
Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE. #7191

Merged (3 commits, Nov 14, 2016)

Conversation


@qkaiser qkaiser commented Aug 8, 2016

Name: Trend Micro Smart Protection Server Exec Remote Code Injection
Module: exploit/linux/http/trendmicro_sps_exec
Platform: Linux
Privileged: No
License: Metasploit Framework License (BSD)
Disclosed: 2016-08-08

This module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to the ServWebExec system command, leading to command injection. Please note that authentication is required to exploit this vulnerability.

Advisory: http://qkaiser.github.io/pentesting/trendmicro/2016/08/08/trendmicro-sps/

@wwebb-r7 (Contributor) commented:

This probably would have been landed over a month ago, but obtaining the software for testing has so far been a pain.

@stevenseeley (Contributor) commented:

Actually, that was pretty easy to validate.

@busterb (Contributor) commented Oct 6, 2016:

Cool, did it work for you @stevenseeley ?

@stevenseeley (Contributor) commented:

@busterb like a charm, but module design needs to be a little improved.

end
end
Exploit::CheckCode::Safe
end
Contributor:

I'm confused by the double Exploit::CheckCode::Safe. Is there a reason for it? Should the second one be unknown, maybe? I feel like it should be unknown.

end
end
end
Exploit::CheckCode::Safe
Contributor:

Same double-safe, even if the response is not as expected.

Contributor Author (qkaiser):

You're right. Second one should be unknown. Just fixed it :)

print_status("Version: #{version}")
print_status("Build: #{build}")
if (version == 3.0 and build < 1330) or
(version == 2.6 and build < 2106) or
@h00die (Contributor) commented Oct 28, 2016:

Would these version checks be more simple with a Gem::Version?
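The version gating h00die asks about, written out with Gem::Version, as an added example; this is not the module's own code. The two fixed-build thresholds (3.0 build 1330, 2.6 build 2106) are taken from the snippet above; the 2.5 line has no threshold on this page, so the example reports it as unknown instead of guessing. It also shows the point raised earlier in the review: a version the check cannot classify should come back as unknown, not as a second "safe". The helper names check_sps and sps_version are assumed.

```ruby
# Added example (not code from the module under review): gate on
# "major.minor.build" with Gem::Version instead of comparing floats and
# integers by hand.
require 'rubygems'

# Earliest build carrying the fix, per major.minor line. Only the two
# thresholds visible in the reviewed snippet are listed; any other line is
# reported as :unknown rather than guessed.
FIXED_BUILDS = {
  '3.0' => 1330,
  '2.6' => 2106
}.freeze

# Combine the two strings the server reports (e.g. "3.0" and "1329") into one
# comparable Gem::Version, or nil when the input is not a well-formed version.
def sps_version(version, build)
  v = "#{version.to_s.strip}.#{build.to_s.strip}"
  return nil unless Gem::Version.correct?(v)
  Gem::Version.new(v)
end

# Returns :vulnerable, :safe or :unknown. :unknown covers unparseable input and
# version lines with no known threshold, which is what a check method should
# report instead of falling through to a second CheckCode::Safe.
def check_sps(version, build)
  line = version.to_s.strip
  fixed_build = FIXED_BUILDS[line]
  current = sps_version(line, build)
  return :unknown if fixed_build.nil? || current.nil?

  fixed = Gem::Version.new("#{line}.#{fixed_build}")
  current < fixed ? :vulnerable : :safe
end

if __FILE__ == $0
  # Constructed sample inputs covering each outcome.
  [['3.0', '1329'], ['3.0', '1330'], ['2.6', '2105'],
   ['2.5', '1000'], ['3.0', 'n/a']].each do |v, b|
    puts "#{v} build #{b}: #{check_sps(v, b)}"
  end
end
```

Gem::Version compares segment by segment, so "2.10" sorts after "2.6" (a float comparison would put 2.10 below 2.6) and the build number is handled as a third segment rather than a separate integer comparison per branch.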

@wchen-r7 (Contributor) commented Nov 4, 2016:

I thought I had the vulnerable software to test, but turns out I don't. It looks like I am not able to verify this PR for now. I would like to unassign myself to avoid hijacking the PR. If anybody has an idea where to get the vulnerable software (trial?), please let me know. Thanks!

@wchen-r7 wchen-r7 removed their assignment Nov 4, 2016
@jmartin-tech jmartin-tech self-assigned this Nov 14, 2016
@jmartin-tech jmartin-tech merged commit c7b775a into rapid7:master Nov 14, 2016
jmartin-tech added a commit that referenced this pull request Nov 14, 2016
@jmartin-tech (Contributor) commented Nov 14, 2016:

Release Notes

This module exploits a vulnerability, CVE-2016-6267, found in TrendMicro Smart Protection Server where untrusted inputs are fed to the ServWebExec system command, leading to command injection. Shell access obtained is within the 'webserv' service user context. Please note that authentication is required to exploit this vulnerability. Unpatched versions 2.5, 2.6, and 3.0 are vulnerable.
