Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=609
Vulnerable Systems:
* Trend Micro's PC-Cillin Internet Security 2007
* Tmxpflt.sys version 8.320.1004 and 8.500.0.1002
* (All products using Trend Micro's scan engine such as Trend Micro ServerProtect, Trend Micro OfficeScan are also suspected to be vulnerable.)
This vulnerability specifically exists due to insecure permissions on the "\\.\Tmfilter" DOS device interface. The permissions on this device allow "Everyone" write access. This allows a locally logged-in user to access functionality intended for privileged use only.
Additionally, the IOCTL handler of this DOS device interface for IOCTL 0xa0284403 does not validate the length of attacker-supplied content when copying to a fixed-size buffer. As such, it is possible to execute attacker-supplied code in the context of the kernel.
Exploitation allows an attacker to elevate their privileges by overwriting arbitrary system memory or executing code within kernel context. In order to exploit this vulnerability, an attacker would need the ability to open a handle to the "\\.\Tmfilter" DOS device interface.
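The missing length check described above, as an added example that is not Trend Micro's driver code or part of the original advisory: a user-mode C model of an IOCTL handler that rejects oversized input before copying into a fixed-size buffer, together with the standard CTL_CODE field decode of the IOCTL value. `handle_ioctl`, `request_ctx`, the status codes and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TM_IOCTL 0xa0284403u          /* IOCTL code named in the advisory */

/* CTL_CODE layout: DeviceType[31:16] Access[15:14] Function[13:2] Method[1:0] */
#define IOCTL_DEVTYPE(c)  ((c) >> 16)
#define IOCTL_ACCESS(c)   (((c) >> 14) & 0x3u)
#define IOCTL_FUNCTION(c) (((c) >> 2) & 0xFFFu)
#define IOCTL_METHOD(c)   ((c) & 0x3u)   /* 3 = METHOD_NEITHER: raw caller pointers */

#define SCRATCH_SIZE 64u              /* assumption: real buffer size is not published */

enum { ST_OK = 0, ST_BAD_IOCTL = -1, ST_BAD_PARAM = -2, ST_TOO_LARGE = -3 };

/* Hypothetical per-request state holding the fixed-size destination. */
struct request_ctx {
    uint8_t scratch[SCRATCH_SIZE];
    uint8_t canary;                   /* sits after the buffer; must never change */
    size_t  used;
};

/* Hardened handler: validate the length first, reject rather than truncate.
 * A real METHOD_NEITHER handler must also probe the user pointer; not modelled. */
int handle_ioctl(struct request_ctx *ctx, uint32_t code,
                 const void *in, size_t in_len)
{
    if (code != TM_IOCTL)
        return ST_BAD_IOCTL;
    if (ctx == NULL || in == NULL || in_len == 0)
        return ST_BAD_PARAM;
    if (in_len > sizeof ctx->scratch)   /* the check the advisory says was absent */
        return ST_TOO_LARGE;
    memcpy(ctx->scratch, in, in_len);
    ctx->used = in_len;
    return ST_OK;
}

int main(void)
{
    struct request_ctx ctx = { .canary = 0xA5 };
    uint8_t big[SCRATCH_SIZE + 16] = {0};   /* constructed oversized input */
    int rc = handle_ioctl(&ctx, TM_IOCTL, big, sizeof big);
    return (rc == ST_TOO_LARGE && ctx.canary == 0xA5) ? 0 : 1;
}
```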
Workaround:
Removing write permissions for "Everyone" prevents unprivileged access to the vulnerable code. iDefense confirmed that the virus scanning engine was still able to detect viruses. Although no side effects were observed during lab tests, normal functionality may be disrupted.
Vendor Status:
Trend Micro has addressed this vulnerability with the release of version 8.550-1001 of its scan engine. For more information, visit the following URL:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=1035793
CVE Information:
CVE-2007-4277
Disclosure Timeline:
* 08/06/2007 - Initial vendor notification
* 08/06/2007 - Initial vendor response
* 10/25/2007 - Coordinated public disclosure