Trend Micro Threat Intelligence Manager Arbitrary Code Execution
- Published: 30 Dec 2016
Disclosure timeline:

| Date | Event |
| --- | --- |
| 24/7/2015 | Vulnerability documented |
| 30/7/2015 | Trend Micro contacted via security@trendmicro.com |
| 31/7/2015 | 5 advisories sent to Trend Micro, encrypted with the provided PGP key |
| 10/9/2015 | MWR disclosure timeline requested, due to internal discussions at Trend Micro regarding remediation |
| 20/10/2015 | MWR requests an update from Trend Micro |
| 12/11/2015 | Trend Micro issues a statement and requests coordinated disclosure on 17th November 2015 |
| 15/01/2016 | MWR publishes advisories |
A vulnerability was found in the Trend Micro Threat Intelligence Manager (TIM) which allows an authenticated user to write an arbitrary PHP file to the TEMP directory and then execute it by traversing to and including that file.
By chaining this with other TIM vulnerabilities discovered at the same time, an unauthenticated attacker can achieve arbitrary PHP code execution.
The Threat Intelligence Manager (TIM) interface exposes a file called write_image.php which requires authentication to access and takes two parameters:
- filename
- bdata
The filename parameter specifies the name of the file to be written, and the bdata parameter takes a base64-encoded string which is decoded and written as the contents of that file. The file is written to the Windows TEMP folder (on Windows 7, this is C:\Windows\TEMP). It is not possible to traverse out of this directory, because pathinfo()['basename'] is used to obtain the filename, so the user-supplied path component is not trusted.
Using this vulnerability, it is possible to write an arbitrary file called Proxy.php into C:\Windows\TEMP.
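The basename check described above stops traversal but says nothing about what gets written. The following is an added example (the editor's own code, not the advisory's or Trend Micro's) that models the described check in Python and places a hardened upload check beside it; the function names, the image allowlist and the server-chosen filename policy are the author's assumptions, not TIM's implementation.

```python
"""Why stripping the path from a user-supplied filename is not enough.

Added example, not code from the advisory or from Trend Micro. It models the
check the advisory describes (PHP pathinfo()['basename'] on the caller's
filename, the base64-decoded bdata written unchanged) and contrasts it with a
hardened upload check. Function names, the image allowlist and the storage
policy are the author's own assumptions, not TIM's implementation.
"""
import base64
import binascii
import posixpath
import re
import secrets

TEMP_DIR = "C:/Windows/TEMP"  # destination directory named in the advisory

# Allowlisted image types and the leading bytes each must start with.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
}


def basename_only_target(filename: str) -> str:
    """Model of the weak check: keep only the last path component.

    Like pathinfo()['basename'] on Windows, both separators are honoured, so
    traversal out of TEMP is neutralised. Nothing constrains the extension or
    the content, so a .php name is accepted unchanged.
    """
    last = posixpath.basename(filename.replace("\\", "/"))
    return posixpath.join(TEMP_DIR, last)


def hardened_target(filename: str, bdata: str):
    """Hardened check: returns (path, None) on success or (None, reason)."""
    # 1. Decode strictly; reject anything that is not well-formed base64.
    try:
        data = base64.b64decode(bdata, validate=True)
    except (binascii.Error, ValueError) as exc:
        return None, f"bad base64: {exc}"

    # 2. Refuse any path component at all, not merely traversal sequences.
    if "/" in filename or "\\" in filename:
        return None, "path separators not allowed"

    # 3. The name must be plain and carry an allowlisted image extension.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", filename)
    if not m:
        return None, "filename does not match the allowed pattern"
    ext = m.group(1).lower()
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in IMAGE_MAGIC:
        return None, f"extension .{ext} not allowed"

    # 4. The decoded content must actually look like that image type.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return None, "content does not match the declared image type"

    # 5. Never reuse the caller's name on disk: the server chooses it, so the
    #    caller controls neither the path nor the extension of what is written.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return posixpath.join(TEMP_DIR, stored), None


if __name__ == "__main__":
    junk = base64.b64encode(b"not an image").decode()   # constructed body
    print(basename_only_target("..\\..\\Proxy.php"))     # weak check: accepted
    print(hardened_target("Proxy.php", junk))            # rejected: extension
    print(hardened_target("logo.png", junk))             # rejected: content
    png = base64.b64encode(IMAGE_MAGIC["png"]).decode()
    print(hardened_target("logo.png", png))              # accepted, renamed
```

The point of step 5 is that even a correct extension and magic-byte check leaves the caller naming a file inside a directory the web server may later include from; letting the server pick the name, and storing outside any include or document root, removes the second half of the chain this advisory relies on.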
In addition, the TIM interface also exposes a file called widget_framework2/proxy_controller.php which allows an authenticated user to include and execute a local PHP file via system().
Together with 1, the vulnerabilities described in this advisory would allow an attacker to achieve arbitrary PHP code execution by chaining them in this sequence:
- Write a Proxy.php file to the local TEMP directory (this advisory)
- Execute Proxy.php by traversing to the TEMP directory (this advisory)

It is recommended that access to the management interface of Trend Micro's Threat Intelligence Manager is heavily restricted, as no patch is or will be available.
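Since no patch will be issued, monitoring for the chain above is the remaining control beyond restricting access. The following is an added example (the editor's own code, not the advisory's or Trend Micro's) that scans web-server access logs for the two endpoints named in this advisory and correlates a script-named write with a traversal hit from the same source. The log lines are constructed and assume NCSA combined format; the advisory does not state how TIM logs requests, nor the name of proxy_controller.php's parameter, so "page" below is a placeholder and the detector inspects every query value.

```python
"""Spotting abuse of the two TIM endpoints in web-server access logs.

Added example by the editor, not from the advisory or Trend Micro. The log
lines are constructed for the demo and use NCSA combined format, which is an
assumption (the advisory does not say how TIM logs requests). The query
parameter name used with proxy_controller.php below ("page") is a placeholder:
the advisory does not name it, so the detector inspects every query value.
"""
import re
from urllib.parse import parse_qs, urlsplit, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions the PHP engine may execute; the advisory's vector is a .php name.
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar"}
# Traversal sequences (plain or double-encoded) or a reference to the TEMP
# directory in which write_image.php stores its output.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|windows[/\\]temp)", re.I)

# Constructed sample: one benign image write, one script-named write, one
# traversal include, one benign include.
SAMPLE_LOG = """\
10.0.0.5 - analyst [30/Jul/2015:10:01:02 +0000] "GET /write_image.php?filename=chart.png&bdata=iVBORw0KGgo= HTTP/1.1" 200 12
10.0.0.9 - analyst [30/Jul/2015:10:05:44 +0000] "GET /write_image.php?filename=Proxy.php&bdata=bm90IGFuIGltYWdl HTTP/1.1" 200 12
10.0.0.9 - analyst [30/Jul/2015:10:05:51 +0000] "GET /widget_framework2/proxy_controller.php?page=..%2F..%2F..%2FWindows%2FTEMP%2FProxy HTTP/1.1" 200 88
10.0.0.5 - analyst [30/Jul/2015:10:07:00 +0000] "GET /widget_framework2/proxy_controller.php?page=dashboard HTTP/1.1" 200 501
"""


def analyse(log_text: str) -> list:
    """Return one finding per suspicious request: {ip, ts, status, reasons}."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m["target"])
        path = unquote(parts.path).lower()
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx once
        reasons = []
        if path.endswith("/write_image.php"):
            for name in query.get("filename", []):
                ext = re.search(r"\.[a-z0-9]+$", name.lower())
                if ext and ext.group(0) in SCRIPT_EXT:
                    reasons.append(f"script extension in filename={name}")
        if path.endswith("/proxy_controller.php"):
            for values in query.values():
                for value in values:
                    if TRAVERSAL.search(value):
                        reasons.append(f"traversal or TEMP reference in {value}")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "reasons": reasons})
    return findings


def correlate(findings: list) -> set:
    """Source IPs that both wrote a script-named file and hit the include
    endpoint with a traversal: the full chain the advisory describes."""
    wrote, included = set(), set()
    for f in findings:
        for reason in f["reasons"]:
            if reason.startswith("script extension"):
                wrote.add(f["ip"])
            elif reason.startswith("traversal"):
                included.add(f["ip"])
    return wrote & included


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"], hit["ip"], hit["status"], "; ".join(hit["reasons"]))
    print("chained from:", correlate(hits) or "none")
```

One caveat: if write_image.php receives its parameters in a POST body rather than the query string, the access log will not show the filename at all. In that case the write half of the chain is better caught on the host, by alerting on new files with a script extension appearing in C:\Windows\TEMP, while the include half still shows up in the request log as above.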
Trend Micro’s official response to this vulnerability can be found as follows:
“Thank you for your patience and continuously working with the Trend Micro Vulnerability Response team.
The Trend Micro Threat Intelligence Manager (TIM) has reached its end-of-life, and unfortunately addressing the vulnerabilities you submitted would require substantial efforts to re-architect or build an entirely new product. We strongly recommend our TIM customers to contact sales for further options on a suitable replacement if this is a concern for them."
Refer to attached detailed advisory above.