Trend Micro Threat Intelligence Manager Partial Authentication Bypass

Type: Partial Authentication Bypass
Severity: High
Affected products: Trend Micro Threat Intelligence Manager (TIM)
CVE Reference: N/A
Timeline

24/7/2015 - Vulnerability documented
30/7/2015 - Trend Micro contacted via security@trendmicro.com
31/7/2015 - 5 advisories sent to Trend Micro, encrypted with the provided PGP key
10/9/2015 - MWR disclosure timeline requested due to internal discussions at Trend Micro regarding remediation
20/10/2015 - MWR requests an update from Trend Micro
12/11/2015 - Trend Micro issues a statement and requests coordinated disclosure on 17th November 2015
15/01/2016 - MWR publishes advisories

A vulnerability was found in the Trend Micro Threat Intelligence Manager (TIM) which allows authentication to be partially bypassed, granting access to functionality that should be restricted to authenticated users. MWR discovered two methods to achieve this.

By chaining this issue with other TIM vulnerabilities MWR discovered, an unauthenticated attacker can achieve arbitrary PHP code execution.

Description

The Trend Micro Threat Intelligence Manager (TIM) is made up of two web interfaces: one that listens externally on port 80 (PHP), and one on port 8080 (JSP) that, although it also listens externally, only accepts requests from localhost. The user authenticates only to the PHP interface; the application then internally forwards the authentication request to the JSP interface and assigns valid session IDs for both interfaces. Only the PHP interface session ID is exposed to the user, in the form of the PHPSESSID cookie, whereas the JSP interface session ID is stored inside the PHP session under the key ‘session_key’.

Through the abuse of inbuilt functionality, it was possible to generate a session that appears to be a valid authenticated session for the PHP interface only, without knowledge of any credentials.

Impact

This allows authentication to be partially bypassed, giving access to certain functionality that would normally only be available to authenticated users.

However, an unauthenticated attacker can achieve arbitrary PHP code execution by chaining this vulnerability with other TIM vulnerabilities MWR discovered, in this sequence:

  1. Access to authenticated functionality by an unauthenticated user (this advisory)
  2. Write an arbitrary `Proxy.php` file to the local TEMP file directory 1
  3. Execute arbitrary code as ‘NT AUTHORITY\SYSTEM’ in `Proxy.php` by traversing to TEMP directory 1

Solution

It is recommended that access to the management interface of Trend Micro’s Threat Intelligence Manager is heavily restricted, as no patch is available and none will be released.
Trend Micro’s official response to this vulnerability is as follows:

“Thank you for your patience and continuously working with the Trend Micro Vulnerability Response team.

The Trend Micro Threat Intelligence Manager (TIM) has reached its end-of-life, and unfortunately addressing the vulnerabilities you submitted would require substantial efforts to re-architect or build an entirely new product. We strongly recommend our TIM customers to contact sales for further options on a suitable replacement if this is a concern for them.”
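One way to apply the restriction recommended above on the TIM host itself, as Windows Firewall rules. This is an added example, not code from MWR or Trend Micro; it assumes TIM runs on Windows Server 2012 or later (NetSecurity module present) and uses 10.0.0.0/24 as a placeholder for the management network that is allowed to reach the console.

```powershell
# Added example (not from the MWR advisory or Trend Micro): compensating
# host firewall rules for a TIM server, since no patch will be released.
# Run from an elevated PowerShell prompt on the TIM host.
$MgmtSubnet = '10.0.0.0/24'   # placeholder, replace with the admin network

# 1. Deny every inbound connection unless an explicit rule allows it.
#    With this default, TCP/8080 (the JSP backend that should only serve
#    localhost) gets no allow rule at all, so remote access to it is
#    dropped at the firewall as well as by the application.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any existing inbound allow rule that opens the two TIM ports
#    (80 = PHP console, 8080 = JSP backend) more widely than intended.
Get-NetFirewallPortFilter -All |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -in '80','8080') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# 3. Allow the PHP console (TCP/80) only from the management subnet.
New-NetFirewallRule -DisplayName 'TIM console (TCP/80) - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress $MgmtSubnet -Action Allow

# 4. Show what is now permitted inbound on the two ports, for the change record.
Get-NetFirewallPortFilter -All |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -in '80','8080') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Format-Table DisplayName, Action, Profile
```

Windows Firewall evaluates block rules before allow rules, so the subnet-scoped allow rule is only effective once broader allow rules are disabled and the profile default is Block, which is why steps 1 and 2 come first.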

Technical Details

Refer to attached detailed advisory above.