Showing posts with label Trend Micro. Show all posts
Showing posts with label Trend Micro. Show all posts

Tuesday 13 October 2020

Bypassing Trend Micro Web Threat Protection via Punycode

Summary: It was identified that Trend Micro web threat protection can be bypassed using puny-code and was tested under macOS 10.15.4 (19E287).

Technical Analysis: Trend Micro antivirus for macOS has an additional feature called web threat protection which has three main components. [1]

Enable Web Threat Protection: When enabled, web threat protection starts checking the reputation scores of user requested web sites. Depending on the results, Trend Micro security (for Macintosh) will either deny or allow access to the requested web site. Enabling or disabling web threat protection from this screen enables or disables web threat protection on the protection status screen.

Protection Strength: Select High, Medium, or Low.

Approved Websites: Contains a list of user or administrator approved web sites. Security (for Macintosh) will not block web sites that are on the approved websites list.

We will be focusing on "approved websites" component which allows users or administrators to add URLs which needs to be blocked, having said that it was observed that this functionality can be abused by puny-code and leads to WTP bypass. 

http*://*.gоо* --> (#1 Fake
http*://** --> (#2 Real
The above #1 utilizes puny-code with the combination of english and russian characters when such URLs are added under web threat protection, Trend Micro antivirus cannot render puny-code. Hence user will still be able to browse those blocked URLs, below is the video proof of concept demonstratingthis attack.

Remediation: Trend Micro security team fixed this vulnerablity in Antivirus for Mac (2021) by URL filtering for such domains or a puny-code domain name conversion. A offical advisory was published and CVE-2020-25779 was assigned to this.

Wednesday 13 February 2019

Say OK Google!

Hi Internet,

Summary: The inbuilt applock of Dr. Safety can be bypassed locally by saying "OK Google" and then viewing the activity pane, which was left unpatched by TrendMicro.

Img Src:

After finding Same Origin Policy Bypass in Trend Micro Dr. Safety for Android (Consumer), I started digging more on this application. It also has a feature of applock which enables users to lock their respective applications via secure pin or fingerprint.

This may not be a great bug because only a local attacker can exploit the issue, but the steps to reproduce this issue was innovative (personal opinion).

Steps to reproduce:
1. Lock all your apps using Dr. Safety app lock. (Google, Gmail, Slack etc.)
2. Once all applications are locked by Dr. Safety app lock, Say OK Google. (Assuming your OK Google service is also locked it will ask for pin or pattern).
3. But continue saying such as "My emails from Sanjay"
4. In background "OK Google" replies "This is what i found ...." (However, still we cant see the data because Dr. Safety app is asking for pin/pattern #Step2).
5. Now, just try closing that window by using activity pane. (Which actually allows you to close all running apps).
6. Bingo! In app preview you will see the glimpse of email from "Sanjay" or Mr.XYZ. Below PoC for reference.


I believe from a malicious attacker's perspective, the application still fails to prevent exposure of other applications which are being locked by Dr Safety, thus leaking such confidential information, which in my opinion is a concern.

I went ahead and spent some time by analyzing the APK file and found AppLockMain.xml file can be responsible for this issue.

As a recommendation, I can suggest that when the user accesses the activity pane using the hardware/software buttons on the phone, the Dr. Safety app can detect if it's running in the background and use a screen overlay of it's own to mask the other applications which are being display in the activity pane.

Alternative applock:
and guess what? there is an alternative app in playstore which also locks the recent app list (activity pane) in the same fashion which i mentioned above. So Norton App Lock from play store allows users to lock their activity pane also in such case the above attack scenario will be failed.

Trend Micro security team left this issue unpatched and replied:
* User could easily clear all recent activities.
* On Android 7 and above, users could easily dismiss the ‘draw over other apps’ in status bar, so the page blocked ‘Recent’ will be dismissed. Thus, we could not provide this enhancement efficiently.
I hope you like the read.

Thank you