CVE-2018-10513

Vulnerability

The vulnerability is a deserialization of untrusted data in Trend Micro Security 2018 (Consumer) products, including Trend Micro Maximum Security. It resides in the coreServiceShell.exe service process when handling ID_AMSP_MASTER requests. The service does not properly validate user-supplied data before deserializing it, leading to arbitrary code execution. The flaw affects versions of Trend Micro Security 2018 that include this service component [1].

Exploitation

An attacker must first gain the ability to execute low-privileged code on the target system. From that position, the attacker can send a crafted request to the coreServiceShell.exe service, triggering the deserialization of untrusted data. The specific request involves the ID_AMSP_MASTER buffer, which is not validated for malicious content. This allows the attacker to achieve code execution with the privileges of the service [1].

Impact

Successful exploitation leads to privilege escalation from a low-privileged user to the SYSTEM account, the highest privilege level on Windows. The attacker gains full control over the system, including the ability to read, modify, or delete files, install programs, and create new accounts with full user rights [1].

Mitigation

Trend Micro released a patch for this vulnerability on August 30, 2018. Users should update to the latest version of Trend Micro Security 2018 (Consumer) products. There is no known workaround, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities Catalog as of this writing [1].