SSD Advisory – Trend Micro Threat Intelligence Manager Multiple Vulnerabilities Remote Code Execution
SecuriTeam Secure Disclosure
Threat Intelligence Manager provides actionable security intelligence for quickly responding to advanced and hidden threats, enabling you to proactively respond to enterprise security threats.
Trend Micro Threat Intelligence Manager installs a secure web interface (httpd.exe, tcp port 443/https) which listens for incoming requests. Several vulnerabilities have been found in the product that would allow a remote attacker to cause the product to execute arbitrary code.
Arbitrary File Reading
Three copies of a script called 'sampleReporting.php' contain an arbitrary file reading vulnerability:
C:\Program Files\Trend Micro\Threat Intelligence Manager\web\htdocs\widget_framework2\repository\widgetPool\wp1\widget_backup\modSample\sampleReporting.php
C:\Program Files\Trend Micro\Threat Intelligence Manager\web\htdocs\widget_framework2\repository\widgetPool\wp1\widget_backup\modSample2\sampleReporting.php
C:\Program Files\Trend Micro\Threat Intelligence Manager\web\htdocs\widget_framework2\repository\widgetPool\wp1\widget_backup\modSample3\sampleReporting.php
<?php
$filename = $_REQUEST['fakename'];   // unvalidated user input used directly as a file path
$ini_handle = fopen($filename, "r");
$ini_contents = fread($ini_handle, filesize($filename));
fclose($ini_handle);
echo $ini_contents;                  // file contents returned to the client
?>
Through the 'fakename' argument it is possible to specify an absolute path or directory traversal sequences, so arbitrary files can be read with the privileges of the web server process, NT AUTHORITY\SYSTEM.
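As an added example (not Trend Micro's code), the following is a hardened version of the file-reading logic above. It confines reads to one directory and only accepts a plain file name; the directory name ALLOWED_DIR and the use of the 'fakename' parameter are assumptions for illustration, since the advisory does not say what the script was meant to read.

```php
<?php
// Added example, not Trend Micro's code: a hardened replacement for the
// file-reading logic in sampleReporting.php. Reads are confined to a single
// directory, and the request parameter must be a plain file name.
// ALLOWED_DIR is a hypothetical location chosen for this example.

const ALLOWED_DIR = __DIR__ . DIRECTORY_SEPARATOR . 'reports';  // assumed directory

function safe_read(string $requested): ?string
{
    // Allowlist the name itself: letters, digits, '_' and '-', optionally one
    // extension. This rejects '..', '/', '\', NUL bytes and drive letters
    // before the name is ever combined with a path.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$/', $requested)) {
        return null;
    }

    $base = realpath(ALLOWED_DIR);
    $path = realpath(ALLOWED_DIR . DIRECTORY_SEPARATOR . $requested);

    // Defence in depth: realpath() resolves symlinks and '..', so anything
    // that does not resolve to a regular file directly under $base is refused.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return file_get_contents($path);
}

$contents = safe_read((string) ($_REQUEST['fakename'] ?? ''));
if ($contents === null) {
    http_response_code(400);
    exit('invalid file name');
}
header('Content-Type: text/plain');
echo $contents;
```

The character allowlist does the real work; the realpath() prefix check is a second line of defence against symlinks placed inside the allowed directory. Requests for names that fail either check are a useful detection signal, since a legitimate client of this script has no reason to send separators or traversal sequences.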
Sensitive Information Disclosure
The password of the ‘admin’ user is used as an encryption key for some contents and is written in clear text inside a file called install.2.log during the setup process:
C:\Program Files\Trend Micro\Threat Intelligence Manager\install.2.log
DEBUG - SHA256Crypt::crypt key: MYPASS472384@F
By combining the Arbitrary File Reading and Sensitive Information Disclosure vulnerabilities it is possible to read this password and log in to the target application as the 'admin' user.
Once logged in, it is possible to trigger several eval() injection vulnerabilities through a custom HTTP request method. The vulnerable code is found in C:\Program Files\Trend Micro\Threat Intelligence Manager\web\htdocs\middleware_rev\handlers\proxy\proxy.php:
Vulnerable code can be found near line 68:
eval('$http_method = HTTP_METH_' . $_SERVER['REQUEST_METHOD'] . ';');
The $_SERVER['REQUEST_METHOD'] value is concatenated into PHP source without validation, so a remote user can supply a custom request method to inject arbitrary PHP code:
POST;system($_GET[cmd]);// /somepath/?cmd=command HTTP/1.1
Given this a remote attacker could execute arbitrary script code/commands with NT AUTHORITY\SYSTEM privileges.
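As an added example (not the product's code), the eval() line above can be replaced by a fixed lookup, so the request method is never interpolated into PHP source and unknown methods are rejected. The HTTP_METH_* constants come from the pecl_http 1.x extension that the original line relies on; the numeric fallbacks and the list of accepted methods below are assumptions made so the example runs on its own.

```php
<?php
// Added example, not the product's code: the eval() in proxy.php replaced by
// a fixed lookup. Only the listed methods are accepted.
// The numeric fallbacks are placeholders (assumption) so the example runs
// without pecl_http loaded; with the extension present its constants are used.
foreach (['GET' => 1, 'HEAD' => 2, 'POST' => 3, 'PUT' => 4, 'DELETE' => 5] as $m => $v) {
    if (!defined('HTTP_METH_' . $m)) {
        define('HTTP_METH_' . $m, $v);
    }
}

// Methods this handler is willing to forward (assumed list for the example).
const ALLOWED_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE'];

function resolve_http_method(string $method): ?int
{
    // Exact, case-sensitive match against the allowlist; a method carrying
    // anything other than one of these tokens is rejected before any lookup.
    if (!in_array($method, ALLOWED_METHODS, true)) {
        return null;
    }
    return constant('HTTP_METH_' . $method);
}

$http_method = resolve_http_method($_SERVER['REQUEST_METHOD'] ?? '');
if ($http_method === null) {
    http_response_code(405);
    header('Allow: ' . implode(', ', ALLOWED_METHODS));
    exit('method not allowed');
}
// $http_method now holds the HTTP_METH_* value the rest of proxy.php expects.
```

The same restriction can be enforced before PHP runs at all: in Apache, a `<LimitExcept GET POST HEAD>` block with `Require all denied` rejects every other method at the server level. Request methods in access logs that are not one of the standard tokens are a clear indicator of attempts against this class of bug.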
Affected version: Trend Micro Threat Intelligence Manager 126.96.36.1998
The vendor has released a patch to address these issues, titled "[Vulnerability Confirmation] Susceptibility of system password to be uncovered by attackers of Threat Intelligence Manager (TIM)".
A single CVE entry has been given to all three vulnerabilities: CVE-2014-2204.