Trend Micro ServerProtect for Windows (SpntSvc.exe) StRpcSrv.dll Arbitrary Remote Code Execution

critical Nessus Plugin ID 29724

Synopsis

It is possible to execute code on the remote host through the antivirus agent.

Description

The remote version of Trend Micro ServerProtect exposes multiple insecure methods through its RPC interface that let an unauthenticated remote attacker list, read and write to arbitrary files on the affected host.

By sending legitimate requests to the remote service, an attacker may be able to exploit those functions to execute code with SYSTEM privileges.

Solution

Reports suggest that the issues have been addressed in Security Patch 5 rather than 4 as ZDI states.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-07-077/

https://seclists.org/bugtraq/2007/Dec/220

Plugin Details

Severity: Critical

ID: 29724

File Name: trendmicro_serverprotect_file.nbin

Version: 1.207

Type: remote

Agent: windows

Family: Windows

Published: 12/18/2007

Updated: 3/26/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2007-6507

Vulnerability Information

Required KB Items: Antivirus/TrendMicro/ServerProtect

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/27/2007

Vulnerability Publication Date: 12/17/2007

Exploitable With

Core Impact

Metasploit (TrendMicro ServerProtect File Access)

Reference Information

CVE: CVE-2007-6507

BID: 26912

CWE: 264