Trend Micro roaming mode not updating
Trend Micro responded immediately, and I have been sharing information about the different issues and possible attack vectors with them since then (see the detailed timeline below).
Although Trend Micro was the most responsive vendor I have personally worked with, they do not seem to be very experienced in handling security vulnerabilities: after months of discussion it is still unclear whether they consider the reported issues vulnerabilities or "features", whether the latest release (OSCE 11) fixes any of them*, and whether there are configuration steps that could lower the risk of an attack.
As a quick test I used the installer of Total Commander, which is signed by a party that is trusted by default by , the API used for signature verification.
The test was successful: OSCE only checks that an update is signed, not who signed it.
From this point the most obvious way to gain control over the client is to hijack the update process and have the client download and execute a malicious binary as part of an update.
I monitored the client-server communication for quite some time and noticed that after a configuration change is issued on the server, a special HTTP request is sent from the server to TCP port 61832 on the client.
This is a simple GET request in the form of:

As you can see, this algorithm is basically a simple polyalphabetic cipher (similar to the Vigenère cipher), which I could easily recreate independently of the original library: after running a quick loop that encrypted 1 KB strings of every printable character (1024 times 'A', 1024 times 'B', etc.), I had a table that could be used to encrypt and decrypt virtually anything.

The only problematic part is the IP parameter, which seems to contain a hash value. You can use scripts like FindCrypt to find the MD5 routine in the binary. A logged notification looks like this:

    [jdk Notify] error=-1471291287,clinet=472bc675-3862-4e9d-9890-e3b14d4ddc3e,server=SEQ=80&DELAY=0&USEPROXY=0&PROXY=&PROXYPORT=0&PROXYLOGIN=&PROXYPWD=&SERVER=192.168.124.134&SERVERPORT=8080cc NT_Version=10.6&Pcc95_Version=10.6&Engine NT_Version=9.700.1001&Engine95_Version=&ptch Hotfix Date=20131228153813&PTNFILE=1050100&ROLLBACK=1050100&MESSAGE=20&TIME=201312281648170406&DIRECT_UPDATE=1, return -1293342568

The clinet (sic!) parameter is the GUID of the client, generated at install time.
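The two steps above, the known-plaintext table that recreates the cipher and the MD5 hypothesis for the IP parameter, as an added example in Python. This is not the post's code and not Trend Micro's library: the real OSCE cipher and its key are not given on the page, so `vendor_encrypt` is a constructed Vigenère-style stand-in that the attack treats purely as a black box, the way the post treats the original library. The attack side is the general form of the post's trick and works for any cipher in which the mapping at an offset depends only on that offset (not on neighbouring plaintext bytes). `md5_candidates` and `match_ip_param` are an assumption: the page only says the IP value looks like a hash, that the binary contains MD5, and that the `clinet` value is the install-time GUID, so the code hashes that GUID under the encodings a Windows client plausibly uses and lets you match a captured value against them. The sample message and the GUID come from the log line above; everything else is constructed.

```python
import hashlib
import string

# Plaintext alphabet the post used: every printable character (no control chars).
PRINTABLE = string.printable[:-5]          # 95 chars: digits, letters, punctuation, space
_POS = {c: i for i, c in enumerate(PRINTABLE)}
TABLE_LEN = 1024                           # the post built its table from 1 KB runs

# --- CONSTRUCTED stand-in for the vendor library (not the real OSCE cipher) ----
_SECRET_KEY = b"\x07\x13\x02\x29\x11\x3a"  # unknown to the attacker in the real scenario

def vendor_encrypt(plaintext: bytes) -> bytes:
    """Vigenere-style oracle: each byte is shifted inside the printable alphabet
    by a key byte chosen by position only. The attack below never reads the key."""
    n = len(PRINTABLE)
    out = bytearray()
    for i, b in enumerate(plaintext):
        k = _SECRET_KEY[i % len(_SECRET_KEY)]
        out.append(ord(PRINTABLE[(_POS[chr(b)] + k) % n]))
    return bytes(out)

# --- the known-plaintext table attack the post describes ----------------------
def build_tables(oracle, alphabet=PRINTABLE, length=TABLE_LEN):
    """Push `length` copies of every alphabet character through the oracle and
    record, per offset, plaintext byte -> ciphertext byte (and the inverse)."""
    enc = [dict() for _ in range(length)]
    for ch in alphabet:
        ct = oracle(ch.encode("ascii") * length)
        if len(ct) != length:
            raise ValueError("oracle changed the length; not a per-byte substitution")
        for off, cb in enumerate(ct):
            enc[off][ord(ch)] = cb
    dec = [{cb: pb for pb, cb in m.items()} for m in enc]
    return enc, dec

def encrypt(enc, plaintext: bytes) -> bytes:
    """Encrypt with the recorded table; only the first len(enc) offsets are known."""
    if len(plaintext) > len(enc):
        raise ValueError(f"message longer than the {len(enc)}-byte table")
    out = bytearray()
    for off, pb in enumerate(plaintext):
        if pb not in enc[off]:
            raise ValueError(f"byte {pb:#04x} at offset {off} is outside the recorded alphabet")
        out.append(enc[off][pb])
    return bytes(out)

def undecodable_offsets(dec, ciphertext: bytes) -> list:
    """Offsets whose ciphertext byte never appeared while building the table,
    i.e. the plaintext there used a character outside the recorded alphabet."""
    return [off for off, cb in enumerate(ciphertext[:len(dec)]) if cb not in dec[off]]

def decrypt(dec, ciphertext: bytes) -> bytes:
    """Decrypt with the inverse table; refuses rather than guessing unknown bytes."""
    if len(ciphertext) > len(dec):
        raise ValueError(f"message longer than the {len(dec)}-byte table")
    bad = undecodable_offsets(dec, ciphertext)
    if bad:
        raise ValueError(f"unobserved ciphertext bytes at offsets {bad[:5]}")
    return bytes(dec[off][cb] for off, cb in enumerate(ciphertext))

# --- hypothesis check for the IP parameter (ASSUMPTION, see lead-in) ----------
CLIENT_GUID = "472bc675-3862-4e9d-9890-e3b14d4ddc3e"   # the clinet value from the log line

def md5_candidates(guid: str) -> dict:
    """MD5 of the GUID under the encodings a Windows client plausibly hashes."""
    forms = {"lower": guid.lower(), "upper": guid.upper(),
             "braced": "{" + guid + "}", "nodash": guid.replace("-", "")}
    out = {}
    for name, s in forms.items():
        out[f"{name}/ascii"] = hashlib.md5(s.encode("ascii")).hexdigest()
        out[f"{name}/utf16le"] = hashlib.md5(s.encode("utf-16-le")).hexdigest()
    return out

def match_ip_param(guid: str, observed_hex: str) -> list:
    """Names of the candidate encodings whose MD5 equals a captured IP value."""
    target = observed_hex.strip().lower()
    return [name for name, h in md5_candidates(guid).items() if h == target]

if __name__ == "__main__":
    enc, dec = build_tables(vendor_encrypt)
    msg = b"SERVER=192.168.124.134&SERVERPORT=8080&PTNFILE=1050100"
    ct = vendor_encrypt(msg)
    print("table reproduces oracle:", encrypt(enc, msg) == ct)
    print("table inverts oracle:   ", decrypt(dec, ct) == msg)
    print("candidate hashes:", md5_candidates(CLIENT_GUID))
```

The table attack needs 95 oracle calls of 1 KB each and never touches the key, which is why the post could skip reversing the library. Its two limits are visible in the error paths: a message longer than the recorded runs cannot be handled, and a ciphertext byte that never showed up during table building (a control character in the original plaintext, for instance) is reported rather than silently mis-decoded. For the IP parameter, feed `match_ip_param` the GUID and the captured value; an empty list means none of the guessed encodings is right and the MD5 input must be found in the disassembly.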