In this presentation, I will talk about my experience researching various enterprise offerings by Trend Micro. I will also share details about the (approximately 10) different vulnerabilities that I found and how they can be combined into different exploit chains to achieve Remote Code Execution (RCE) on these applications, namely "Trend Micro Apex Central" and "Trend Micro Mobile Security (Enterprise)", which are used internally by big companies. The root cause and indicators of compromise of these vulnerabilities will then be examined, as well as the official patches by Trend Micro. Some highlights of the talk include: perfect golfing to achieve RCE, a classic 3-bug chain pre-authentication RCE (with a CVSS 3.1 score of 9.8), as well as combining limited primitives to achieve RCE. Finally, I will also share how to look out for such vulnerabilities in other similar programs.
Poh Jia Hao has been a Security Researcher at STAR Labs SG Pte. Ltd. for the past 2 years, with a focus mainly on web application security. Jia Hao has multiple CVEs in various applications under his name over the past years. He is always interested in staying up to date on the latest hacking techniques used to challenge the assumptions. Besides performing vulnerability research, Jia Hao also has experience in penetration testing and is Offensive Security-certified (OSCP, OSWP and OSWE).