Trend Micro Control Manager CmdProcessor.exe Remote Buffer Overflow (uncredentialed check)

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote host contains a web application that allows remote code
execution.

Description :

The Trend Micro Control Manager running on the remote host is missing
Critical Patch 1613. As such, the included CmdProcessor.exe component
is affected by a remote stack buffer overflow vulnerability in the
'CGenericScheduler::AddTask' function of
cmdHandlerRedAlertController.dll. By sending a specially crafted IPC
packet to the service, which listens by default on TCP port 20101, an
unauthenticated, remote attacker could leverage this issue to execute
arbitrary code in the context of the user under which the service runs,
which is SYSTEM by default.

Note that this script tries to kill the CmdProcessor.exe process, but the
process will restart if it dies.

See also :

http://www.zerodayinitiative.com/advisories/ZDI-11-345
http://archives.neohapsis.com/archives/fulldisclosure/2011-12/0197.html
http://www.nessus.org/u?5a60584c

Solution :

Upgrade to Trend Micro Control Manager 5.5 if necessary and apply
Critical Patch 1613.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Gain a shell remotely

Nessus Plugin ID: 57765

Bugtraq ID: 50965

CVE ID: CVE-2011-5001