test this privilege escalation vulnerability, we compiled an unsigned DLL which, once loaded, creates a .txt file and encodes the following information in its filename:
We were able to load an arbitrary DLL as a regular user and execute our code within multiple processes which are signed by Bitdefender as NT AUTHORITY\SYSTEM.
Once the “Trend Micro Solution Platform” service (coreServiceShell.exe) is started, the paCoreProductAdaptor.dll library is loaded.
The “paCoreProductAdaptor.dll” library tries to load the “utilUniClient.dll” library by calling LoadLibraryExW with the LOAD_WITH_ALTERED_SEARCH_PATH flag. Under the standard search order the lookup begins in the calling application's directory; under the alternate search order selected by this flag it begins in the directory of the executable module that LoadLibraryEx is loading. Because “utilUniClient.dll” is not present there, the lookup continues through the remaining standard locations and ends with the directories listed in the PATH environment variable, which is the behavior observed above.
There are two root causes for this vulnerability:
Below we show three possible ways that an attacker can leverage the CVE-2019-15628 vulnerability that we discovered and documented above.
The antivirus has a self-defense mechanism which prevents an attacker from tampering with its processes and files. Part of the mechanism is to use a mini-filter driver to monitor and prevent any changes to the directories of the antivirus application, so an attacker could not implant an arbitrary DLL, for example.
The vulnerability allows an attacker to bypass this part of the mechanism and load an arbitrary DLL into the antivirus process.
The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the service is loaded. That means that once the attacker drops a malicious DLL in a vulnerable path, the service will load the malicious code each time it is restarted.
In certain conditions, the service provides an attacker with the ability to operate as NT AUTHORITY\SYSTEM.
Trend Micro Security 16.0.1221 and below
Patched Version: Trend Micro Security 16.0.1227
July 23rd, 2019 - Vulnerability reported to Trend Micro
July 24th, 2019 - Initial response from Trend Micro
Aug 14th, 2019 - Status Update from Trend Micro
Aug 28th, 2019 - Trend Micro confirmed the vulnerability
Sep 18th, 2019 - Status Update from Trend Micro
Oct 2nd, 2019 - Status Update from Trend Micro
Oct 7th, 2019 - Status Update from Trend Micro
Oct 14th, 2019 - Trend Micro asked for more time (because of our 90-days disclosure policy)
Oct 14th, 2019 - SafeBreach agreed to wait.
Nov 15th, 2019 - Trend Micro provided a list of affected products and said that they will publish the fix to the customers on November 21st.
Nov 19th, 2019 - Trend Micro issued CVE-2019-15628 and said that they will release an advisory on November 25th.
Nov 25th, 2019 - Trend Micro released a security advisory [1]
[1] https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124011.aspx