#!/usr/local/bin/python
"""
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability

Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/

File: TDA_InstallationCD.2.6.1062r1.en_US.iso
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1

Summary:
========

There exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. This can result in an attacker causing a DoS or bypassing authentication.

Exploitation:
=============

An attacker can use this vulnerability to bypass authentication by resetting the default password back to 'admin'.

1. Delete the config file /opt/TrendMicro/MinorityReport/etc/igsa.conf
2. Wait for the server to be rebooted...

It is highly likely the server will be rebooted because the deletion of the config file causes a DoS condition whereby nobody can even log in... (since the md5 hashed pw is stored in the config file).

Notes:
======

- (Un)fortunately, we were not able to find a pre-authenticated way to reboot the server, hence requiring slight user interaction (or patience)
- No username required!

Example:
========

saturn:trend_micro_threat_discovery_logoff_auth_bypass mr_me$ ./poc.py
(+) usage: ./poc.py
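The root cause described above is a file-deleting CGI handler that never confines the caller-supplied path to its own directory. As an added illustration (not the appliance's code; the real parameter names and session directory are not shown on this page and are assumed), here is the hardened shape of such a "remove the session file" step, rejecting anything that resolves outside the configured directory:

```python
import os
import tempfile
from typing import Optional

# Added illustration, not Trend Micro's code. The advisory describes logoff.cgi
# deleting a caller-chosen path as root; this confines the path to one directory.

def resolve_confined(base_dir: str, user_value: str) -> Optional[str]:
    """Return the real path of user_value inside base_dir, or None if it escapes."""
    if not user_value or "\x00" in user_value:
        return None
    base = os.path.realpath(base_dir)
    # realpath also resolves symlinks, so a link inside base_dir pointing at
    # /opt/... ends up outside base and is rejected like a plain ../ sequence.
    candidate = os.path.realpath(os.path.join(base, user_value))
    # commonpath (not startswith) avoids the /srv/sess vs /srv/sess2 prefix bug
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate

def safe_delete_session_file(base_dir: str, user_value: str) -> bool:
    """Delete only a regular file that really lives under base_dir."""
    target = resolve_confined(base_dir, user_value)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True

def demo() -> dict:
    """Exercise the check against constructed inputs in a throwaway directory."""
    base = tempfile.mkdtemp(prefix="sessions_")
    with open(os.path.join(base, "sess_1"), "w") as fh:
        fh.write("constructed session record\n")
    results = {
        # traversal, absolute, NUL-injected and directory inputs must all be refused
        "traversal": safe_delete_session_file(base, "../../../etc/passwd"),
        "absolute": safe_delete_session_file(base, "/opt/TrendMicro/MinorityReport/etc/igsa.conf"),
        "nul_byte": safe_delete_session_file(base, "sess_1\x00.conf"),
        "directory": safe_delete_session_file(base, "."),
        # the legitimate case still works, and only once
        "legit": safe_delete_session_file(base, "sess_1"),
        "legit_again": safe_delete_session_file(base, "sess_1"),
    }
    os.rmdir(base)
    return results

if __name__ == "__main__":
    print(demo())
```

Running the handler as an unprivileged user rather than root is the second half of the fix; the confinement check only limits what a traversal can reach, not what the process could do with it.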