Trend Micro Control Manager SQL Injection Vulnerability

Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese version) and version 6 build 1449 (English version only) are susceptible to SQL Injection. The application does not properly filter user-supplied input. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input to the back-end database, such as execute SQL command to upload and execute arbitrary code against the target system.
The vulnerable parameter is ‘id’ parameter in the GET request for AdHocQuery_Processor.aspx page. According to Trend Micro Control Manager help page, an Ad Hoc Query is a direct request to the Control Manager database for information. The query uses data views to narrow the request and improve performance. After specifying the data view, users can further narrow their search by specifying filtering criteria for the request.

Version Affected

Trend Micro Control Manager 5.5 prior to 5.5.0.1823 (English and Japanese version)
Trend Micro Control Manager 6 prior to 6.0.0.1449 (English version)

Impact

An attacker with access to the Trend Micro Control Manager web interface can conduct a SQL injection attack, which could be used to result in information leakage, arbitrary code execution and/or denial of service.

Solution

The vendor has stated that these vulnerabilities have been addressed in Trend Micro Control Manager version 5.5 and 6.0 critical patches.
Critical patch available for SQL injection attacks in Control Manager (TMCM)
http://esupport.trendmicro.com/solution/en-us/1061043.aspx
Control Manager 6 – Product Patch
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4202 – fragment-4248
Control Manager 5.5 – Product Patch
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=1763 – fragment-1845
Trend Micro Control Manager 5.5 – Patch (Japanese only)
http://downloadcenter.trendmicro.com/index.php?regs=jp&clk=tbl&clkval=3432 – fragment-3462

Proof of Concept

https://github.com/modpr0be/exploit-dev/blob/master/exploit-repo/controlmanager-trendmicro/poc.py

References

JVN#42014489 – http://jvn.jp/en/jp/JVN42014489/index.html
VU#950795 – http://www.kb.cert.org/vuls/id/950795

 

Tags
modpr0be
modpr0be

Posisi saya saat ini sebagai direktur dan pemilik PT Spentera, sebuah perusahaan yang fokus dalam bidang penetration test, incident response, intrusion analysis and forensic investigation.

Saya juga berkontribusi untuk repositori eksploit Metasploit Framework sebagai pengembang kode eksploit. Saat ini memegang sertifikasi dari Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001: 2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA), dan Offensive Security Exploitation Expert (OSEE).

Jika ingin menghubungi saya dapat melalui email bisnis di tom at spentera dot id atau pribadi di me at modpr0 dot be

Articles: 64

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.