Trend Micro Control Manager Stack BO (Jan 27, 2012)

Trend Micro Control Manager is a command center for management of virus infections and other suspicious events. It consolidates the coordination of outbreak prevention actions and management of Trend Micro products and services. Control Manager provides facilities to allow the administrator to access and manipulate it through a web interface. The web interface is composed of various Java applets, ASP and HTML pages, as well as several ISAPI libraries.

One of Trend Micro Control Manager’s components is cmdprocessor.exe. This process uses a proprietary network protocol to communicate with other remote Trend Micro components. The structure of the network messages includes a common header which contains the length of the message, an identifying string, an opcode and opcode specific data.

A stack buffer overflow vulnerability has been discovered in the Trend Micro Control Manager component cmdprocessor.exe. Upon receiving a command with a certain opcode, the vulnerable code allocates a 408-byte stack buffer to hold a string field taken from the received message. The received string is then copied into that buffer, with the null character treated as the end-of-string marker during the copy. The code does not verify that the destination buffer is large enough to hold the original string.

By supplying a message containing an oversized string in the affected field, an attacker can overwrite data on the stack, including the return address and the SEH record. A remote, unauthenticated attacker can exploit this vulnerability by sending a carefully crafted message to the vulnerable server. Successful exploitation may allow the attacker to inject and execute arbitrary code in the security context of the running service.
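As an added illustration (not code from the advisory, from SonicWALL or from Trend Micro), the C sketch below contrasts the unchecked copy described above with a bounds-checked handler for the same 408-byte stack buffer. The header layout, the opcode value and the identifying string are placeholders chosen for the example; only the 408-byte buffer size comes from the advisory.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout (constructed for this example, not the real protocol): 4-byte total length, 8-byte id string, 4-byte opcode, then opcode data. */
#define HDR_LEN        16
#define STRING_OPCODE  0x10            /* placeholder opcode for the string command */
#define FIELD_BUF_SIZE 408             /* stack buffer size named in the advisory */
static const uint8_t PROTO_ID[8] = { 'P','L','A','C','E','H','L','D' };  /* placeholder id */

/* Copy the string field of a STRING_OPCODE message into a 408-byte stack buffer.
   Returns the field length, or -1 if the message is malformed or the field would not fit. */
int handle_string_command(const uint8_t *msg, size_t msg_len)
{
    char buf[FIELD_BUF_SIZE];
    uint32_t declared_len, opcode;
    const uint8_t *nul;
    size_t field_len;
    if (msg == NULL || msg_len < HDR_LEN)
        return -1;                         /* truncated header */
    memcpy(&declared_len, msg, 4);
    memcpy(&opcode, msg + 12, 4);
    if (declared_len != msg_len || memcmp(msg + 4, PROTO_ID, 8) != 0 ||
        opcode != STRING_OPCODE)
        return -1;                         /* header disagrees with what was received */
    /* The vulnerable pattern is strcpy(buf, msg + HDR_LEN): it trusts the sender to
       place a NUL within 408 bytes. Bound the scan by the received length instead. */
    nul = memchr(msg + HDR_LEN, '\0', msg_len - HDR_LEN);
    if (nul == NULL)
        return -1;                         /* no terminator inside the message */
    field_len = (size_t)(nul - (msg + HDR_LEN));
    if (field_len + 1 > sizeof buf)
        return -1;                         /* would overflow the stack buffer */
    memcpy(buf, msg + HDR_LEN, field_len + 1);
    return (int)field_len;
}

/* Build a constructed message whose field is `chars` 'A's plus a NUL and run the handler. */
int demo_result(size_t chars)
{
    uint8_t msg[1100];
    uint32_t total = (uint32_t)(HDR_LEN + chars + 1), op = STRING_OPCODE;
    if (HDR_LEN + chars + 1 > sizeof msg)
        return -2;                         /* test input itself does not fit */
    memcpy(msg, &total, 4);
    memcpy(msg + 4, PROTO_ID, 8);
    memcpy(msg + 12, &op, 4);
    memset(msg + HDR_LEN, 'A', chars);
    msg[HDR_LEN + chars] = '\0';
    return handle_string_command(msg, HDR_LEN + chars + 1);
}
```

A 407-character field (plus terminator) is the largest the handler accepts; anything longer is rejected before the copy rather than spilling past the buffer.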

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature was released:

  • 7317 – Trend Micro Control Manager Buffer Overflow

In addition to the signature released specifically to cover this issue, SonicWALL has numerous existing IPS signatures that detect and block known exploitation techniques and shellcode patterns that are likely to be used in attacks against vulnerabilities like this one. These signatures proactively detect and block exploits targeting new vulnerabilities.

This vulnerability has been assigned the identifier CVE-2011-5001 by MITRE.
The vendor has released an advisory addressing this issue.
