Trend Micro ServerProtect for Windows (SpntSvc.exe) StRpcSrv.dll Arbitrary Remote Code Execution

Critical Nessus Plugin ID 29724


It is possible to execute code on the remote host through the antivirus agent.


The remote version of Trend Micro ServerProtect exposes multiple insecure methods through its RPC interface that let an unauthenticated remote attacker list, read and write to arbitrary files on the affected host.

By sending legitimate requests to the remote service, an attacker may be able to exploit those functions to execute code with SYSTEM privileges.


Reports suggest that the issues have been addressed in Security Patch 5 rather than 4 as ZDI states.

See Also

Plugin Details

Severity: Critical

ID: 29724

File Name: trendmicro_serverprotect_file.nbin

Version: $Revision: 1.69 $

Type: remote

Agent: windows

Family: Windows

Published: 2007/12/18

Modified: 2018/02/06

Dependencies: 24679

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

Required KB Items: Antivirus/TrendMicro/ServerProtect

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2007/07/27

Vulnerability Publication Date: 2007/12/17

Exploitable With

Core Impact

Metasploit (TrendMicro ServerProtect File Access)

Reference Information

CVE: CVE-2007-6507

BID: 26912

OSVDB: 44318

CWE: 264