TrendMicro versagt auf voller Linie
Posted 01/13/2016 at 14:44 by MrDami123
TrendMicro node.js HTTP server listening on localhost can execute commands
Quote:
When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup.
This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.
It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().
This means any website can launch arbitrary commands, like this:
x = new XMLHttpRequest()
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);
try { x.send(); } catch (e) {};
(Note that you cannot read the response due to the same origin policy, but it doesn't matter - the command is still executed).
This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.
It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().
This means any website can launch arbitrary commands, like this:
x = new XMLHttpRequest()
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);
try { x.send(); } catch (e) {};
(Note that you cannot read the response due to the same origin policy, but it doesn't matter - the command is still executed).
Total Comments 0
