Vulnerability in Trend Micro Anti-Threat Toolkit still unfixed

[German]In Trend Micro Anti-Threat Toolkit, an update from the vendor should fix the CVE-2019-9491 vulnerability in October 2019. According to my information and a test, this vulnerability is still open. The advice: Keep your hands off the Trend Micro Anti-Threat Toolkit!


Some Background

The Trend Micro Anti-Threat Toolkit (ATTK) allows users to run a malware scan on a Windows system. It is not a regular antivirus solution, but a tool that you download and run on your system if you suspect an infection.

Trend Micro Anti-Threat Toolkit (ATTK)
(Trend Micro Anti-Threat Toolkit (ATTK))

On October 21, 2019, Trend Micro issued this security warning on the CVE-2019-9491 vulnerability. The Anti-Threat Toolkit (ATTK) in Windows version and earlier has a Remote Code Execution (RCE) vulnerability.

The problem: Vulnerable ATTK versions could allow an attacker to store malicious files in the same directory. Since the tool requires administrator privileges, this can lead to arbitrary remote code execution (RCE) when the ATTK is executed.

In October 2019, I reported about this in my German blog post Sicherheitsupdate für Trend Micro Anti-Threat Toolkit. Trend Micro strongly recommended that users upgrade to the latest version as soon as possible. The tool can be downloaded here in the most recent build for Windows.


Fix for vulnerability CVE-2019-9491 useless

Shortly after issuing the security warning, security researcher Stefan Kanthak contacted Trend Micro by e-mail (with a copy to me) and pointed out that the vulnerability was unfixed. Now that a month have passed, I publish excerpts from the mail:

The updated files attk_ScanCleanOffline_gui_x86.exe and
attk_ScanCleanOffline_gui_x64.exe offered on
<> are but STILL vulnerable:
they execute
and (see the environment variable
PATHEXT for the extensions) from the directory
“TrendMicro AntiThreat Toolkit\HC_ATTK” where the batch script
batCollector.bat lives:

— batCollector.bat —

| @echo off
| setlocal disableDelayedExpansion
| set wd=%~dp0
| cd /d %wd%

| for /f “tokens=*” %%a in (‘findstr BatCollector= ..\..\config.ini’) do (


findstr and REG are called without file extension and without path
(although BOTH are well-known), so CMD.exe runs and from its “current working directory” “TrendMicro AntiThreat Toolkit\HC_ATTK”

The missing path and extension are BEGINNER’S error #1.

attk_ScanCleanOffline_gui_x86.exe and attk_ScanCleanOffline_gui_x64.exe
fail to restrict (at least write) access to this directory to user’s of
the “Administrators” group: this is BEGINNER’S error #2.

This UNPROTECTED directory is therefore writable by the unprivileged
user who can place a rogue
and there … and gains administrative privileges!


Additionally an unprivileged attacker can add arbitrary command lines to
the UNPROTECTED batch script batCollector.bat between its creation and
its execution, or replace it completely.

In a nutshell, Trend Micro has not fixed the original vulnerability and puts Windows users with its Toolkit at risk.

A month has passed since the October Security Advisory and the Trend Micro update. Trend Micro has confirmed they received the mail from Stefan Kanthak, so the manufacturer knows about the problem.

Has Trend Micros fixed the vulnerability?

So today I got the current version of the TM Anti-Thread Toolkit from the manufacturer and executed it in a test bed. The question was: Has the manufacturer fixed the reported issues?

  • Already during the download the Chrome browser warns (and that’s good) that the program is insecure and if I want to discard it. This time I instructed Chrome to keep the program, because I wanted to test it.
  • The .exe program requests administrative permissions from the user when it is called, so it runs with a higher permission level and can make all sorts of messes if it is compromised.
  • It starts the window of a command prompt in which the required modules are unpacked. Then the actual scan engine is called, which should check the system for malware.

Trend Micro Anti-Thread Toolkit DOS-Fenster
(Trend Micro Anti-Thread Toolkit command prompt window)

I executed the .exe file in a test environment (provided by Stefan Kanthak). This shows if a program calls DLL files in the path when starting or executing. In this case the test bed shows a warning dialog with further details.

Trend Micro Anti-Threat Toolkit (ATTK)-Tretmine hochgegangen
(Sentinel warning for Trend Micro Anti-Threat Toolkit (ATTK))

The above screenshot already shows such a warning, where the file GPAPI.dll was called by the toolkit via another DLL. Instead of executing the DLL from the Windows directory, a DLL from the test bed (which could be infected) was called. The dialog box shows that the calls are executed with high privilege and integrity levels. So the DLL can do everything an administrator is allowed to do. This is not the only warning now – if you close the dialog box,  more warnings about other DLLs like crypt32.dll etc. will be shown.

In short: If a malware places malicious files as appropriately named DLL files in the directory from which the Trend Micro Anti-Threat Toolkit is called (usually the download folder), they will be piggybacked by the Trend Micro Anti-Threat Toolkit with administrator privileges. So: Keep away from Trend Micro Anti-Threat Toolkit.

Similar articles:
Trend Micro WFBS 10.0 SP1: Patch Build 2179 with fixes
Trend Micro: Discloses Insider Threat Impacting Customer Data

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *