Anti-malware company Trend Micro has patched a flaw in its password manager that could have enabled an attacker to run their own code on a user's computer with the highest possible access privileges.
Available for the iOS, Android, Windows and Mac platforms, Trend Micro Password Manager stores login credentials, features one-click login and form-filling capabilities and synchronizes with the cloud so that people can use it across different devices. It is available as a free service for up to five passwords. Users pay to store more credentials. They can buy the product on its own or as an optional part of Trend Micro's Premium Security and Maximum Security solutions.
SafeBreach found an issue with pwmSvc.exe, a central control service that runs with privileged user account status. If compromised, this could enable an attacker to escalate privileges to the system level. Because this software is signed by Trend Micro, compromising it would allow an attacker to bypass its application white list. It could also be used as a persistent attack mechanism because it automatically starts when the computer boots, SafeBreach said in its analysis.
The researchers noticed that the program tried to load a missing DLL file from the default Python directory, which can be included in the PATH environment variable (PATH is a variable that tells the computer in which directories to find executable programs).
The program relied on the PATH variable when loading the DLL instead of specifying an absolute path. It also didn't check for a digital certificate when loading DLL files.
SafeBreach researchers were able to compromise the system by adding the Python directory to the PATH variable and then using it to store an unsigned DLL file. This enabled them to piggyback their own code on Trend Micro's program, which would run it for them with elevated privileges.
An attacker could use this technique to compromise a system, they warned. "The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer," they wrote.
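The loading behaviour described above can be audited from the defender's side. The following Python is an added example, not code from the article, SafeBreach or Trend Micro: it walks the directories a Windows process would consult for a named DLL (assuming the default SafeDllSearchMode order of application directory, system directories, working directory, then PATH) and records every user-writable directory consulted before the file is found, which is where an unsigned DLL could be planted; the directory layout and DLL name it builds are constructed for illustration.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class LoadResolution:
    dll: str
    found_in: Optional[str]                              # directory that would satisfy the load, None if unresolved
    plantable: List[str] = field(default_factory=list)   # user-writable directories consulted up to the hit

def windows_search_order(app_dir: str, system_dirs: List[str], cwd: str, path_env: str) -> List[str]:
    """Directories in the order a default (SafeDllSearchMode) load consults them, deduplicated."""
    raw = [app_dir, *system_dirs, cwd, *(p for p in path_env.split(os.pathsep) if p)]
    seen, order = set(), []
    for d in raw:
        key = os.path.normcase(os.path.abspath(d))
        if key not in seen:
            seen.add(key)
            order.append(d)
    return order

def resolve_dll(dll: str, search_dirs: List[str]) -> LoadResolution:
    """Walk the search order as the loader would, noting writable directories on the way."""
    target = dll.lower()
    plantable: List[str] = []
    for d in search_dirs:
        if not os.path.isdir(d):
            continue                  # a missing PATH entry is simply skipped by the loader
        if os.access(d, os.W_OK):
            plantable.append(d)       # an unprivileged user could drop a file here
        if target in (name.lower() for name in os.listdir(d)):
            return LoadResolution(dll, d, plantable)
    return LoadResolution(dll, None, plantable)   # unresolved: every writable dir so far is a planting spot

def build_demo_layout() -> Dict[str, str]:
    """Constructed fixture (hypothetical names): an app dir, an empty System32 and a PATH-listed Python dir holding a DLL."""
    base = tempfile.mkdtemp()
    dirs = {n: os.path.join(base, n) for n in ("app", "System32", "Python27")}
    for d in dirs.values():
        os.mkdir(d)
    open(os.path.join(dirs["Python27"], "Planted.dll"), "w").close()
    return dirs

if __name__ == "__main__":
    d = build_demo_layout()
    order = windows_search_order(d["app"], [d["System32"]], d["app"], d["Python27"])
    res = resolve_dll("planted.dll", order)
    print(f"{res.dll}: served from {res.found_in}; hijackable={bool(res.plantable)}; plantable={res.plantable}")
```

Run it as the unprivileged account you want to audit, since os.access reports that account's rights; a non-empty plantable list for a DLL a privileged service loads by name is the condition the article describes.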
SafeBreach reported the flaw to Trend Micro on July 23, and the vendor patched it and released a new version on July 31. It also published a security bulletin of its own today addressing the issue.