A vulnerability in Trend Micro’s Password Manager could be exploited to run programs with the permissions of the most privileged account on a Windows system.
An attacker already on the computer could exploit the vulnerability to run with SYSTEM privileges an arbitrary, unsigned DLL file within a trusted process.
This would benefit an adversary because they could execute malicious payloads and evade detection.
Trend Micro’s password management tool is available as standalone software and it is also integrated with the vendor’s antivirus versions for consumers Premium and Maximum Security 2019.
No checks for loading DLL
Peleg Hadar of SafeBreach found that the weakness was caused by the “Trend Micro Password Manager Central Control Service” (PwmSvc.exe), which starts a chain reaction that involves looking for a DLL that is not present on the system (tmtap.dll).
Among the search locations for the absent file are system folders as well as a c:/python27, which allowed exploitation.
“As you can see, the service was trying to load a missing DLL file, which eventually was loaded from the c:python27 directory – a directory within our PATH environment variable,” Hadar says.
To test against privilege escalation, Hadar compiled an unsigned DLL that wrote to a text file the name of the process loading it, the username that executed it, and the name of the DLL file.
As the image below shows, the test was a success as the DLL ran with SYSTEM privileges within a trusted (signed) Trend Micro process.
This would also ensure persistence of a malicious executable file on a system with a vulnerable version of Trend Micro Password Manager. This would happen because the payload would execute every time the PwmSvc.exe service loads.
The security researcher pinned the vulnerability (CVE-2019-14684) to the lack of mechanisms that verify that the loaded binaries are signed and loaded from a controlled path.
Trend Micro received a report for a similar DLL hijacking flaw, identified as CVE-2019-14687, in the same application.
This second bug was discovered by Trần Văn Khang of Infiniti Team – VinCSS, and exploitation involved a different DLL, the antivirus maker informs in an advisory.
Trend Micro’s password manager supports automatic updates and users that have the feature enabled should have already received the patch. If this is not the case, a manual check should do the trick.