Vulnerabilities > CVE-2007-0856 - Local Privilege Escalation vulnerability in Trend Micro AntiVirus Scan Engine TMComm

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
trend-micro
nessus

Summary

TmComm.sys 1.5.0.1052 in the Trend Micro Anti-Rootkit Common Module (RCM), with the VsapiNI.sys 3.320.0.1003 scan engine, as used in Trend Micro PC-cillin Internet Security 2007, Antivirus 2007, Anti-Spyware for SMB 3.2 SP1, Anti-Spyware for Consumer 3.5, Anti-Spyware for Enterprise 3.0 SP2, Client / Server / Messaging Security for SMB 3.5, Damage Cleanup Services 3.2, and possibly other products, assigns Everyone write permission for the \\.\TmComm DOS device interface, which allows local users to access privileged IOCTLs and execute arbitrary code or overwrite arbitrary memory in the kernel context.

Nessus

NASL familyWindows
NASL idTRENDMICRO_TMCOMM_INSECURE_PERMISSION.NASL
descriptionThe version of tmcomm.sys installed on the remote system is affected by a local privilege escalation vulnerability. The issue exists due to insecure permissions on Tmcomm.sys which allows write access to
last seen2020-06-01
modified2020-06-02
plugin id24682
published2007-02-21
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/24682
titleTrend Micro Multiple Products TmComm.sys IOCTL Handler Local Privilege Escalation
code
#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(24682);
  script_version("1.18");
  script_cvs_date("Date: 2018/08/01 17:36:15");

  script_cve_id("CVE-2007-0856");
  script_bugtraq_id(22448);
  script_xref(name:"CERT", value:"282240");
  script_xref(name:"CERT", value:"666800");

  script_name(english:"Trend Micro Multiple Products TmComm.sys IOCTL Handler Local Privilege Escalation");
  script_summary(english:"Checks if vulnerable version of tmcomm.sys is installed");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a local privilege escalation
issue.");
  script_set_attribute(attribute:"description", value:
"The version of tmcomm.sys installed on the remote system is affected
by a local privilege escalation vulnerability. The issue exists due to
insecure permissions on Tmcomm.sys which allows write access to
'everyone' group on the remote system. Successful exploitation of this
issue could lead to arbitrary code execution with SYSTEM privileges.");
  # https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=469
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?13a3190c");
  script_set_attribute(attribute:"see_also", value:"http://esupport.trendmicro.com/solution/en-us/1034432.aspx");
  script_set_attribute(attribute:"solution", value:"Update the Anti-Rootkit Common Module (RCM) to version 1.600-1052.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/02/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("audit.inc");
include("smb_hotfixes.inc");


name    =  kb_smb_name();
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();



if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
winroot = hotfix_get_systemroot();
if(isnull(winroot)) exit(0);

share  = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:winroot);
windir = ereg_replace(pattern:"^[A-Za-z]:(.*)$", replace:"\1", string:winroot);

# Connect to the appropriate share.

  rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
  if (rc != 1)
  {
    NetUseDel();
    exit(0);
  }

file = windir + '\\system32\\drivers\\tmcomm.sys';

fh = CreateFile(file:file, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);

v = NULL;
if (!isnull(fh))
{
  v = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}

NetUseDel();

if ( !isnull(v) &&
    ( (v[0] == 1 && v[1] < 6) ||
    (v[0] == 1 && v[1] == 6 && v[2] == 0 && v[3] < 1052) ))
  {
 info = string (
		'Version ', v[0], ".", v[1], ".", v[2], ".", v[3],  ' of tmcomm.sys is installed on the remote\n',
		'host under the following path :\n',
		'\n',
		'  ', winroot + '\\system32\\drivers\\tmcomm.sys'
		);

 report = string(
		"\n",
		info,"\n"
  		);
 security_hole(port:port, extra:report);
}