Details: ======== 1.1 A local command injection vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software. The vulnerability allows local low privileged system user accounts to inject system specific commands or local path requests to compromise the software. The vulnerability is located in the directpass master password setup module of the Trend Micro InstallWorkspace.exe file. The master password module of the software allows users to review the included password in the secound step for security reason. The hidden protected master password will only be visible in the check module when the customer is processing to mouseover onto the censored password field. When the software is processing to display the hidden password in plain the command/path injection will be executed out of the not parsed master password context in the field listing. Exploitation of the vulnerability requires a low privileged system user account with directpass access and medium or high user interaction. Successful exploitation of the vulnerability results in software and system process compromise or execution of local system specific commands and path requests. Vulnerable File(s): [+] InstallWorkspace.exe Vulnerable Module(s): [+] Setup Master Password Vulnerable Parameter(s): [+] Master Password Affected Module(s): [+] Check Listing (Master Password) 1.2 A persistent input validation vulnerability is detected in the official Trend Micro DirectPass v1.5.0.1060 Software. The bug allows local attackers with low privileged system user account to implement/inject malicious script code on application side (persistent) of the software. The persistent web vulnerability is located in the directpass check module when processing to list a manipulated master password. In step one injects a malicious iframe in the hidden fields as master password. The inserted context will be saved and the execution will be in the next step when processing to list the master password context in the last check module. To bypass the validation the and execute the injected script code the attacker needs to split (%20) the input request. Exploitation of the vulnerability requires medium user interaction and a low privileged system user account with directpass. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), persistent phishing, persistent external redirects to malware or scam and persistent web context manipulation of the affected vulnerable module. Vulnerable File(s): [+] InstallWorkspace.exe Vulnerable Module(s): [+] Setup Master Password Vulnerable Parameter(s): [+] Master Password Affected Module(s): [+] Check Listing (Master Password) 1.3 A critical pointer vulnerability (DoS) is detected in the official Trend Micro DirectPass v1.5.0.1060 Software. The bug allows local attackers with low privileged system user account to crash the software via pointer vulnerability. The pointer vulnerability is also located in the directpass master password listing section. Attackers can inject scripts with loops to mouseover multiple times the hidden password check listing of the master password. The result is a stable cash down of the InstallWorkspace.exe. The problem occurs in the libcef.dll (1.1.0.1044) of the trend micro directpass software core. Vulnerable File(s): [+] InstallWorkspace.exe Vulnerable Library: [+] libcef.dll (Dynamic Link Library) Vulnerable Module(s): [+] Check Listing (Master Password) Vulnerable Parameter(s): [+] Master Password Proof of Concept: ================= 1.1 The code injection vulnerability can be exploited by local attackers with privileged system user account and medium or high user interaction. For demonstration or reproduce ... PoC: B%20>">../;'[COMMAND|PATH INJECT!]> Example Path: C:\Users\BKM\TrendMicro DirectPass Note: The bug allows attackers to request local restricted folders with the system software privileges to manipulate software files and the bound dynamic link libraries. 1.2 The persistent script code inject web vulnerability can be exploited by local attackers with privileged system user account and medium or high user interaction. For demonstration or reproduce ... PoC: (Input) B%20>"