Monday, October 29, 2007

[NT] Trend Micro Tmxpflt.sys IOCTL 0xa0284403 Buffer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - - - - - - - -

Trend Micro Tmxpflt.sys IOCTL 0xa0284403 Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

The Trend Micro (http://www.trendmicro.com/) AntiVirus scan engine
provides AntiVirus capabilities to desktop, server, and gateway systems.
The engine is licensed to several of Trend Micro's OEM partners.

Local exploitation of a buffer overflow vulnerability within Tmxpflt.sys,
as included with Trend Micro Inc.'s AntiVirus engine, could allow an
attacker to execute arbitrary code in kernel context.

DETAILS

Vulnerable Systems:
* Trend Micro's PC-Cillin Internet Security 2007
* Tmxpflt.sys versions 8.320.1004 and 8.500.0.1002
* (All products using Trend Micro's scan engine such as Trend Micro
ServerProtect, Trend Micro OfficeScan are also suspected to be
vulnerable.)

This vulnerability specifically exists due to insecure permissions on the
"\\.\Tmfilter" DOS device interface. The permissions on this device allow
"Everyone" write access. This allows a locally logged-in user to access
functionality intended for privileged use only.

Additionally, the IOCTL handler of this DOS device interface for IOCTL
0xa0284403 does not validate the length of attacker-supplied content when
copying to a fixed-size buffer. As such, it is possible to execute
attacker-supplied code in the context of the kernel.

Exploitation allows an attacker to elevate their privileges by overwriting
arbitrary system memory or executing code within kernel context. In order
to exploit this vulnerability, an attacker would need the ability to open
a handle to the "\\.\Tmfilter" DOS device interface.
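As an added illustration (not code from the advisory, iDefense, or Trend Micro), the C fragment below decodes the IOCTL code named above into its CTL_CODE fields and shows the bounded-copy shape that the 0xa0284403 handler lacked. The fixed buffer size, return codes and function names are assumptions; the advisory does not publish the driver's internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Field layout of a Windows I/O control code as built by the CTL_CODE macro:
 * bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 Function, 1..0 Method. */
struct ioctl_fields {
    uint16_t device_type;
    uint8_t  access;    /* 0 FILE_ANY_ACCESS, 1 FILE_READ_ACCESS, 2 FILE_WRITE_ACCESS */
    uint16_t function;
    uint8_t  method;    /* 0 METHOD_BUFFERED ... 3 METHOD_NEITHER */
};

struct ioctl_fields decode_ioctl(uint32_t code) {
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xfff);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Assumed size of the handler's fixed-size buffer (not given in the advisory). */
#define TMFILTER_REQ_MAX 64
/* Handler results, loosely modelled on NTSTATUS outcomes; values are constructed. */
enum { HANDLER_OK = 0, HANDLER_INVALID_PARAMETER = 1, HANDLER_INVALID_BUFFER_SIZE = 2 };

/* Hardened shape of the handler. The advisory's defect is the absence of the
 * in_len check before the copy. 0xa0284403 decodes to METHOD_NEITHER, where the
 * I/O manager neither copies nor validates the user buffer, so the driver alone
 * must bound the length (and, in a real driver, probe the pointer first). */
int handle_tmfilter_request(const uint8_t *in, size_t in_len, size_t *copied) {
    uint8_t request[TMFILTER_REQ_MAX];
    if (in == NULL || copied == NULL) return HANDLER_INVALID_PARAMETER;
    if (in_len > sizeof request) return HANDLER_INVALID_BUFFER_SIZE;  /* the missing check */
    memcpy(request, in, in_len);
    *copied = in_len;
    /* ... process the bounded request here ... */
    return HANDLER_OK;
}

/* Test wrapper: submit a zero-filled request of `len` bytes (constructed input). */
int submit_request_of_length(size_t len) {
    uint8_t user_buf[256] = {0};
    size_t copied = 0;
    if (len > sizeof user_buf) return HANDLER_INVALID_PARAMETER;
    return handle_tmfilter_request(user_buf, len, &copied);
}
```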

Workaround:
Removing write permissions for "Everyone" prevents unprivileged access to
the vulnerable code. iDefense confirmed that the virus scanning engine was
still able to detect viruses. Although no side effects were witnessed
during lab tests, normal functionality may be disrupted.

Vendor Status:
Trend Micro has addressed this vulnerability with the release of version
8.550-1001 of their scan engine. For more information, visit the following
URL.
<http://esupport.trendmicro.com/support/viewxml.do?ContentID=1035793>

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4277>
CVE-2007-4277

Disclosure Timeline:
* 08/06/2007 - Initial vendor notification
* 08/06/2007 - Initial vendor response
* 10/25/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=609>
