Freely subscribe to our NEWSLETTER

SYNTHESIS OF THE VULNERABILITY

A local attacker can use METHOD_NEITHER to elevate his privileges
via Trend Micro Internet Security.

Severity: 2/4

Consequences: administrator access/rights

Provenance: user shell

Means of attack: 1 attack

Ability of attacker: technician (2/4)

Confidence: multiples sources (3/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 31/03/2009

IMPACTED PRODUCTS

– Trend Micro Internet Security

DESCRIPTION OF THE VULNERABILITY

The tmactmon.sys (TrendMicro Activity Monitor) driver is installed
by Trend Micro Internet Security, and is reachable by all users
via \Device\tmactmon.

The NtDeviceIoControlFile() function is used to attach to a
driver. Its IoControlCode parameter indicates the input/output
mode:
– METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT : uses an
IRP buffer
– METHOD_NEITHER : directly uses virtual memory addresses
When the METHOD_NEITHER mode is used, the driver has to check
memory addresses.

However, tmactmon.sys does not check addresses. An attacker can
therefore use as input a malicious buffer, and as output a kernel
memory address. His malicious data are thus written to the
privileged kernel address by the driver.

A local attacker can therefore use METHOD_NEITHER to elevate his
privileges via Trend Micro Internet Security.

CHARACTERISTICS

Identifiers: CVE-2009-0686, Positive Technologies SA 2009-09,
PT-2009-09, VIGILANCE-VUL-8578

http://vigilance.fr/vulnerability/Trend-Micro-IS-privilege-elevation-via-tmactmon-sys-8578