Friday, 12 January 2018

Wipe TrendMicro - Deep Discovery Inspector

Well. This time I found that if you're logged in you can 'wipe' the remote device using one request... Here we go...

TrendMicro's device mentioned before is called "Deep Discovery Inspector". The version I found was described as '2014', so (probably) 1) the bug is already patched; 2) the bug is already known. (I don't know and I will leave it to you (mr. vendor ;]) as an exercise.) Anyway.

Use your default credentials (lmgtfy.com). Now:


In the main dashboard you will see a few tabs. Check: Administration > User Accounts (on the right):


Here you will find the list of users 'available' on the device (afaik, because after the attack (and restarting the device) the default admin user (with our password) is not able to log in again... later).

Now, after I found the bug (using BurpSuite) I prepared a small script in Python to 'verify the bug'. Below you will find the results:



The script is pretty simple ;] but it works, so enjoy.

By the way, even if a proper admin is logged in, he/she can still use the DDI device :]

The session will disappear after logout (or F5, like below) ;)


After F5:


Hm... logout/login again?


logout
login again

So? Restarting the device? No problem, let's try:


So - no.

(btw, maybe you're wondering how to trick the admin into doing the request via the webapp? try with XSS ;]

sample request:


with 'sample' response(s) with XSSed params ;Z

anyway... the "vendor" probably "already knows about it", so I will not waste his time and send an email again. ;*

)

You will find more here. ;]

o/
