Trend Micro Password Manager Discloses Passwords via Leaky Node.js Server

Exterminator (Thread author)
Oct 23, 2012
Google's Project Zero researcher, Tavis Ormandy, has yet again discovered a security bug in one of the world's leading antivirus engines, this time in Trend Micro's Antivirus for Windows.

According to Mr. Ormandy's findings, when installing the Trend Micro Antivirus for Windows, the company's Password Manager application, which comes bundled with the main antivirus, is also installed.

The application, used as a side feature to the main antivirus, is used to store passwords and works just like any other password manager application.

Trend Micro's Password Manager is written mainly in JavaScript, and it works by starting a Node.js server on the local computer every time the main antivirus starts.

RCE bug allows total system compromise
As Mr. Ormandy discovered, this server opens multiple HTTP RPC ports for handling API requests coming from other applications querying or interacting with information stored in Trend Micro's Password Manager.

Available at "http://localhost:49155/api/", Mr. Ormandy discovered that attackers could craft malicious links that when clicked by a user that has a Trend Micro antivirus installed, would allow a malicious party to execute arbitrary code on the local computer.

Depending on the hacker's skill level, various levels of attacks can be carried out via this entry point.

Besides reporting the issue to Trend Micro's team and helping them create a patch for this issue, Mr. Ormandy also discovered that the Trend Micro Password Manager exposes around 70 APIs through this same Node.js server.

Leaky Password Manager is leaky
During his research, he was able to steal encrypted passwords from the password manager application, expose the domains for each encrypted password entry, and also decrypt passwords, using one of the exposed Node.js APIs, responsible for decrypting passwords inside the Password Manager application itself.

Theoretically, an attacker could create a malicious link that chained all these exploits. The attacker would only have to send this malicious link via email, or embed it in a Web page, which if clicked by a Trend Micro user would steal all his passwords and send them to a remote server, under the attacker's control.

No details were given about which Trend Micro Antivirus and Password Manager versions were vulnerable, but a new release has been put out to fix these flaws, so just update your Trend Micro Antivirus to the latest version.

Previously, Mr. Ormandy has discovered security issues in other antivirus engines like AVG, FireEye, Kaspersky, Avast, and ESET.
 

Rishi
Dec 3, 2015
Every software will have a flaw... made by a human, and to err is human, but love Tavis Ormandy for his work, exposing glitches which could compromise millions of users if found and developed exploitably by unethical hackers. Hope this gets fixed soon.

CMLew
Oct 30, 2015
It's a good finding at least. Just make sure the holes are patched immediately especially those big holes.
Imagine if it is not uncovered, you have no idea how many "mass online casualties" you'll have...
 

jamescv7
Mar 15, 2011
Well, it depends on the component used for developing a program; sometimes when there's a confirmed vulnerability, it should provide mitigation techniques to avoid it. However, since it's a password manager, you may steer away from it for the moment until everything is resolved.
 
