1. Homepage
  2. Equities
  3. Japan
  4. Japan Exchange
  5. Trend Micro
  6. News
  7. Summary
    4704   JP3637300009


Delayed Japan Exchange  -  05/24 02:00:00 am EDT
7430.00 JPY   -0.40%
05/16Cyber professionals gathered at Helsinki Expo and Convention Centre after a three years' break
04/25TREND MICRO : New Partner Bit Discovery Helps TM with Attack Surface
04/25Trend Micro Announces the Launch of Trend Micro One, a Unified Cybersecurity Platform
SummaryMost relevantAll NewsOther languagesPress ReleasesOfficial PublicationsSector news

Trend Micro : Analyzing an Old Bug and Discovering CVE-2021-30995

01/14/2022 | 06:42am EDT

On April 26, 2021 Apple patched CVE-2021-1740, which was a vulnerable function inside the system daemon process cfprefsd (these types of processes usually run in the background and handle system tasks). The bug could have been exploited to read arbitrary files, write arbitrary files, and get root privilege escalation. It was addressed in Apple's Security Update 2021-002 (Catalina) for a variety of Apple operating systems, including iOS and macOS. However, in early August 2021, Zhipeng Huo, Yuebin Sun, and Chuanda Ding (all from XuanwuLab) presented an exploitation demonstration for the vulnerability during the DEF CON 29 security conference. Their presentation was called "Caught you - reveal and exploit IPC logic bugs inside Apple ".

While studying the slides, I found that the patch for CVE-2021-1740 was still vulnerable to arbitrary file read exploits. Apple fixed this flaw, and on September 20, 2021 assigned CVE-2021-30855 to the second patch.

However, I found that the second patch was still vulnerable to arbitrary file write and root privilege escalation. This vulnerability issue was brought forward and addressed on December 13, 2021, with Apple assigning CVE-2021-30995 as the third patch (credited to this author). Apple released Security Update 2021-008 (Catalina) to secure their affected products, so any users who installed these updates should be protected.

The report detailed below shows the investigation of the original vulnerability, and the process that led me to discover CVE-2021-30995.

Tracking the patching history

To fully investigate the vulnerability first reported in April, we should illustrate how an attack could work. The key logic of the vulnerable function [CFPDSource cloneAndOpenPropertyListWithoutDrainingPendingChangesOrValidatingPlist] is:

If the controllable plist file size is larger than 1MB, then it will be cloned to a temporary file with a random name and return the file descriptor of the new cloned one.

The arbitrary file write attack from the XuanwuLab researchers' DefCon slides show that it replaced the fixed file name of the dst_path with a symbolic link before the API call clonefile.

After getting the primitive of arbitrary file write, there are some known ways to get root privilege escalation. One simple method involves the use of periodic scripts, outlined by Csaba Fitzl.

For the issues with the second patch, we can see the new API call fclonefileat at line 25 (in Figure 1). The target directory fd is -2, and v6 is the full path of the temporary plist file. So, I found that I could replace the target parent directory with a symbolic link to an arbitrary directory.


Trend Micro Inc. published this content on 14 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 January 2022 11:41:01 UTC.

© Publicnow 2022
All news about TREND MICRO
05/16Cyber professionals gathered at Helsinki Expo and Convention Centre after a three years..
04/25TREND MICRO : New Partner Bit Discovery Helps TM with Attack Surface
04/25Trend Micro Announces the Launch of Trend Micro One, a Unified Cybersecurity Platform
04/24TREND MICRO : How to better manage your digital attack surface risk
04/20TREND MICRO : Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency..
04/19CRITICALLY UNDERRATED : Studying the Data Distribution Service (DDS) Protocol
04/18TREND MICRO : An Investigation of the BlackCat Ransomware via Trend Micro Vision One
04/18CYBER RISK INDEX (2H' 2021) : An Assessment for Security Leaders
04/13OT cybersecurity provider TXOne Networks expands its presence in Europe
04/08CVE-2022-22965 : Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing a..
More news
Sales 2022 207 B 1 622 M 1 622 M
Net income 2022 32 018 M 251 M 251 M
Net cash 2022 213 B 1 666 M 1 666 M
P/E ratio 2022 32,4x
Yield 2022 2,21%
Capitalization 1 041 B 8 147 M 8 147 M
EV / Sales 2022 4,00x
EV / Sales 2023 3,67x
Nbr of Employees 7 024
Free-Float 94,6%
Duration : Period :
Trend Micro Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends TREND MICRO
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus HOLD
Number of Analysts 12
Last Close Price 7 460,00 JPY
Average target price 7 150,00 JPY
Spread / Average Target -4,16%
EPS Revisions
Managers and Directors
Yi Fen Chen Auditor
Mahendra Negi Group CFO, COO & Representative Director
Ming Jang Chang Representative Director
Oscar Chang Executive Vice President-Research & Development
Max Cheng Chief Information Officer & Executive VP
Sector and Competitors
1st jan.Capi. (M$)
TREND MICRO16.74%8 147
SYNOPSYS INC.-16.69%46 998
SEA LIMITED-65.47%43 240