Trend Micro Control Manager AdHocQuery_SelectView XPATH Injection Information Disclosure Vulnerability
Published: 2016-08-09T00:00:00
ID: ZDI-16-461
Type: zdi
Reporter: k0rpr1t_z0mb1e
Modified: 2016-06-22T00:00:00
Description
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Trend Micro Control Manager. Authentication is required to exploit this vulnerability. The specific flaw exists within AdHocQuery_SelectView.aspx. The issue lies in the failure to sanitize user-supplied input prior to executing an XML query. An attacker can use this information in conjunction with other vulnerabilities to execute code in the context of the process.
References
https://www.zerodayinitiative.com/advisories/ZDI-16-461/
http://esupport.trendmicro.com/solution/en-US/1114749.aspx