The security expert and bug-hunter John “hyp3rlinx” Page discovered an arbitrary code execution vulnerability, tracked as CVE-2019-9491, in the Trend Micro Anti-Threat Toolkit.
Trend Micro ATTK allows analyzing malware issues and clean infections. It can be used to perform system forensic scans and clean various types of infections.
The vulnerability could be exploited by attackers to run malware on target Windows computers.
“Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of “cmd.exe” or “regedit.exe” and the malware can be placed in the vacinity of the ATTK when a scan is launched by the end user.” reads the advisory published by the expert. “Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as each time the Anti-Threat Toolkit is run so can an attackers malware. Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.)”
The expert discovered that is possible to trick the Trend Micro Anti-Threat Toolkit into executing any malicious code when it is named “cmd.exe” or “regedit.exe.”
An attacker that is able to save a malicious file with the above filenames on the target’s PC running the ATTK could exploit the flaw.
Below a video proof of concept of the attack:
The expert also published a PoC exploit code in the advisory.
Below the vulnerability timeline:
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Anti-Threat Toolkit, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
This website uses cookies.