Talos Vulnerability Report

TALOS-2021-1239

Trend Micro Inc. Home Network Security tdts.ko TRF file-parsing denial-of-service vulnerability

April 22, 2021
CVE Number

None

Summary

A denial-of-service vulnerability exists in the tdts.ko TRF file-parsing functionality of Trend Micro Inc.’s Home Network Security 6.1.567. A specially crafted file can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Trend Micro, Inc. Home Network Security 6.1.567

Product URLs

Home Network Security - https://www.trendmicro.com/en_us/forHome/products/homenetworksecurity.html

CVSSv3 Score

7.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Details

The Home Network Security Station is a device used to monitor and protect home networks from security threats as well as offer simple network management features. The Station provides vulnerability scanning, web threat protection, intrusion prevention, as well as device-based access control for all devices on a home network.

This vulnerability is caused by the TRF parser within tdts.ko using data from the TRF file to calculate offsets into memory, blindly trusting user-provided data within the kernel. When a supplied offset does not point to valid kernel memory, an out-of-bounds read triggers a page fault and the kernel panics.

The TRF file containing the rules provided by Trend Micro is packed at rest; both encryption and compression are used in the packing process. Once unpacked, the TRF file contains 8 unique sections that are parsed by tdts.ko. Each section contains unique information used by the deep packet inspection engine to enforce rules: some sections contain application IDs and protocol IDs, and others include information regarding IDS rules. For lack of better terminology, these sections will be referred to as Section 0 through Section 7.

Section 0 holds data about the IDS rules provided by Trend Micro. More specifically, Section 0 seems to be the root of all IDS rules, reaching into other sections as needed to retrieve data associated with each rule. On disk, Section 0 looks as follows:

struct SectionZero {
    num_entries: u32,
    entries: Vec<SectionZeroEntry>,
}

Each SectionZeroEntry is 0x40 bytes, most of which are unimportant for this analysis. The one field that matters is at offset 0x30: it holds a value that is used to determine an offset into Section 1, correlating data between Section 0 and Section 1. With this background, the vulnerability can be seen below.

0001cba8 003094e5 ldr r3, [r4]
// This is field_30 of a SectionZeroEntry
0001cbac 302093e5 ldr r2, [r3, #0x30]
0001cbb0 010072e3 cmn r2, #0x1
0001cbb4 2410d3e5 ldrb r1, [r3, #0x24]
0001cbb8 f500000a beq 0x1cf94

0001cbbc 9c00a0e3 mov r0, #0x9c // SectionOneEntry size is always 0x9c
// This contains a pointer to a structure containing TRF metadata
0001cbc0 143196e5 ldr r3, [r6, #0x114] {data_5a3a4}
0001cbc4 900202e0 mul r2, r0, r2 // Offset into Section_1 entries
// This retrieves a pointer to Section 1
0001cbc8 0c0093e5 ldr r0, [r3, #0xc]
// Account for the Section_1 header size
0001cbcc 082082e2 add r2, r2, #0x8
0001cbd0 023090e0 add.s r3, r0, r2
0001cbd4 3602000a beq 0x1d4b4

// Bug manifests here via
// Access @ (Pointer to Section 1 + Calculated Offset) + 4
// This is an OOB Read, Page Fault, Kernel Panic
0001cbd8 04c093e5 ldr r12, [r3, #0x4]    
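
An added example, not Trend Micro's or Talos's code: a user-space C model of the lookup in the listing above, with the unchecked 32-bit offset beside a bounds-checked read of the word at entry + 4. The `sec1_len` parameter, the function names and the sample buffer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEC1_HDR_SIZE   0x8u        /* skipped by "add r2, r2, #0x8" */
#define SEC1_ENTRY_SIZE 0x9cu       /* SectionOneEntry size in the listing */
#define NO_SEC1_ENTRY   0xffffffffu /* field_30 == -1 takes the beq (cmn r2, #0x1) */

/* Offset as the 32-bit ARM code computes it: mul/add wrap modulo 2^32. */
uint32_t unchecked_offset(uint32_t field_30)
{
    return field_30 * SEC1_ENTRY_SIZE + SEC1_HDR_SIZE;
}

/* Hypothetical hardened lookup: check field_30 against the unpacked Section 1
 * length (sec1_len, an assumed parameter) before reading the word at entry + 4.
 * Returns 0 and fills *out on success, -1 if there is no entry or it is out of bounds. */
int sec1_read_word4(const uint8_t *sec1, size_t sec1_len,
                    uint32_t field_30, uint32_t *out)
{
    uint64_t off;

    if (field_30 == NO_SEC1_ENTRY)
        return -1;
    /* 64-bit arithmetic: index * 0x9c cannot wrap back into range. */
    off = (uint64_t)field_30 * SEC1_ENTRY_SIZE + SEC1_HDR_SIZE;
    if (off > sec1_len || sec1_len - off < SEC1_ENTRY_SIZE)
        return -1;
    memcpy(out, sec1 + (size_t)off + 4, sizeof(*out));
    return 0;
}

int main(void)
{
    /* Constructed Section 1: 8-byte header plus two 0x9c-byte entries. */
    uint8_t sec1[SEC1_HDR_SIZE + 2 * SEC1_ENTRY_SIZE] = {0};
    uint32_t idx[] = {1, 2, 0x40000000u, NO_SEC1_ENTRY}, word = 0;

    for (size_t i = 0; i < sizeof(idx) / sizeof(idx[0]); i++) {
        int rc = sec1_read_word4(sec1, sizeof(sec1), idx[i], &word);
        printf("field_30=%#x wrapped_off=%#x -> %s\n", (unsigned)idx[i],
               (unsigned)unchecked_offset(idx[i]), rc ? "rejected" : "ok");
    }
    return 0;
}
```

In the crash log below, r0 (the Section 1 pointer) plus r2 (the computed offset) wraps to r3 = 61df6e08, and the faulting address 61df6e0c is r3 + 4.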

Crash Information

Unable to handle kernel paging request at virtual address 61df6e0c
pgd = bba80000
[61df6e0c] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: km_diamond(O) tdts_udb(PO) tdts(PO)
CPU: 0 PID: 5933 Comm: tdts_rule_agent Tainted: P           O 3.10.70 #2
task: bf955a40 ti: b779c000 task.ti: b779c000
PC is at signature_reload+0xda0/0x227c [tdts]
LR is at signature_reload+0xd60/0x227c [tdts]
pc : [<7f01cbd8>]    lr : [<7f01cb98>]    psr: 30000013
sp : b779dd68  ip : 000004ef  fp : c5d50d4b
r10: c24eff00  r9 : c24eff10  r8 : c5b2fd04
r7 : 7f05a1dc  r6 : 7f05a1dc  r5 : c36f48d3  r4 : c1f01778
r3 : 61df6e08  r2 : 9c207a34  r1 : 00000006  r0 : c5bef3d4
Flags: nzCV  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c53c7d  Table: 9ba8006a  DAC: 00000015
Process tdts_rule_agent (pid: 5933, stack limit = 0xb779c238)
Stack: (0xb779dd68 to 0xb779e000)
[<7f01cbd8>] (signature_reload+0xda0/0x227c [tdts]) from [<7f017b5c>] (tdts_core_rule_build+0x34/0x68 [tdts])
[<7f017b5c>] (tdts_core_rule_build+0x34/0x68 [tdts]) from [<7f0179d4>] (ptn_load+0x21c/0x2bc [tdts])
[<7f0179d4>] (ptn_load+0x21c/0x2bc [tdts]) from [<7f016678>] (trf_load+0xd8/0xe8 [tdts])
[<7f016678>] (trf_load+0xd8/0xe8 [tdts]) from [<7f016338>] (tdts_core_rule_parsing_trf_load+0x44/0x68 [tdts])
[<7f016338>] (tdts_core_rule_parsing_trf_load+0x44/0x68 [tdts]) from [<7f0013e0>] (tdts_shell_ioctl_sig+0x920/0xf54 [tdts])
[<7f0013e0>] (tdts_shell_ioctl_sig+0x920/0xf54 [tdts]) from [<7f000854>] (chrdev_release+0x110/0x164 [tdts])
[<7f000854>] (chrdev_release+0x110/0x164 [tdts]) from [<800cf1f0>] (do_vfs_ioctl+0x404/0x5c4)
[<800cf1f0>] (do_vfs_ioctl+0x404/0x5c4) from [<800cf3e8>] (SyS_ioctl+0x38/0x60)
[<800cf3e8>] (SyS_ioctl+0x38/0x60) from [<8000df40>] (ret_fast_syscall+0x0/0x30)
Code: e593000c e2822008 e0903002 0a000236 (e593c004) 
---[ end trace 38cf95abf02b3403 ]---

Timeline

2021-02-09 - Vendor disclosure
2021-04-22 - Public Release

Credit

Discovered by Carl Hurd and Kelly Leuschner of Cisco Talos.