Recently it was discovered that TrendMicro Antivirus installs the TrendMicro Password Manager by default. This in itself is fine, as a password manager is probably a good idea for many users. The problem? They open up a web server on the local machine with a number of security problems, and on top of that provides a convenient, simple method for querying and decrypting user passwords – and all you need is to be able to connect to that port on the users computer (but don’t worry, you can do that from any website they visit in the unfortunate event you have not already infiltrated the users network.)
The timing on this discovery is convenient, as it fits nicely into the ongoing issue of developers simply not thinking about security. Especially with the advent of the Internet of Things, this problem has become increasingly apparent with the likes of web cams that happily wait around on the internet for casual observers, etc… Ironically, the developers in question were even releasing a security product.
So what was the exploit? Well two exploits that could be used to perform remote code execution were identified and responsibly disclosed to TrendMicro. The first was related to an API that – get this – is designed to allow arbitrary URLs to be opened in a browser, called
openUrlInDefaultBrowser. According to the bug reporter this API call eventually maps to a
http://localhost:49155 with the correct arguments and the script will get executed. Sure, the browser security policy won’t allow you to see the response – but it will still perform the request. The second code execution vulnerability was in the
showSB API, and was similar to the first. The bug reporter then speculated that the rest of the application was likely riddled with slightly less obvious problems in the roughly 70 APIs exposed by the server.
I also mentioned that the web server provided a convenient method for browsing and decrypting user passwords. First use one of the above exploits to query for the list of user passwords by domain (the above exploits execute in an environment with full access to the password database) then place a call to the
decryptString API and voila!
Fortunately for an attentive observer there are a few lessons that can be learned from this:
Don’t trust “secure” software just because of encryption
The TrendMicro Password Manager site advertises that passwords are stored securely – and they aren’t lying – the passwords are definitely encrypted. It’s just that the software itself is an open book to anyone interested in your passwords.
Don’t trust claims of security
The only security claims that are remotely valid are those that have been verified by a reputable, independent security consultant. These consultants will go through the entire architecture of the offering, including source code, and validate that a companies claims of security are reasonably supported. Even then, this isn’t a guarantee – it just means that they aren’t doing anything obviously insecure.
Beware the “Tyranny of the Default”
Steve Gibson, a security researcher coined the term “Tyranny of the Default” to refer to the fact that most default settings are left as they are – not configured. This means that software installed by default, or insecure settings applied by default are more prevalent than their alternatives. Why has Internet Explorer on Windows been exploited so much, especially looking back before the rise of Chrome? It was the default browser and was (and still is) used by millions, so it was a very obvious piece of software to attack. Always examine the default settings and determine if you really do want them, or in this case, a bad password manager.
So what does TrendMicro need to do in the face of these problems? Well, fix them obviously. In fact because you can see the bug report (linked below) it means that TrendMicro has already released a patch for some of the vulnerabilities discussed. Unfortunately for them it is obvious that this whole problem could have been easily mitigated by simply not creating an HTTP server accessible to all. Another possible mitigation would be to have their software independently audited before it is released. As it is the true effects of these vulnerabilities have yet to be ascertained. If TrendMicro can have the fixes deployed to all of its customers with extreme haste it may be possible to nearly eliminate impact. This is unlikely however because, as the bug reporter points out, the only way to reliably prevent more exploits in this poor codebase would be to disable this server completely, and lose any functionality attached.
In the meantime anybody is free to download the password manager software, install it (on a virtual machine please), and take a look at the source code as it is written in NodeJS. And if you had to ask, no, that’s not what “Open Source” means.