Trend Micro Control Manager CmdProcessor.exe Remote Buffer Overflow (uncredentialed check)

Critical Nessus Plugin ID 57765

Synopsis

The remote host contains a web application that allows remote code execution.

Description

The Trend Micro Control Manager running on the remote host is missing Critical Patch 1613. As such, the included CmdProcessor.exe component is affected by a remote stack buffer overflow vulnerability in the 'CGenericScheduler::AddTask' function of cmdHandlerRedAlertController.dll. By sending a specially crafted IPC packet to the service, which listens by default on TCP port 20101, an unauthenticated, remote attacker could leverage this issue to execute arbitrary code in the context of the user under which the service runs, which is SYSTEM by default.

Note that this script tries to kill the CmdProessor.exe process, but it will restart if it dies.

Solution

Upgrade to Trend Micro Control Manager 5.5 if necessary and apply Critical Patch 1613.

See Also

http://www.zerodayinitiative.com/advisories/ZDI-11-345

http://seclists.org/fulldisclosure/2011/Dec/204

http://www.nessus.org/u?5a60584c

Plugin Details

Severity: Critical

ID: 57765

File Name: tmcm_cmdprocessor_addtask_bof_remote.nbin

Version: $Revision: 1.28 $

Type: remote

Published: 2012/01/24

Modified: 2018/05/21

Dependencies: 57764

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/11/10

Vulnerability Publication Date: 2011/11/10

Exploitable With

Core Impact

Metasploit (TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow)

Reference Information

CVE: CVE-2011-5001

BID: 50965

EDB-ID: 18514