Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE. #7191

Merged
merged 3 commits into from Nov 14, 2016

QKaiser commented Aug 8, 2016

Name: Trend Micro Smart Protection Server Exec Remote Code Injection
Module: exploit/linux/http/trendmicro_sps_exec
Platform: Linux
Privileged: No
License: Metasploit Framework License (BSD)
Disclosed: 2016-08-08

This module exploits a vulnerability found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection. Please note that authentication is required to exploit this vulnerability.

Advisory: http://qkaiser.github.io/pentesting/trendmicro/2016/08/08/trendmicro-sps/

wwebb-r7 commented Sep 20, 2016

This probably would have been landed over a month ago, but obtaining the software for testing has so far been a pain.

stevenseeley commented Oct 6, 2016

Actually, that was pretty easy to validate.

busterb commented Oct 6, 2016

Cool, did it work for you, @stevenseeley?

stevenseeley commented Oct 6, 2016

@busterb like a charm, but module design needs to be a little improved.

end
end
Exploit::CheckCode::Safe
end

bwatters-r7 Oct 11, 2016

I'm confused by the double Exploit::CheckCode::Safe. Is there a reason for it? Should the second one be unknown, maybe? I feel like it should be unknown.

end
end
end
Exploit::CheckCode::Safe

bwatters-r7 Oct 11, 2016

Same double-safe, even if the response is not as expected.

QKaiser Oct 28, 2016

You're right. Second one should be unknown. Just fixed it :)

print_status("Version: #{version}")
print_status("Build: #{build}")
if (version == 3.0 and build < 1330) or
(version == 2.6 and build < 2106) or

h00die Oct 28, 2016

Would these version checks be more simple with a Gem::Version?
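
The Gem::Version approach suggested in the comment above, as an added example (not code from this PR or from the Metasploit module) for inventorying which installations still need the patch. The names `sps_patch_state` and `FIXED_BUILDS` are assumptions; only the 3.0 and 2.6 thresholds visible in the snippet are used, and builds below them are assumed to be unpatched.

```ruby
# Added example: patch-level check with Gem::Version instead of Float/Integer pairs.
require 'rubygems'

# First fixed build per release line, copied from the two thresholds visible in
# the snippet. The condition is cut off on the page, so no other line is listed.
FIXED_BUILDS = {
  '3.0' => 1330,
  '2.6' => 2106
}.freeze

# Returns :vulnerable, :patched or :unknown for a version string and a build
# number as read from the product's version banner (hypothetical helper).
def sps_patch_state(version, build)
  # Reject anything that is not a well-formed version or a plain integer build,
  # rather than letting a Float conversion silently coerce it.
  return :unknown unless Gem::Version.correct?(version.to_s)
  return :unknown unless build.to_s.match?(/\A\d+\z/)

  # Keep major.minor as the release line; "3.0" stays "3.0" (a Float would
  # also turn "3.10" into 3.1 and make String == Float comparisons false).
  release = Gem::Version.new(version.to_s).segments.first(2).join('.')
  fixed = FIXED_BUILDS[release]
  return :unknown if fixed.nil?

  installed = Gem::Version.new("#{release}.#{build}")
  installed < Gem::Version.new("#{release}.#{fixed}") ? :vulnerable : :patched
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not taken from the page.
  [['3.0', 1329], ['3.0', 1330], ['2.6', '2105'], ['4.1', 7]].each do |v, b|
    puts "#{v} build #{b}: #{sps_patch_state(v, b)}"
  end
end
```

Returning `:unknown` for unlisted or malformed input mirrors the fix agreed earlier in this thread: an unexpected response should not be reported as safe.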

wchen-r7 commented Nov 4, 2016

I thought I had the vulnerable software to test, but turns out I don't. It looks like I am not able to verify this PR for now. I would like to unassign myself to avoid hijacking the PR. If anybody has an idea where to get the vulnerable software (trial?), please let me know. Thanks!

@wchen-r7 wchen-r7 removed their assignment Nov 4, 2016

@jmartin-r7 jmartin-r7 self-assigned this Nov 14, 2016

@jmartin-r7 jmartin-r7 merged commit c7b775a into rapid7:master Nov 14, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

jmartin-r7 added a commit that referenced this pull request Nov 14, 2016

jmartin-r7 commented Nov 14, 2016

Release Notes

This module exploits a vulnerability CVE-2016-6267 found in TrendMicro Smart Protection Server where untrusted inputs are fed to ServWebExec system command, leading to command injection. Shell access obtained is within 'webserv' service user context. Please note that authentication is required to exploit this vulnerability. Unpatched versions 2.5, 2.6, and 3.0 are vulnerable.
