EDR, a tool designed to enhance enterprise information security, could itself become a security threat if improperly designed. In this session, we will share our methods of abusing implementation issues in Trend Micro Apex One EDR to achieve local privilege escalation. Our research focuses on the IPC mechanism between the Security Agent and the System Service of Apex One, covering both architectural design and implementation issues. In the process, we discovered and reported over ten local privilege escalation vulnerabilities, and even after these vulnerabilities were patched, we could still find new bypass techniques. In this session, we will delve into the architectural issues of Apex One and the evolution of its IPC authentication mechanism, as well as the root causes and exploitation methods of these vulnerabilities. Through this discussion, we hope to help developers gain a deeper understanding of the security issues that may arise in system services and to be more rigorous when developing information security products.
Shih-Fong Peng, aka Lays, is Co-Founder and Security Researcher of TRAPA Security, currently focusing on reverse engineering and vulnerability research. He is a member of the HITCON and 217 CTF teams, which achieved second place at DEF CON CTF 25 and 27. He was also named an MSRC Most Valuable Security Researcher in 2019 and 2020 and has reported vulnerabilities to Microsoft, Google, Samsung, and others.
Blog: https://blog.l4ys.tw Twitter: @_L4ys
Lynn is a member of the iCYBER Advisor Security Team. She has discovered and reported multiple vulnerabilities and was a member of the Balsn CTF team. Twitter: @0x000050