CVE-2005-3360
CVSS 7.2
Published: 2005-12-14 15:07:00
Last revised: 2011-03-07 21:26:25

[Original] The installation of Trend Micro PC-Cillin Internet Security 2005 12.00 build 1244, and probably previous versions, uses insecure default ACLs, which allows local users to cause a denial of service (disabled service) and gain system privileges by modifying or moving critical program files.


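[CNNVD] Trend Micro Multiple Products Local Insecure Permissions Vulnerability (CNNVD-200512-276)

The installation of Trend Micro PC-Cillin Internet Security 2005 12.00 build 1244, and possibly earlier versions, uses insecure default ACLs; remote attackers can cause a denial of service (disabled service) and gain system privileges by modifying or moving critical program files.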

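- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3360
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3360
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-276
(Official data source) CNNVD

- Other links and resources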

http://www.idefense.com/application/poi/display?id=351&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051214 Trend Micro PC-Cillin Internet Security Insecure File Permission Vulnerability
http://www.vupen.com/english/advisories/2005/2906
(UNKNOWN)  VUPEN  ADV-2005-2906
http://www.securityfocus.com/bid/15872
(UNKNOWN)  BID  15872
http://securitytracker.com/id?1015357
(UNKNOWN)  SECTRACK  1015357
http://secunia.com/advisories/18044
(UNKNOWN)  SECUNIA  18044

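- Vulnerability information

Trend Micro Multiple Products Local Insecure Permissions Vulnerability
High risk  Design error
2005-12-14 00:00:00 2005-12-14 00:00:00
Local
The installation of Trend Micro PC-Cillin Internet Security 2005 12.00 build 1244, and possibly earlier versions, uses insecure default ACLs; remote attackers can cause a denial of service (disabled service) and gain system privileges by modifying or moving critical program files.

- Advisories and patches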

        

- Vulnerability information (F42307)

iDEFENSE Security Advisory 2005-12-14.1 (PacketStormID:F42307)
2005-12-15 00:00:00
iDefense Labs  idefense.com
advisory,local,vulnerability
CVE-2005-3360

iDEFENSE Security Advisory 12.14.05 - Local exploitation of an insecure permission vulnerability in multiple Trend Micro Inc. products allows attackers to escalate privileges or disable protection. The vulnerabilities specifically exist in the default Access Control List (ACL) settings that are applied during installation. When an administrator installs an affected Trend Micro product, the default ACL allows any user to modify the installed files. Due to the fact that some of the programs run as system services, a user could replace an installed Trend Micro product file with their own malicious code, and the code would be executed with system privileges. iDefense has confirmed the existence of this vulnerability in Trend Micro PC-Cillin Internet Security 2005 version 12.00 build 1244. It is suspected that previous versions are also vulnerable. It has been reported that InterScan VirusWall, InterScan eManager and Office Scan are also vulnerable.

Trend Micro PC-Cillin Internet Security Insecure File Permission 
Vulnerability

iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=351&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro PC-Cillin Internet Security is antivirus protection software
for home and business use. It provides complete protection, detection
and elimination of thousands of computer viruses, worms, and Trojan
Horse programs.

II. DESCRIPTION

Local exploitation of an insecure permission vulnerability in multiple
Trend Micro Inc. products allows attackers to escalate privileges or
disable protection.

The vulnerabilities specifically exist in the default Access Control
List (ACL) settings that are applied during installation. When an
administrator installs an affected Trend Micro product, the default ACL
allows any user to modify the installed files. Due to the fact that some
of the programs run as system services, a user could replace an
installed Trend Micro product file with their own malicious code, and
the code would be executed with system privileges.

III. ANALYSIS

Successful exploitation allows local attackers to escalate privileges to
the system level. It is also possible to use this vulnerability to
simply disable protection by moving all of the executable files so that
they cannot start upon a reboot. Once disabled, the products are no
longer able to provide threat mitigation, thus opening the machine up to
attack.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro PC-Cillin Internet Security 2005 version 12.00 build 1244. It is
suspected that previous versions are also vulnerable. It has been
reported that InterScan VirusWall, InterScan eManager and Office Scan
are also vulnerable.

V. WORKAROUND

Apply proper Access Control List settings to the directory that the
affected Trend Micro product is installed in. The ACL rules should be set so
that no regular users can modify files in the directory.
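
One way to check a host for the condition this workaround addresses, as an added example that is not part of the iDefense advisory: the PowerShell below lists service executables, and their directories, whose ACL grants modify-class rights to broad groups. The choice of SIDs treated as "regular users" and of the rights counted as "modify" are assumptions of the example.

```powershell
# Added example, not from the advisory. Run from an elevated prompt so that
# every service binary's ACL can be read.
# Assumption: these well-known SIDs stand in for "regular users".
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow replacing, moving or re-permissioning a file, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits, which some ACEs
# carry unmapped.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
    $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
    $fsr::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-WeakAce([string]$Path) {
    # Ask for SIDs rather than account names so the check is locale-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Path = $Path; Principal = $broadSids[$sid]
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

Get-CimInstance Win32_Service | Where-Object PathName | ForEach-Object {
    $svc = $_
    # PathName may be quoted and may carry arguments; keep only the image path.
    if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
        $exe = $Matches[1]
        # Check the file and its directory: replacing or moving needs either.
        foreach ($target in $exe, (Split-Path -Parent $exe)) {
            if ($target -and (Test-Path -LiteralPath $target)) {
                Get-WeakAce $target | Select-Object @{n = 'Service'; e = { $svc.Name } },
                    @{n = 'RunsAs'; e = { $svc.StartName } }, Path, Principal, Rights, Inherited
            }
        }
    }
} | Format-Table -AutoSize
```

Any row whose RunsAs column is LocalSystem corresponds to the situation the advisory describes: a file executed with system privileges that an unprivileged account can change.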

VI. VENDOR RESPONSE

"Trend Micro has become aware of a vulnerability related to PC-CILLIN
12. PC-cillin12 does not work correctly when configuration file and the
registry are erased intentionally.

We will release PC-cillin12.4 in December 14, 2005 by AU server. This
release will be included short term solution of changing ACL to User
authority for configuration file and registry.

And

We will create a tool for changing ACL to User authority for
configuration file and registry.

This tool can be used for both PC-cillin12 and PC-cillin14 as a same
program."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3360 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/27/2005 Initial vendor notification
10/27/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.


- Vulnerability information

21769
Trend Micro PC-cillin Internet Security Installation File Permission Privilege Escalation
Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2005-12-14 2005-10-27
Unknown Unknown

- Solution

Upgrade to version PC-cillin12.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Trend Micro Multiple Products Local Insecure Permissions Vulnerability
Design Error 15872
No Yes
2005-12-14 12:00:00 2006-03-22 05:24:00
The initial discoverer of this issue wishes to remain anonymous. It was disclosed in the referenced iDefense advisory. Dominique GREGOIRE provided information on further products and versions that are affected.

- Affected program versions

Trend Micro PC-Cillin Internet Security 2006 14.10 .1023
Trend Micro PC-Cillin Internet Security 2005 12.0 0 build 1244
Trend Micro PC-Cillin Internet Security 14 14.0.1485
Trend Micro InterScan Messaging Security Suite 5.5 .1183
Trend Micro InterScan Messaging Security Suite 5.5

- Discussion

Multiple Trend Micro products are susceptible to a local insecure-permissions vulnerability. This issue is due to the applications' failure to ensure that secure permissions are applied to their application and data files.

This issue allows local unprivileged attackers to disable the security features of the affected application, aiding them in further attacks. Attackers may also overwrite arbitrary binaries that will subsequently be executed with SYSTEM-level privileges facilitating the complete compromise of affected computers.

Trend Micro PC-Cillin Internet Security versions 2005 (12.00.1244), 14 (14.00.1485) and 2006 (14.10.0.1023) are affected. Trend Micro InterScan Messaging Security Suite (IMSS) version 5.5 build 1183 is also affected. Other products and versions may also be affected.

- Exploit


An exploit is not required.

A proof of concept (TmPfw_poc) has been provided by Gerhard Wagner <gerhard.wagner@fh-hagenberg.at>.

Please replace the TmPfw.exe file with an arbitrary executable, since Symantec isn't adding the shell code included in the proof of concept.

- Solution

A fix from the vendor is currently pending release. Contact the vendor for further information.

Reportedly, version 5.7.0.1121 of InterScan Messaging Security Suite is not affected by this issue. This has not been confirmed.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Related references

 

 
