Trend Micro Deep Discovery Director vulnerability analysis - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201787984
Type myhack58
Reporter Anonymous
Modified 2017-07-19T00:00:00


Vulnerability information

Type: Improper neutralization of special elements used in an OS command [CWE-78], use of a hard-coded cryptographic key [CWE-321], insufficient verification of data authenticity [CWE-345]
Impact: code execution
Remotely exploitable: yes
Locally exploitable: yes
CVE names: CVE-pending-assignment-1, CVE-pending-assignment-2, CVE-pending-assignment-3

Vulnerability description

According to Trend Micro's site, Trend Micro Deep Discovery Director 1.1 [1] is a pre-configured appliance that provides centralized scheduling of updates, upgrades and Virtual Analyzer images for Deep Discovery appliances, and replication of Deep Discovery appliance configurations. Multiple vulnerabilities were found in the backup/restore process of the Deep Discovery Director appliance; an attacker with access to the management console can chain them to execute commands as root.

Affected packages

Trend Micro Deep Discovery Director 1.1 (Build 1241). Other products and versions may be affected, but they were not tested.

Vendor information, solutions and workarounds

Trend Micro released the following patch: Deep Discovery Director 1.1 Critical Patch - Build 1249.

Credits

These vulnerabilities were discovered and researched by Maximiliano Vidal of Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino of Core Security's advisories team.

Technical description / proof of concept code

The product is a pre-configured, hardened virtual appliance that offers no remote access other than the web management console. Users with local access to the virtual machine are bound to a preconfigured console from which the administrator performs the initial network setup; shell access is not allowed. The web management console is a Flask application served behind nginx.
The following sections describe the security issues found in the backup/restore mechanism and how they can be used to obtain code execution as root. Note that the attacks described assume the attacker has already authenticated to the web console.

Missing backup validation [CVE-pending-assignment-3]

Configuration and database backup archives are neither signed nor validated in any way; the only protection is that they are encrypted with a static, hard-coded password shared by every appliance (detailed under "Hard-coded archive password" below, section 7.2 of the advisory). Encryption under a secret that every installation shares is not an authenticity check: anyone who knows the password can produce an archive the appliance cannot distinguish from its own, so the application will attempt to restore a modified archive.

Hard-coded archive password [CVE-pending-assignment-2]

The backup archive is encrypted with a static password that turned out to be identical across several test installations, i.e. it is the same on every instance of the virtual appliance. The BackupManager class shows how these archives are generated:

    class BackupManager(object):
        [...]
        _AES_KEY = '9DBD048780608B843A0294CD'

        def __init__(self, is_manual=False, file_struct=None, target_partition=None,
                     config_ini=None, config_db=None, config_systemfile=None,
                     agent_file=None, meta_file=None, backup_path=None,
                     backup_zip=None, backup_pw=None, restore_path=None,
                     restore_statusfile=None):
            [...]
            # The archive password is derived from two constants shipped with
            # the product: an AES key and an encrypted password blob
            # (RESTORE_ZIP_PW), so it is identical on every appliance.
            decryptor = AESCipher(self._AES_KEY)
            self.backup_pw = backup_pw if backup_pw else decryptor.decrypt(RESTORE_ZIP_PW)
            [...]

backup_pw is used by the backup_ddd method to produce the archive:

        @with_file_lock(LOCK_UPDATE_IN_PROGRESS, blocking=False)
        @check_shutdown
        def backup_ddd(self):
            LOG.debug('Start to backup DDD')
            [...]
            os.chdir(tmp_backup_fd)
            filelist = [f for f in os.listdir('./')]
            compress_file(self.backup_zip, filelist, password=self.backup_pw, keep_directory=True)

It is also used to decrypt an uploaded archive during restore:

        @with_file_lock(LOCK_UPDATE_IN_PROGRESS, blocking=False)
        @check_shutdown
        def upload_package(self, stream, file_name):
            if not self._extract_meta(self.restore_zip):
                LOG.debug('Failed to extract meta')
                self._clean_uploaded_package()
                update_status(status=self.STATUS_FAIL, error=RESTORE_INVALID_PACKAGE.code)
                raise PBobServerCommonException(RESTORE_INVALID_PACKAGE)
            [...]

        def _extract_meta(self, restore_zip):
            # Python 2 code (file() is the builtin open()). The only check on an
            # uploaded package is whether unzip can extract the meta file with
            # the shared password; nothing verifies who produced the archive.
            command = ['unzip', '-P', self.backup_pw, '-p', restore_zip, self.meta_file]
            fd = file(self.meta_fp, 'w')
            p = subprocess.Popen(command, stdout=fd, stderr=subprocess.PIPE)
            ret = p.wait()
            fd.flush()
            fd.close()
            if ret != 0:
                # p.stderr here is the pipe object, not its contents
                LOG.error('Fail to unzip meta file. ret: {}, stderr:[{}]'.format(ret, p.stderr))
                ret = False
            else:
                ret = True
            return ret

RESTORE_ZIP_PW is defined in common_modules/common/constants.pyc as follows:

    RESTORE_ZIP_PW = 'hZrMrlTvOhiM9GaDirYQ/HQ3JSalxGOXTsJDy9gde2Q='

Note that this value is 44 base64 characters, i.e. 32 bytes (two AES block lengths), and that _AES_KEY is a 24-character string, a 192-bit key if used as raw bytes. Both constants ship with every appliance, so anyone with a copy of the software can recover the archive password. The password can be decrypted with the following script:
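The script below is an added example and is not the advisory's decryption script nor any of Trend Micro's code. It models the combined effect of the two issues above: a backup whose only protection is a password shared by every appliance can be unpacked, edited and repacked by anyone who has recovered that password, and the restore path accepts the result; a per-appliance HMAC over the archive bytes, checked before extraction, rejects it. Assumptions: the archives are plain in-memory zips (the product uses password-protected zips via unzip -P), and the member names and contents (meta.json, config.ini) are constructed for illustration, not the product's real layout. The HMAC hardening is the editor's suggestion, not the vendor's fix.

```python
# Added example, not code from the advisory or from Trend Micro: it models why
# a password-protected archive shared across appliances gives no authenticity,
# and what a per-appliance HMAC over the archive adds. Assumptions: archives are
# plain in-memory zips (the product uses password-protected zips via unzip -P),
# and the file names and contents below are constructed, not the real layout.
import hashlib
import hmac
import io
import json
import os
import zipfile

# Constructed sample backup contents (illustrative names and values).
SAMPLE_FILES = {
    "meta.json": json.dumps({"product": "DDD", "version": "1.1", "build": 1241}),
    "config.ini": "[network]\nhostname = ddd-appliance\n",
}


def build_archive(files):
    """Pack {name: text} into a zip held in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_archive(archive):
    """Unpack a zip from bytes into {name: text}."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {n: zf.read(n).decode() for n in zf.namelist()}


def tamper(archive, name, new_text):
    """What an attacker holding the shared password can do: unpack, edit one
    member, repack. The password is no obstacle because it is the same static
    value on every appliance."""
    files = read_archive(archive)
    files[name] = new_text
    return build_archive(files)


def restore_unverified(archive):
    """Model of the advisory's restore flow: if the archive opens and contains
    the meta file, it is accepted. There is no origin check, so a tampered
    archive is accepted exactly like a genuine one."""
    files = read_archive(archive)
    if "meta.json" not in files:
        return None
    return files


def sign_archive(archive, key):
    """Hardening (an assumption, not the vendor's fix): tag the archive bytes
    with HMAC-SHA256 under a key that is unique to this appliance."""
    return hmac.new(key, archive, hashlib.sha256).digest()


def restore_verified(archive, tag, key):
    """Check the tag in constant time before touching the archive contents and
    reject anything not produced under this appliance's key."""
    if not hmac.compare_digest(sign_archive(archive, key), tag):
        return None
    return restore_unverified(archive)


def demo():
    """Run a genuine and a tampered archive through both restore paths."""
    appliance_key = os.urandom(32)  # generated once per appliance at install time
    genuine = build_archive(SAMPLE_FILES)
    tag = sign_archive(genuine, appliance_key)

    # The attacker replaces config.ini with a value of their choosing.
    evil = tamper(genuine, "config.ini", "[network]\nhostname = attacker-controlled\n")

    return {
        "unverified_accepts_genuine": restore_unverified(genuine) is not None,
        "unverified_accepts_tampered": restore_unverified(evil) is not None,
        "verified_accepts_genuine": restore_verified(genuine, tag, appliance_key) is not None,
        "verified_accepts_tampered": restore_verified(evil, tag, appliance_key) is not None,
        # Without the appliance key the attacker cannot mint a valid tag either.
        "verified_accepts_forged_tag": restore_verified(
            evil, sign_archive(evil, b"not-the-appliance-key"), appliance_key) is not None,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The unverified path accepts both archives; the verified path accepts only the one produced under the appliance's own key. Two caveats a practitioner should weigh: the signing key has to live somewhere the web console's restore code cannot overwrite, and restoring a backup onto a replacement appliance then requires moving that key (or switching to a vendor-signed or admin-supplied key), otherwise the scheme only stops cross-appliance forgery.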
