Trend Micro password manager had remote command execution holes and dumped data to anyone: Project Zero

A password management tool installed by default alongside Trend Micro AntiVirus was found vulnerable to remote code execution thanks to the work of Google's Project Zero security team.

Discovered by Project Zero's Tavis Ormandy, the password tool was built using JavaScript and node.js, and started a local web server that would listen, without using a whitelist or same origin policy, for API commands.

"It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute()," Ormandy wrote.

"It's even possible to bypass MOTW [Mark of the Web], and spawn commands without any prompts whatsoever."

According to the security researcher, even after Trend Micro issued an initial fix, the product still exposed nearly 70 API calls to the internet.

"I happened to notice that the /api/showSB endpoint will spawn an ancient build of Chromium (version 41) with --disable-sandbox. To add insult to injury, they append '(Secure Browser)' to the UserAgent.", Ormandy said.

"I sent a mail saying 'That is the most ridiculous thing I've ever seen'."

"I don't even know what to say -- how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?"

Ormandy also noted that the password manager was able to dump to an attacker all passwords stored within it.

"Anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I'm astonished about this," Ormandy said to the security vendor.

Eventually, Trend Micro added an origin check for commands and whitelisted the pwm.trendmicro.com domain, which Ormandy said should work, provided the domain was not vulnerable to cross-site scripting vulnerabilities.

The security vendor also fell into the same trap that Lenovo with Superfish and Dell with eDellRoot fell into: adding a self-signed certificate into the local machine's certificate store.

"TrendMicro helpfully adds a self-signed https certificate for localhost to the trust store, so you don't need to click through any security errors," Ormandy said.

Google began Project Zero in July 2014 with the stated goal of improving security across the internet.