Trend Micro Threat Intelligence Manager Arbitrary Code Execution

  • Type: Arbitrary Code Execution
  • Severity: High
  • Affected products: Trend Micro Threat Intelligence Manager (TIM)
  • CVE Reference: N/A
Timeline

  • 24/7/2015 – Vulnerability documented
  • 30/7/2015 – Trend Micro contacted via security@trendmicro.com
  • 31/7/2015 – 5 advisories sent to Trend Micro with provided PGP key
  • 10/9/2015 – MWR disclosure timeline requested due to internal discussions at Trend Micro RE: remediation
  • 20/10/2015 – MWR request update from Trend Micro
  • 12/11/2015 – Trend Micro issue statement and request coordinated disclosure on 17th November 2015
  • 15/01/2016 – MWR publish advisories

A vulnerability was found in the Trend Micro Threat Intelligence Manager (TIM) which allows an authenticated user to write an arbitrary PHP file to the TEMP directory and then execute it by traversing to and including that file.

By chaining together other TIM vulnerabilities discovered with this, an unauthenticated attacker can achieve arbitrary PHP code execution.

Description

The Threat Intelligence Manager (TIM) interface exposes a file called `write_image.php` which requires authentication to access and takes two parameters:

  • filename
  • bdata

The filename parameter specifies the name of the file to be written, and the bdata parameter takes a base64 encoded string which is decoded and written as the contents of that file. The file is written to the Windows TEMP folder (on Windows 7, this is C:\Windows\TEMP). It is not possible to traverse out of this directory, because the untrusted filename is reduced to its basename via `pathinfo()['basename']` before use; however, this check places no restriction on the file's extension or contents.

Using this vulnerability, it is possible to write an arbitrary file called Proxy.php into C:\Windows\TEMP.

In addition, the TIM interface also exposes a file called `widget_framework2/proxy_controller.php` which allows an authenticated user to include and execute a local PHP file via `system()`.

Impact

Together with [1], the vulnerabilities described in this advisory would allow an attacker to achieve arbitrary PHP code execution by chaining them in this sequence:

  1. Access to authenticated functionality by an unauthenticated user [1]
  2. Write an arbitrary `Proxy.php` file to the local TEMP file directory (this advisory)
  3. Execute arbitrary code as 'NT AUTHORITY/SYSTEM' in `Proxy.php` by traversing to the TEMP directory (this advisory)
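Because no patch exists, the practical defensive measure beyond restricting access is to watch the management interface's web-server logs for the two requests this chain depends on: `write_image.php` being asked to write a file with a script extension (or a base64 payload that decodes to PHP), and `proxy_controller.php` being handed a path that walks up the tree towards TEMP. The following is an added example written for this advisory, not code from MWR or Trend Micro. It assumes a simplified "client method request-uri status" log format, that `write_image.php` sits at the web root, and a hypothetical `page` parameter name for `proxy_controller.php` (the advisory does not name it, so the script inspects every parameter); the sample log lines are constructed.

```python
import base64
import binascii
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample web-server log lines (not taken from the advisory).
# Assumed format: "<client-ip> <method> <request-uri> <status>". The location of
# write_image.php and the "page" parameter name are assumptions; only the script
# names and the TEMP target come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 GET /write_image.php?filename=chart.png&bdata=iVBORw0KGgo= 200
10.0.0.9 GET /write_image.php?filename=Proxy.php&bdata=PD9waHAgZWNobyAxOyA/Pg== 200
10.0.0.9 GET /widget_framework2/proxy_controller.php?page=..%2F..%2F..%2FWindows%2FTEMP%2FProxy.php 200
10.0.0.7 GET /index.php 200
"""

# Extensions a PHP-capable web server would execute if written to disk.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}


def decode_bdata(value):
    """Decode the bdata payload the way write_image.php would; invalid base64 -> b''."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return b""


def analyze_request(line):
    """Return a list of (client, reason) findings for one log line."""
    parts = line.split()
    if len(parts) < 4:
        return []
    client, _method, uri, _status = parts[:4]
    split = urlsplit(uri)
    # Windows filesystems are case-insensitive, so compare script names lowercased.
    script = posixpath.basename(split.path).lower()
    params = parse_qs(split.query, keep_blank_values=True)
    findings = []

    if script == "write_image.php":
        # The handler keeps only the basename, so traversal fails, but the
        # extension and the decoded contents are never checked by the product.
        for name in params.get("filename", []):
            if posixpath.splitext(name.lower())[1] in SCRIPT_EXTENSIONS:
                findings.append((client, "write_image.php asked to write a script file: %s" % name))
        for blob in params.get("bdata", []):
            if b"<?" in decode_bdata(blob):
                findings.append((client, "write_image.php payload decodes to PHP source"))

    elif script == "proxy_controller.php":
        # parse_qs already URL-decoded once; decoding again also catches
        # double-encoded traversal sequences.
        for values in params.values():
            for value in values:
                decoded = unquote(value)
                lowered = decoded.lower()
                if ".." in decoded or "\\temp\\" in lowered or "/temp/" in lowered:
                    findings.append((client, "proxy_controller.php include path leaves the web root: %s" % decoded))

    return findings


def scan_log(text):
    """Run analyze_request over every line and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(analyze_request(line))
    return findings


if __name__ == "__main__":
    for client, reason in scan_log(SAMPLE_LOG):
        print(client, reason)
```

Against the constructed sample, the first and last lines pass silently while the two requests from 10.0.0.9 produce three findings; in practice the script would be pointed at the real access log and its output fed to whatever alerting the management network already has.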

Solution

It is recommended that access to the management interface of Trend Micro's Threat Intelligence Manager be heavily restricted, as no patch is or will be made available.

Trend Micro’s official response to this vulnerability can be found as follows:

“Thank you for your patience and continuously working with the Trend Micro Vulnerability Response team.

The Trend Micro Threat Intelligence Manager (TIM) has reached its end-of-life, and unfortunately addressing the vulnerabilities you submitted would require substantial efforts to re-architect or build an entirely new product. We strongly recommend our TIM customers to contact sales for further options on a suitable replacement if this is a concern for them.”

Technical Details

Refer to attached detailed advisory above.