Talos Vulnerability Report

TALOS-2021-1240

Trend Micro Inc. Home Network Security tdts.ko TRF file-parsing denial-of-service vulnerability

April 22, 2021
CVE Number

None

Summary

A denial-of-service vulnerability exists in the tdts.ko TRF file-parsing function of Trend Micro Inc.’s Home Network Security 6.1.567. A specially crafted file can lead to denial of service. An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Trend Micro, Inc. Home Network Security 6.1.567

Product URLs

Home Network Security - https://www.trendmicro.com/en_us/forHome/products/homenetworksecurity.html

CVSSv3 Score

7.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Details

The Home Network Security Station is a device used to monitor and protect home networks from security threats as well as offer simple network management features. The Station provides vulnerability scanning, web threat protection, intrusion prevention, as well as device-based access control for all devices on a home network.

This vulnerability is caused by the TRF parser within tdts.ko using data from the TRF file to calculate offsets into memory, blindly trusting user-provided data inside the kernel. By providing an offset that does not point to valid kernel memory, an out-of-bounds read and page fault will occur and the kernel will panic.

The TRF file containing rules provided by Trend Micro is packed at rest; both encryption and compression are used in this packing process. After unpacking, the TRF file contains eight unique sections that are parsed by tdts.ko. These sections all contain unique information used by the deep packet inspection engine to enforce rules: some sections contain application IDs and protocol IDs, and others include information regarding IDS rules. For lack of better terminology, these sections will be referred to as Section 0 through Section 7.

Section 0 holds data about the IDS rules provided by Trend Micro; more specifically, Section 0 seems to be the root of all IDS rules, reaching into other sections as needed to retrieve data associated with each rule. Section 0 on disk looks as follows:

struct SectionZero {
    num_entries: u32,               // number of SectionZeroEntry records that follow
    entries: Vec<SectionZeroEntry>, // each 0x40 bytes, immediately followed by its SectionZeroSubEntries
}

SectionZeroEntry is 0x40 bytes, most of which are unimportant for this analysis. Two offsets matter: offset 0x20 (u16) and offset 0x25 (u8), both of which are used to continue parsing the section. Offset 0x25 gives the number of SectionZeroSubEntries that follow the current SectionZeroEntry. Offset 0x20 is not important for this analysis beyond being needed to parse the file properly.

SectionZeroSubEntries are located directly after each SectionZeroEntry, in a count equal to the value at offset 0x25 of the preceding SectionZeroEntry. SectionZeroSubEntries are 0x18 bytes long, and for this analysis only offset 0x14 (u32) is important. Offset 0x14 is used as an offset to correlate data between Section 0 and Section 2. With that background information, the vulnerability is seen below.

0001d59c 14c09de5 ldr r12, [sp, #0x14] {var_84_2}
// This contains a pointer to a structure containing TRF metadata
0001d5a0 143196e5 ldr r3, [r6, #0x114] {data_5a3a4}
0001d5a4 08108ce0 add r1, r12, r8
// This is a pointer to Section_2 within the TRF file
0001d5a8 102093e5 ldr r2, [r3, #0x10]
// This is field_14 in Section_0_Sub_Entry within the TRF file
0001d5ac 140091e5 ldr r0, [r1, #0x14]
0001d5b0 049091e5 ldr r9, [r1, #0x4]
0001d5b4 083091e5 ldr r3, [r1, #0x8]
0001d5b8 0ca091e5 ldr r10, [r1, #0xc]
// The bug occurs here. The TRF file is trusted to provide an offset that
// reasonably points within the same TRF memory.
// field_14 of a Section_0_Sub_entry is used to determine where in memory,
// within Section_2, the related data is located.
0001d5bc 000182e0 add r0, r2, r0, lsl #0x2
0001d5c0 101091e5 ldr r1, [r1, #0x10]
0001d5c4 0820dce7 ldrb r2, [r12, r8]
// Bug manifests here via
// Access @ (Pointer to Section 2 + Calculated Offset) + 4
// This is an OOB Read, Page Fault, Kernel Panic
0001d5c8 04b090e5 ldr r11, [r0, #0x4]
0001d5cc 00005be3 cmp r11, #0
0001d5d0 b7ffff0a beq 0x1d4b4
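The following is an added example, not code from Talos or from tdts.ko: a bounds-checked walk of Section 0 in C that follows the layout described above and rejects any field_14 whose scaled access (Section 2 base + field_14*4 + 4, as in the disassembly) would fall outside Section 2. The sample buffers are constructed, and treating Section 2 as a flat byte buffer of known length is an assumption for illustration.

```c
#include <stdint.h>
#include <stddef.h>
/* Layout from the advisory: 0x40-byte SectionZeroEntry (sub-entry count at 0x25),
   0x18-byte SectionZeroSubEntry (u32 at 0x14, scaled by 4 and read at +4 in Section 2). */
#define ENTRY_SIZE      0x40
#define ENTRY_SUBCOUNT  0x25
#define SUBENTRY_SIZE   0x18
#define SUBENTRY_FIELD  0x14
static uint32_t rd32(const uint8_t *p) {  /* little-endian, as on the ARM target */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk Section 0 and validate every Section 2 reference before dereferencing it.
   Returns the number of sub-entries checked, or -1 at the first malformed one. */
int check_section_zero(const uint8_t *s0, size_t s0_len, const uint8_t *s2, size_t s2_len) {
    if (s0_len < 4) return -1;
    uint32_t num_entries = rd32(s0);
    size_t pos = 4;
    int checked = 0;
    for (uint32_t i = 0; i < num_entries; i++) {
        if (s0_len - pos < ENTRY_SIZE) return -1;        /* truncated entry */
        uint8_t subs = s0[pos + ENTRY_SUBCOUNT];
        pos += ENTRY_SIZE;
        for (uint8_t j = 0; j < subs; j++) {
            if (s0_len - pos < SUBENTRY_SIZE) return -1; /* truncated sub-entry */
            uint32_t field_14 = rd32(s0 + pos + SUBENTRY_FIELD);
            /* The module reads a u32 at s2 + field_14*4 + 4; require that whole word to
               lie inside Section 2. 64-bit math avoids the 32-bit wrap of lsl #2. */
            if ((uint64_t)field_14 * 4 + 8 > s2_len) return -1;  /* would be the OOB read */
            (void)rd32(s2 + (size_t)field_14 * 4 + 4);   /* now provably in bounds */
            pos += SUBENTRY_SIZE;
            checked++;
        }
    }
    return checked;
}

/* Constructed sample (not a real TRF): one entry with one sub-entry whose field_14 is
   the caller's choice, and a 16-byte Section 2 (room for indices 0..2 only). */
int demo(uint32_t field_14) {
    uint8_t s0[4 + ENTRY_SIZE + SUBENTRY_SIZE] = {0};
    uint8_t s2[16] = {0};
    wr32(s0, 1);                                /* num_entries = 1 */
    s0[4 + ENTRY_SUBCOUNT] = 1;                 /* one sub-entry follows */
    wr32(s0 + 4 + ENTRY_SIZE + SUBENTRY_FIELD, field_14);
    return check_section_zero(s0, sizeof s0, s2, sizeof s2);
}
```

demo(0) through demo(2) pass because the referenced word lies inside the 16-byte Section 2, while demo(3) and a large value such as demo(0x40000000) are rejected before any dereference.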

Crash Information

Unable to handle kernel paging request at virtual address 66d44fec
pgd = baca4000
[66d44fec] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: km_diamond(O) tdts_udb(PO) tdts(PO)
CPU: 0 PID: 1052 Comm: tdts_rule_agent Tainted: P           O 3.10.70 #2
task: bfa20f00 ti: bbfe4000 task.ti: bbfe4000
PC is at signature_reload+0x1790/0x227c [tdts]
LR is at signature_reload+0xd60/0x227c [tdts]
pc : [<7f01d5c8>]    lr : [<7f01cb98>]    psr: 20000013
sp : bbfe5d68  ip : c5e54984  fp : c6000516
r10: 00000000  r9 : 00000000  r8 : 00000000
r7 : 7f05a1dc  r6 : 7f05a1dc  r5 : c6b7aef8  r4 : c5e54984
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 66d44fe8
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c53c7d  Table: 9aca406a  DAC: 00000015
Process tdts_rule_agent (pid: 1052, stack limit = 0xbbfe4238)
Stack: (0xbbfe5d68 to 0xbbfe6000)
5d60:                   00000000 00000000 00000000 00000000 00000000 c5e54984
5d80: c6b7af00 00000048 c084e000 00001b58 30353776 7262763b 6573776f 30353872
5da0: 20652066 31613936 63373335 37666365 61663161 64396564 c6002d00 00000804
5dc0: c6003518 00000000 00000000 00000000 00000000 00040005 00000000 7f059c20
5de0: 7f059bb0 0005a40f 00000244 7f059bb0 00000804 000e43d0 0014363c 7f017b5c
5e00: 00000000 c5bcfc3c 7f059bb0 7f0179d4 80521f04 8008cb84 420dc02c 0008020a
5e20: 00010100 000e43d0 0014363c 0004f304 00000000 00000000 00000000 00000000
5e40: 002b32fc 0000a1e8 00000804 00000244 0005a40f 3073b1ed 5fb32981 00000000
5e60: 00000000 0058f04b 00fc113a c55d8000 000c1fc7 b383d07b 00000003 bfb65900
5e80: bbfe4000 00000100 7efffae4 7f016678 000c1fcb 12060723 00020001 000c493b
5ea0: 00002c03 00000000 7f059ba0 000c1fcb c55d8000 7f016338 00000000 c55d8000
5ec0: bbfe5ee8 7f0013e0 bfb65900 00000003 bfb65900 bbfe5ee8 00000000 7efffaf0
5ee0: bfb65900 7f000854 000000be 02000102 76db5000 00000000 000c1fcb 00000000
5f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f20: bf54b0d0 800cf1f0 00000000 00000000 00000000 00000000 00000000 00000000
5f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f60: 00000000 00000003 00000000 c038be02 7efffaf0 bfb65900 bbfe4000 00000100
5f80: 7efffae4 800cf3e8 bbfe5fb0 00000000 00000000 00000000 00010b1c 00000036
5fa0: 8000e0e8 8000e0cc 00000000 00000000 00000003 c038be02 7efffaf0 c038be02
5fc0: 00000000 00000000 00010b1c 00000036 00000000 00000000 76fff000 7efffae4
5fe0: 00035c8c 7efffab4 0001b12c 76f3adcc 20000010 00000003 00000000 00000000
[<7f01d5c8>] (signature_reload+0x1790/0x227c [tdts]) from [<7f017b5c>] (tdts_core_rule_build+0x34/0x68 [tdts])
[<7f017b5c>] (tdts_core_rule_build+0x34/0x68 [tdts]) from [<7f0179d4>] (ptn_load+0x21c/0x2bc [tdts])
[<7f0179d4>] (ptn_load+0x21c/0x2bc [tdts]) from [<7f016678>] (trf_load+0xd8/0xe8 [tdts])
[<7f016678>] (trf_load+0xd8/0xe8 [tdts]) from [<7f016338>] (tdts_core_rule_parsing_trf_load+0x44/0x68 [tdts])
[<7f016338>] (tdts_core_rule_parsing_trf_load+0x44/0x68 [tdts]) from [<7f0013e0>] (tdts_shell_ioctl_sig+0x920/0xf54 [tdts])
[<7f0013e0>] (tdts_shell_ioctl_sig+0x920/0xf54 [tdts]) from [<7f000854>] (chrdev_release+0x110/0x164 [tdts])
[<7f000854>] (chrdev_release+0x110/0x164 [tdts]) from [<800cf1f0>] (do_vfs_ioctl+0x404/0x5c4)
[<800cf1f0>] (do_vfs_ioctl+0x404/0x5c4) from [<800cf3e8>] (SyS_ioctl+0x38/0x60)
[<800cf3e8>] (SyS_ioctl+0x38/0x60) from [<8000e0cc>] (__sys_trace_return+0x0/0x14)
Code: e591a00c e0820100 e5911010 e7dc2008 (e590b004) 
---[ end trace 1974a6e9b9cd44a0 ]---

Timeline

2021-02-09 - Vendor disclosure
2021-04-22 - Public Release

Credit

Discovered by Carl Hurd and Kelly Leuschner of Cisco Talos.