Trend Micro Password Manager DLL Hijack
Trend Micro Password Manager managed website passwords and login IDs in one secure location.
A DLL Hijacking vulnerability has been discovered in the official Trend Micro Password Manager. DLL Hijacking vulnerability is not difficult to find and exploit if an application has this issue.
Vulnerability Details
The “tmtap.dll” file that is loaded by PwmSvc process that is service of Trend Micro Password Manager However, this file does not exist in the folder where PwmSvc.exe locates.
PwmSvc service process will load tmtap.dll file but this DLL does not exist in PwmSvc.exe’s folder. So, PwmSvc.exe will find this DLL file in Environment folders. A local user can exploit this issue by placing a malicious tmtap.dll file in a writeable Environment folder.
Steps to exploit:
- Creates a small “tmtap.dll” file and place to any writeable Environment folder. When this DLL file is loaded, the “calc.exe” will be executed as system privilege. In the case the folder is “C:\Python37”, it is an Environment folder.
- PwmSvc.exe process will load “C:\Python37\tmtap.dll”
Service that causes vulnerability: PwmSvc.exe
DLL that is dynamically tested and succeeded: tmtap.dll
Affected Products
Trend Micro Password Manager for Windows below 5.0.0.1058
Timeline:
- 03/July/2019: Reported Vulnerability to Trend Micro
- 05/July/2019: Trend Micro acknowledged the Vulnerability
- 01/Aug/2019: Vulnerability Fixed (Version of Trend Micro Password Manager 5.0.0.1058)
- 13/Aug/2019: Trend Micro has assigned the following CVE ID for my submission: CVE-2019–14687
- 14/Aug/2019: Trend Micro has published a security bulletin: https://esupport.trendmicro.com/solution/en-US/1123396.aspx
Trần Văn Khang (aka Khang Kì Tổ) — Infiniti Team, VinCSS (a member of Vingroup)