Multiple software vulnerabilities in Trend Micro DirectPass 1.5.0.1060


The Vulnerability Laboratory Research Team discovered multiple software vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 software.

Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure location, so you only need to remember one password. Other features include keystroke encryption, secure password generation, automatic form-filling, confidential notes, and a secure browser.

The first vulnerability is a local command injection vulnerability that allows local, low-privileged system user accounts to inject system-specific commands or local path requests to compromise the software.

The second security flaw discovered by Vulnerability-Lab is a persistent input validation vulnerability that allows local attackers with a low-privileged system user account to inject malicious script code that persists on the application side of the software.

The third is a critical pointer vulnerability (DoS) that allows local attackers with a low-privileged system user account to crash the software.

While the local path injection vulnerability has been marked as a high-risk bug, the other vulnerabilities have been marked as medium-risk bugs.

After receiving notification from Vulnerability-Lab researchers, Trend Micro fixed the vulnerability on 2013-05-15.

The technical details and proof-of-concept can be found here.