Thursday, 17 August 2017

RCE in Trend Micro IMSVA 9.1

Found on 16.08.2017 during some research. Maybe you will find it useful.

And, yeah... it's for authenticated users only. Anyway... ;) Have fun.


The version we are talking about is described here.

Judging by some Google results, I was wondering whether I would find something similar.

Let's skip the part related to a few XSS bugs...


...results with HTML injected inside the table:


... "h4x0r magic" with Burp Free:


;]
...and... we are here:


...and, to not talk about XSS anymore here, one more picture as a hint:

So. Let's get back to that "RCE".

The admin panel is vulnerable to injection (at first I assumed it was 'only good for a DoS'). Period.

Check this out:

While testing the web app available on port 8445/tcp I was wondering why my session (for the logged-in user) was being dropped (during one payload or another). I logged in to the VM to check the HTTP logs. This is what I found:

You can easily spot the long line with "AAAAAA...". This is one of the 'payloads' (let's say ;)).
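Spotting that line by eye works once; if you want the same check to run over a whole access log, the script below does it. It is an added example written for this post, not the author's tooling and not anything shipped with IMSVA: it parses constructed access-log lines in a common combined-log shape (the `/summary.imss` path and the parameter names are made up for the demo), URL-decodes each query parameter, and flags two things a command-injection probe tends to leave behind: shell metacharacters in a value, and long runs of one repeated character like the "AAAA..." above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines for the demo. The path and the
# parameter values are invented; only the sys_desname name comes from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2017:10:01:12 +0200] "GET /summary.imss?sys_desname=mail01 HTTP/1.1" 200 5120
10.0.0.5 - - [16/Aug/2017:10:02:40 +0200] "GET /summary.imss?sys_desname=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 500 210
10.0.0.5 - - [16/Aug/2017:10:03:03 +0200] "GET /summary.imss?sys_desname=mail01%3B%20id HTTP/1.1" 302 0
10.0.0.5 - - [16/Aug/2017:10:03:30 +0200] "POST /login.imss HTTP/1.1" 200 1200
"""

# The quoted request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let a value break out of a shell command: ; & | ` newline, $(
SHELL_META_RE = re.compile(r'[;&|`\n]|\$\(')
# 20 or more copies of the same character in a row ("AAAA...", "////...").
LONG_RUN_RE = re.compile(r'(.)\1{19,}')


def classify_value(value):
    """Return the reasons a decoded parameter value looks like a probe (empty if none)."""
    reasons = []
    if SHELL_META_RE.search(value):
        reasons.append("shell-metachar")
    if LONG_RUN_RE.search(value):
        reasons.append("long-run")
    return reasons


def scan_log(text):
    """Scan access-log text and return one finding per suspicious query parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so %3B%20 shows up as "; " here.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "line": lineno,
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['reasons'])}")
```

Only GET query strings are inspected, because that is all a standard access log records; POST bodies (where an admin panel usually sends its form fields) need a request log from the app or a proxy in front of it.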

So. I was wondering if we could achieve results similar to the bugs described:
- here - as CVE-2017-11392
- here - as CVE-2017-11391
- or here - as CVE-2017-6340

As we have already seen some XSS, let's see what we have here:

After sending some requests I saw this message (and the "logged-in" session was destroyed):



The next thing I decided to do was to try to escape from the command started by the web app during the request. One of the example requests below:


Simple enough to find that:


So now we are here:


As you can see, the sys_desname parameter is vulnerable to command injection.
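The mechanism behind that screenshot, as an added example that is not the panel's real code (IMSVA's handler for sys_desname is not public and the post does not show it): a hypothetical handler that pastes the parameter into a shell command line, beside a hardened version. `echo` stands in for whatever command the real panel runs, so the demo is harmless to execute; a value such as `mail01; echo INJECTED` shows the second command being run by the vulnerable variant and rejected by the hardened one.

```python
import re
import subprocess

# Hypothetical stand-in for the admin panel's handler: the hostname from the
# sys_desname parameter is concatenated into a command string and run through
# /bin/sh. Anything after ';', '|', '&', '`' or '$(' becomes a second command.
def lookup_vulnerable(sys_desname):
    cmd = "echo host=" + sys_desname          # string built from user input
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# A hostname label set: letters, digits, dots and hyphens, bounded length.
HOSTNAME_RE = re.compile(r'[A-Za-z0-9](?:[A-Za-z0-9.-]{0,62})')


def lookup_hardened(sys_desname):
    """Same lookup with two fixes: allow-list the value, and never go through a shell."""
    if not HOSTNAME_RE.fullmatch(sys_desname):
        raise ValueError("sys_desname is not a valid hostname")
    # argv list, shell=False: the value reaches the program as one argument,
    # so shell metacharacters have no meaning even if the check above were loosened.
    return subprocess.run(["echo", "host=" + sys_desname],
                          shell=False, capture_output=True, text=True).stdout


def lookup_argv_only(sys_desname):
    """Argv list without validation: no injection, but the garbage is passed through verbatim."""
    return subprocess.run(["echo", "host=" + sys_desname],
                          shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "mail01; echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))   # second command runs
    print("argv only: ", repr(lookup_argv_only(payload)))    # passed as one argument
    try:
        lookup_hardened(payload)
    except ValueError as e:
        print("hardened:   rejected:", e)
    print("hardened:  ", repr(lookup_hardened("mail01")))
```

The argv-only variant is there to make the point that the two fixes are independent: dropping the shell removes the injection on its own, while the allow-list is what stops the long "AAAA..." values and anything else the downstream command might choke on.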

(P.S. That is also the reason for the 'destroyed session' in the last line of the picture above ;))

Cheers.