Trend Micro Threat Intelligence Manager Partial Authentication Bypass

  • Published: 30 Dec 2016


Type

  • Partial Authentication Bypass

Severity

  • High

Affected products

  • Trend Micro Threat Intelligence Manager (TIM)

CVE Reference

  • N/A

Timeline

  • 24/7/2015: Vulnerability documented
  • 30/7/2015: Trend Micro contacted via security@trendmicro.com
  • 31/7/2015: 5 advisories sent to Trend Micro with provided PGP key
  • 10/9/2015: MWR disclosure timeline requested due to internal discussions at Trend Micro RE: remediation
  • 20/10/2015: MWR request update from Trend Micro
  • 12/11/2015: Trend Micro issue statement and request coordinated disclosure on 17th November 2015
  • 15/01/2016: MWR publish advisories

Download the advisory here

A vulnerability was found in the Trend Micro Threat Intelligence Manager (TIM) that allows authentication to be partially bypassed, granting access to functionality that should be restricted to authenticated users. MWR discovered two methods of achieving this.

By chaining together other TIM vulnerabilities discovered with this, an unauthenticated attacker can achieve arbitrary PHP code execution.

Description

The Trend Micro Threat Intelligence Manager (TIM) is made up of two web interfaces: one that listens externally on port 80 (PHP), and one on port 8080 (JSP) that, although it also listens externally, only accepts requests from localhost. The user authenticates only to the PHP interface; the application then internally forwards the authentication request to the JSP interface and assigns valid session IDs for both interfaces. Only the PHP interface session ID is exposed to the user, in the form of the PHPSESSID cookie, whereas the JSP interface session ID is stored inside the user's PHP session under the key ‘session_key’.

Through the abuse of inbuilt functionality, it was possible to generate a session that appears to be a valid authenticated session for the PHP interface only, without any knowledge of valid credentials.
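The two-interface session design described above, modelled in Python as an added example (this is not TIM's or Trend Micro's code; every class, method and field name other than PHPSESSID and ‘session_key’ is an assumption). It contrasts a gate that trusts the PHP session's own authenticated flag with one that also requires a ‘session_key’ the JSP side actually issued, which is the check a session that is "valid for the PHP interface only" fails.

```python
# Added model of the design described above, NOT Trend Micro's code; every name
# except PHPSESSID and 'session_key' is an assumption made for this example.
import secrets


class JspInterface:                     # JSP interface on :8080 (localhost-only)
    def __init__(self, users):
        self.users = users              # constructed sample credentials
        self.sessions = set()           # session IDs issued after a real login
    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid
    def is_valid(self, sid):
        return sid is not None and sid in self.sessions


class PhpInterface:                     # PHP interface on :80, fronting the JSP one
    def __init__(self, backend):
        self.backend = backend
        self.sessions = {}              # PHPSESSID -> session data
    def login(self, user, password):
        # Forward credentials internally; keep the JSP session ID under 'session_key'.
        key = self.backend.login(user, password)
        if key is None:
            return None
        phpsessid = secrets.token_hex(16)
        self.sessions[phpsessid] = {"authenticated": True, "session_key": key}
        return phpsessid
    def weak_gate(self, phpsessid):
        # Trusts the PHP session's own flag: anything that looks authenticated passes.
        return self.sessions.get(phpsessid, {}).get("authenticated", False)
    def strict_gate(self, phpsessid):
        # Also requires a session_key that the JSP interface really issued.
        data = self.sessions.get(phpsessid)
        return bool(data and self.backend.is_valid(data.get("session_key")))


def compare_gates():
    # Constructed scenario: one genuine login and one PHP-only session that
    # carries no JSP session_key (a session "valid for the PHP interface only").
    php = PhpInterface(JspInterface({"admin": "s3cret"}))
    real = php.login("admin", "s3cret")
    orphan = secrets.token_hex(16)
    php.sessions[orphan] = {"authenticated": True}
    return {"real": (php.weak_gate(real), php.strict_gate(real)),
            "orphan": (php.weak_gate(orphan), php.strict_gate(orphan))}
```

The orphan session passes the weak gate but not the strict one, so any privileged handler that only consults the PHP-side flag is the place to look when reviewing similar two-tier designs.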

Impact

This allows authentication to be partially bypassed, allowing access to certain functionality that would normally be only allowed to authenticated users.

However, an unauthenticated attacker can achieve arbitrary PHP code execution by chaining other TIM vulnerabilities discovered together with this vulnerability, in this sequence:

  1. Access to authenticated functionality by an unauthenticated user (this advisory)
  2. Write an arbitrary Proxy.php file to the local TEMP file directory [1]
  3. Execute arbitrary code as ‘NT AUTHORITY/SYSTEM’ in Proxy.php by traversing to the TEMP directory [1]

Solution

It is recommended that access to the management interface of Trend Micro’s Threat Intelligence Manager is heavily restricted, as no patch is available or will be made available. Trend Micro’s official response to this vulnerability is as follows:

“Thank you for your patience and continuously working with the Trend Micro Vulnerability Response team.

The Trend Micro Threat Intelligence Manager (TIM) has reached its end-of-life, and unfortunately addressing the vulnerabilities you submitted would require substantial efforts to re-architect or build an entirely new product. We strongly recommend our TIM customers to contact sales for further options on a suitable replacement if this is a concern for them.”

Technical Details

Refer to the detailed advisory attached above.

Footnotes

  1. Advisory: TrendMicro Threat Intelligence Manager Arbitrary Code Execution