Tuesday 13 October 2020

Bypassing Trend Micro Web Threat Protection via Punycode

Summary: It was identified that Trend Micro web threat protection can be bypassed using puny-code and was tested under macOS 10.15.4 (19E287).

Technical Analysis: Trend Micro antivirus for macOS has an additional feature called web threat protection which has three main components. [1]

Enable Web Threat Protection: When enabled, web threat protection starts checking the reputation scores of user requested web sites. Depending on the results, Trend Micro security (for Macintosh) will either deny or allow access to the requested web site. Enabling or disabling web threat protection from this screen enables or disables web threat protection on the protection status screen.

Protection Strength: Select High, Medium, or Low.

Approved Websites: Contains a list of user or administrator approved web sites. Security (for Macintosh) will not block web sites that are on the approved websites list.

We will be focusing on "approved websites" component which allows users or administrators to add URLs which needs to be blocked, having said that it was observed that this functionality can be abused by puny-code and leads to WTP bypass. 

http*://*.gооgle.com/* --> (#1 Fake google.com)
http*://*.google.com/* --> (#2 Real google.com)
The above #1 utilizes puny-code with the combination of english and russian characters when such URLs are added under web threat protection, Trend Micro antivirus cannot render puny-code. Hence user will still be able to browse those blocked URLs, below is the video proof of concept demonstratingthis attack.

Remediation: Trend Micro security team fixed this vulnerablity in Antivirus for Mac (2021) by URL filtering for such domains or a puny-code domain name conversion. A offical advisory was published and CVE-2020-25779 was assigned to this.

0 coment�rios:

Post a Comment