vulnerability bulletin CVE-2009-0686
Trend Micro IS: privilege elevation via tmactmon.sys
Synthesis of the vulnerability
A local attacker can use METHOD_NEITHER to elevate his privileges via Trend Micro Internet Security.
Impacted products: Trend Micro Internet Security.
Severity: 2/4.
Creation date: 31/03/2009.
Identifiers: CVE-2009-0686, Positive Technologies SA 2009-09, PT-2009-09, VIGILANCE-VUL-8578.
Description of the vulnerability
The tmactmon.sys (TrendMicro Activity Monitor) driver is installed by Trend Micro Internet Security, and is reachable by all users via \Device\tmactmon.
The NtDeviceIoControlFile() function is used to send an I/O control request to a driver. Its IoControlCode parameter indicates the input/output mode:
- METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT: use an IRP buffer prepared by the I/O manager
- METHOD_NEITHER: directly uses the caller's virtual memory addresses
When the METHOD_NEITHER mode is used, the I/O manager performs no validation, so the driver itself has to check the memory addresses supplied by the caller.
However, tmactmon.sys does not check addresses. An attacker can therefore use as input a malicious buffer, and as output a kernel memory address. His malicious data are thus written to the privileged kernel address by the driver.
A local attacker can therefore use METHOD_NEITHER to elevate his privileges via Trend Micro Internet Security.
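The check the bulletin says tmactmon.sys omits, as an added user-mode model that is not Trend Micro's code: decode the method bits of IoControlCode and apply ProbeForRead/ProbeForWrite-style validation to the caller-supplied input and output addresses before the driver touches them. The boundary constant (modelled on the x64 MmUserProbeAddress value), the status codes returned instead of raised, and the sample IOCTL code in the comments are assumptions for the model; a real driver calls ProbeForRead/ProbeForWrite inside __try/__except.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Low two bits of an IoControlCode select the transfer method (CTL_CODE layout). */
#define METHOD_BUFFERED    0u
#define METHOD_IN_DIRECT   1u
#define METHOD_OUT_DIRECT  2u
#define METHOD_NEITHER     3u
#define IOCTL_METHOD(code) ((code) & 3u)

/* NTSTATUS values used by the model. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* Assumed user/kernel boundary, standing in for MmUserProbeAddress (x64 value).
   Everything at or above it is kernel memory and must never be probed successfully. */
#define USER_PROBE_ADDRESS ((uintptr_t)0x00007FFFFFFF0000ULL)

/* Same contract as ProbeForRead/ProbeForWrite: the whole range [addr, addr+len)
   must lie below the boundary and addr must honour the alignment. Returns a
   status instead of raising an exception so the model runs outside the kernel. */
static uint32_t probe_user_range(uintptr_t addr, size_t len, size_t align) {
    if (len == 0) return STATUS_SUCCESS;                 /* zero-length ranges are accepted */
    if (align == 0 || (addr % align) != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr >= USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    if (len > USER_PROBE_ADDRESS - addr) return STATUS_ACCESS_VIOLATION; /* end crosses or wraps */
    return STATUS_SUCCESS;
}

/* Validates one request before any copy. For the three buffered/direct methods
   the I/O manager has already validated and copied or locked the buffers, so the
   driver probes only when the method bits say METHOD_NEITHER. In that mode the
   input pointer arrives as Type3InputBuffer and the output pointer as Irp->UserBuffer;
   the bulletin's flaw is a driver that writes through the latter without this step. */
static uint32_t validate_neither_ioctl(uint32_t code,
                                       uintptr_t in_addr, size_t in_len,
                                       uintptr_t out_addr, size_t out_len) {
    if (IOCTL_METHOD(code) != METHOD_NEITHER) return STATUS_SUCCESS;
    uint32_t st = probe_user_range(in_addr, in_len, 1);  /* caller's input buffer */
    if (st != STATUS_SUCCESS) return st;
    return probe_user_range(out_addr, out_len, 1);       /* caller's output buffer */
}
```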