Add Trend Micro WebSecurity Remote Code Execution #13645
Conversation
Yep, it is. There is a download link for the product in the documentation file of the module. |
documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md
I've downloaded the file in case they update the website. I'll see if I can get to looking at this in a few days. |
documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md
Awesome! I will fix grammar and typos with a single commit once I've got the full review. @bcoles |
My first test run was a bust (never logged into the website):
While I get now why it didn't work, I think we can work on the language a bit to make it more obvious |
Please run msftidy_docs.
|
I'm not getting any hits on the
Those are valid JSESSIONIDs for my admin user. Maybe add those to the check? Also, good things to add to the docs so we know what the log items look like. |
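The reviewer's point that admin JSESSIONID values show up in the appliance's log output is, from the defender's side, a secret-in-logs problem. The following is an added example, not code from the Metasploit module or from this PR: a small Ruby check that scans log text for Tomcat-style session identifiers, reports which lines leak them, and redacts them so the log can be stored or shared. The log lines and session id values are constructed sample data, not real appliance output.

```ruby
# Added example, not code from the Metasploit module or this PR: a defender-side
# check that scans application log output for session identifiers (JSESSIONID
# cookie values) that should never be written to a log, and redacts them.
# All log lines below are constructed sample data, not real appliance output.

# Tomcat-style JSESSIONID values are 32 uppercase hexadecimal characters.
JSESSIONID_RE = /JSESSIONID=([0-9A-F]{32})/

# Constructed sample log: two lines carry one session id, one line another.
SAMPLE_LOG = <<~LOG
  2020-06-01 10:00:01 INFO  request /rest/status JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90 user=admin
  2020-06-01 10:00:02 INFO  health check ok
  2020-06-01 10:00:03 DEBUG cookie JSESSIONID=0123456789ABCDEF0123456789ABCDEF
  2020-06-01 10:00:04 INFO  request /rest/config JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90 user=admin
LOG

# Returns a Hash mapping each leaked session id to the 1-based line numbers
# it appears on. An empty Hash means no session id was found in the log.
def find_leaked_sessions(log_text)
  leaks = {}
  log_text.each_line.with_index(1) do |line, lineno|
    line.scan(JSESSIONID_RE).flatten.each do |sid|
      (leaks[sid] ||= []) << lineno
    end
  end
  leaks
end

# Masks every session id in a line, keeping only the last four characters
# so that entries for the same session can still be correlated.
def redact_session_ids(line)
  line.gsub(JSESSIONID_RE) do
    sid = Regexp.last_match(1)
    "JSESSIONID=#{'*' * (sid.length - 4)}#{sid[-4, 4]}"
  end
end

if __FILE__ == $PROGRAM_NAME
  find_leaked_sessions(SAMPLE_LOG).each do |sid, lines|
    puts "session id ending in #{sid[-4, 4]} leaked on line(s) #{lines.join(', ')}"
  end
  puts SAMPLE_LOG.each_line.map { |l| redact_session_ids(l) }.join
end
```

Run it against a real log file by replacing `SAMPLE_LOG` with `File.read(path)`; any non-empty result from `find_leaked_sessions` is a finding worth fixing at the logging layer, and `redact_session_ids` is the shape of the filter that should sit in front of the log writer.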
After making this change:
I was able to get it to run.
|
Any idea on the JSESSIONID difference?
|
That's strange... In my lab, I've installed all the minor patches too. Maybe the function that prints out |
Let me know when you're all set and I'll take a look |
@h00die Thanks. I think it's ready for review 👍 |
This looks much better :) |
Any reason you're using instance variables (@) vs returning the jsessionid? from a quick look over, it seemed like you could just return it. Had a few suggestions for fixes: mdisec#2 |
fixing up some styling and rubocop run
Thanks for the MR @h00die! I merged it <3.
Another approach could be calling For me, both approaches do what we need. But an instance variable makes more sense to me in these kinds of situations. Whenever I see an instance variable, I think that variable is important for the exploitation and has to be accessible from multiple functions of the exploit module. |
Latest changes are working and looking good.
Logged in to the service
|
Release Notes

The Trend Micro Web Security (Virtual Appliance) Remote Code Execution uses three exploits that, when chained together, allow for remote code execution in Trend Micro WebSecurity 6.5. The vulnerabilities are identified as: |
Thanks for the PR @mdisec, and for sticking with all the changes requested. It's quite a dynamic module now! |
Hi, I have downloaded the above vulnerable ISO file of the web security appliance and installed it in VirtualBox. I kept both the attacker (Kali) and target (Trend Micro) on the same host-only network. However, I can't access the target port (8443) from my attacker machine. What mistake am I making here? |
What output do you get? This module expects the
|
Hi, Thanks for your quick reply. But the module worked as mentioned after restarting the Trend Micro web security appliance. So the problem is solved. |
Hi everyone!
This module exploits multiple vulnerabilities together in order to achieve a remote code execution. Unauthenticated users can execute a terminal command under the context of the root user.
Verification Steps

A successful check of the exploit will look like this:

1. Start msfconsole
2. use exploit/linux/http/trendmicro_websecurity_exec
3. Set RHOST
4. Set LHOST
5. check (you should see "The target is vulnerable.")
6. exploit
7. You should see "Latest session id is successfully extracted : 29A589E94A0BC0954F7F9B1FE7EC8858" in console.

Scenario

This module has been tested against Trend Micro Web Security 6.5-SP2_Build_Linux_1852.
#Nahamcon2020