Trend Micro Control Manager Stack BO

January 27, 2012

Trend Micro Control Manager is a command center for management of virus infections and other suspicious events. It consolidates the coordination of outbreak prevention actions and management of Trend Micro products and services. Control Manager provides facilities to allow the administrator to access and manipulate it through a web interface. The web interface is composed of various Java applets, ASP and HTML pages, as well as several ISAPI libraries.

One of Trend Micro Control Manager's components is cmdprocessor.exe. This process uses a proprietary network protocol to communicate with other remote Trend Micro components. Each network message begins with a common header that contains the length of the message, an identifying string, an opcode and opcode-specific data.

A stack buffer overflow vulnerability has been discovered in the Trend Micro Control Manager component cmdprocessor.exe. Upon receiving a command with a certain opcode, the vulnerable code allocates a stack buffer of 408 bytes to store a string field value provided in the received message. The received string is then copied into the buffer, with the null character serving as the only end-of-string marker during the copy. The code fails to verify that the destination buffer is large enough to hold the original string.

When a message contains a large string in the affected field, data on the stack is overwritten, including the return address and the SEH. A remote, unauthenticated attacker can exploit this vulnerability by sending a carefully crafted message to the vulnerable server. Successful exploitation may allow the attacker to cause a stack buffer overflow, potentially injecting and executing arbitrary code in the security context of the running service.
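The following added example (not Trend Micro's code and not part of the original advisory) contrasts the unchecked copy described above with a bounds-checked version that rejects the message instead of overflowing. The function names and the field/remaining-length parameters are assumptions; only the 408-byte buffer size comes from the advisory.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_BUF_SIZE 408  /* stack buffer size stated in the advisory */

/* Unsafe pattern described in the advisory: copy until the NUL byte with
 * no check against the destination size. Shown for contrast; never called. */
void copy_field_unchecked(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Hardened form (hypothetical helper): the string must terminate inside
 * the bytes actually received AND fit in the destination, terminator
 * included. Returns 0 on success, -1 if the message must be rejected. */
int copy_field_checked(char *dst, size_t dst_size,
                       const unsigned char *field, size_t field_remaining)
{
    const unsigned char *nul;
    size_t len;

    if (dst == NULL || field == NULL || dst_size == 0)
        return -1;
    nul = memchr(field, '\0', field_remaining);
    if (nul == NULL)
        return -1;              /* unterminated: copy would read past the message */
    len = (size_t)(nul - field);
    if (len >= dst_size)
        return -1;              /* string plus NUL does not fit in the buffer */
    memcpy(dst, field, len + 1);
    return 0;
}

/* Hypothetical opcode handler: returns the stored string length,
 * or -1 when the field is rejected. */
int handle_string_field(const unsigned char *field, size_t field_remaining)
{
    char buf[FIELD_BUF_SIZE];

    if (copy_field_checked(buf, sizeof buf, field, field_remaining) != 0)
        return -1;
    return (int)strlen(buf);
}
```

Bounding the search by the bytes remaining in the message matters as much as the destination check: a field without a terminator would otherwise cause an out-of-bounds read before any write occurs.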

SonicWALL has released an IPS signature to detect and block generic attack attempts targeting this vulnerability. The following signature was released:

  • 7317 - Trend Micro Control Manager Buffer Overflow

In addition to the signature released specifically to cover this issue, SonicWALL has numerous existing IPS signatures that detect and block known exploitation techniques and shellcode patterns likely to be used in attacks against vulnerabilities like this one. These signatures proactively detect and block exploits targeting new vulnerabilities.

This vulnerability has been assigned the ID CVE-2011-5001 by MITRE.
The vendor has released an advisory addressing this issue.