Vigil@nce: Trend Micro IS, privilege elevation via tmactmon.sys
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use METHOD_NEITHER to elevate his privileges
via Trend Micro Internet Security.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: multiples sources (3/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 31/03/2009
IMPACTED PRODUCTS
– Trend Micro Internet Security
DESCRIPTION OF THE VULNERABILITY
The tmactmon.sys (TrendMicro Activity Monitor) driver is installed
by Trend Micro Internet Security, and is reachable by all users
via \Device\tmactmon.
The NtDeviceIoControlFile() function is used to attach to a
driver. Its IoControlCode parameter indicates the input/output
mode:
– METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT : uses an
IRP buffer
– METHOD_NEITHER : directly uses virtual memory addresses
When the METHOD_NEITHER mode is used, the driver has to check
memory addresses.
However, tmactmon.sys does not check addresses. An attacker can
therefore use as input a malicious buffer, and as output a kernel
memory address. His malicious data are thus written to the
privileged kernel address by the driver.
A local attacker can therefore use METHOD_NEITHER to elevate his
privileges via Trend Micro Internet Security.
CHARACTERISTICS
Identifiers: CVE-2009-0686, Positive Technologies SA 2009-09,
PT-2009-09, VIGILANCE-VUL-8578
http://vigilance.fr/vulnerability/Trend-Micro-IS-privilege-elevation-via-tmactmon-sys-8578