CVE-2016-7547
Published 2017-04-12
CVE-2016-7547: A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface.
Priority P2 (79) · Critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit indexed (Metasploit module, listed below)
EPSS: 92.72% (99.8th percentile)
Affected
1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendmicro | threat_discovery_appliance | 2.6.1062r1 (the only version named in the advisory text) | — |
Detection & IOCs (extracted from sources)

- Monitor HTTP requests to admin_sys_time.cgi whose `timezone` parameter (POST body or query string) contains shell metacharacters such as `;`, `|`, `&`, `$(...)` or backticks; that parameter is the command-injection point for CVE-2016-7547. A `/` on its own is not an indicator, since legitimate zone names such as Europe/Berlin contain one.
- Flag requests to logoff.cgi that trigger its file delete (CVE-2016-7552, a directory-traversal file delete reached through logoff.cgi that resets the admin password to 'admin' once the appliance reboots); it is commonly chained ahead of CVE-2016-7547.
- Alert on repeated heartbeat/polling requests to the appliance followed by a login with the default credentials ('admin'/'admin') and then a POST to admin_sys_time.cgi; that is the sequence the Metasploit module performs.
- The authentication bypass (CVE-2016-7552) only takes effect after a reboot, and CVE-2016-7547 is reachable on its own once valid credentials are known, so the bypass step is optional for the attacker and its absence does not rule out exploitation. Note that the NVD vector scores PR:N, while the indexed Metasploit module logs in before sending the injection.
- Both the CVE and the Metasploit module are confirmed only against Threat Discovery Appliance 2.6.1062r1; scope detection rules to that appliance version.
- The password reset caused by the logoff.cgi file delete locks out the legitimate administrator; an unexplained admin lockout on this appliance should be treated as an attack precursor rather than a benign misconfiguration.
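The three detection bullets above can be run as one piece of logic over web-server access records. The following is an added example, not code from the page's sources or from the Metasploit module: it checks each request for the two single-request IOCs (traversal in a cookie sent to logoff.cgi, shell metacharacters in the `timezone` parameter of admin_sys_time.cgi) and correlates per source IP the full chain of file delete, default-credential login, then POST to admin_sys_time.cgi. The record layout, the login endpoint `/cgi-bin/login.cgi`, the `username`/`password` field names, the `session_id` cookie name and the traversal value in the sample are assumptions constructed for the example; the page does not name the login handler.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs, unquote

# Shell metacharacters that would break out of the timezone value. "/" is deliberately
# absent: legitimate zone names such as Europe/Berlin contain it.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# "../" (or "..\") path segments inside a cookie value.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Assumed login endpoint and field names (not given on the page).
LOGIN_PATH = "/cgi-bin/login.cgi"
DEFAULT_CREDS = ("admin", "admin")

@dataclass
class Request:
    ts: int                 # epoch seconds (constructed)
    src: str                # client IP
    method: str
    uri: str
    body: str = ""          # url-encoded form body, if any
    cookies: dict = field(default_factory=dict)

def path_of(req):
    return urlsplit(req.uri).path

def params_of(req):
    """Merge query-string and form-body parameters into one dict of value lists."""
    merged = parse_qs(urlsplit(req.uri).query, keep_blank_values=True)
    for k, v in parse_qs(req.body, keep_blank_values=True).items():
        merged.setdefault(k, []).extend(v)
    return merged

def check_timezone_injection(req):
    """CVE-2016-7547: shell metacharacters in admin_sys_time.cgi's timezone parameter."""
    if not path_of(req).endswith("/admin_sys_time.cgi"):
        return None
    for value in params_of(req).get("timezone", []):
        # parse_qs already decoded once; unquote again so a double-encoded value is not missed
        if SHELL_META.search(unquote(value)):
            return f"cmdi attempt in timezone={value!r} from {req.src}"
    return None

def check_logoff_delete(req):
    """CVE-2016-7552 precursor: traversal sequences in any cookie sent to logoff.cgi."""
    if not path_of(req).endswith("/logoff.cgi"):
        return None
    for name, value in req.cookies.items():
        if TRAVERSAL.search(unquote(value)):
            return f"file-delete traversal via logoff.cgi cookie {name}={value!r} from {req.src}"
    return None

def is_default_login(req):
    p = params_of(req)
    return (req.method == "POST" and path_of(req) == LOGIN_PATH
            and (p.get("username", [None])[0], p.get("password", [None])[0]) == DEFAULT_CREDS)

def detect(requests, window=7 * 24 * 3600):
    """Return alerts for the single-request IOCs plus the full chain per source:
    logoff.cgi delete -> default-credential login -> POST to admin_sys_time.cgi."""
    alerts, stage = [], {}   # stage[src] = (step reached, timestamp of the logoff delete)
    for req in sorted(requests, key=lambda r: r.ts):
        delete_hit = check_logoff_delete(req)
        cmdi_hit = check_timezone_injection(req)
        alerts.extend(h for h in (delete_hit, cmdi_hit) if h)
        step, t0 = stage.get(req.src, (0, req.ts))
        if delete_hit:
            stage[req.src] = (1, req.ts)
        elif step == 1 and is_default_login(req) and req.ts - t0 <= window:
            stage[req.src] = (2, t0)
        elif step == 2 and req.method == "POST" and path_of(req).endswith("/admin_sys_time.cgi"):
            alerts.append(f"full bypass+cmdi chain from {req.src} (started {req.ts - t0}s earlier)")
            stage.pop(req.src)
    return alerts

# Constructed sample traffic: one attacker following the module's sequence, one real admin.
SAMPLE = [
    Request(1000, "10.0.0.5", "GET", "/cgi-bin/logoff.cgi",
            cookies={"session_id": "../../etc/example.conf"}),   # constructed traversal value
    Request(1600, "10.0.0.5", "GET", "/"),                        # heartbeat while waiting for reboot
    Request(2200, "10.0.0.5", "GET", "/"),
    Request(2800, "10.0.0.5", "POST", LOGIN_PATH, body="username=admin&password=admin"),
    Request(2810, "10.0.0.5", "POST", "/cgi-bin/admin_sys_time.cgi", body="timezone=UTC%3Bid"),
    Request(3000, "192.168.1.9", "POST", "/cgi-bin/admin_sys_time.cgi", body="timezone=Europe%2FBerlin"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The chain correlation is keyed on source IP and a generous time window because the module waits for an administrator to reboot the box, which can take hours; the two single-request checks fire regardless of the chain, so an attacker who already holds credentials and skips the logoff.cgi step is still caught by the timezone check.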
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-mc6f-m3hx-rw27 · ghsa_unreviewed · 2022-05-17 · CVE-2016-7547 [CRITICAL]
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface.
Cisco
Vulnerability in GNU glibc Affecting Cisco Products: February 2016
vendor_cisco · 2016-02-19 · CVE-2015-7547 [HIGH] · CWE-119
(This and the following glibc entries are indexed against CVE-2015-7547, the glibc getaddrinfo stack overflow, a different vulnerability whose identifier shares the "7547" suffix; they do not describe the Trend Micro flaw.)
On February 16, 2016, an industry-wide, critical vulnerability in the GNU C library (glibc) was publicly disclosed. Multiple Cisco products incorporate a version of glibc that may be affected by the vulnerability. The vulnerability could allow an unauthenticated, remote attacker to trigger a buffer overflow condition that may result in a denial of service (DoS) condition or allow the attacker to execute arbitrary code on an affected device.
Cisco will release software updates that address this vulnerability. Workarounds that address this vulnerability are not available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc
Bug IDs: CSCuy32284, CSCuy34700, CSCuy34875
Suricata · ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup
suricata · 2016-02-18 · CVE-2015-7547 [HIGH] · CVSS 8.1 · sid 2022543
Rule: alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata · ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack (fb set)
suricata · 2016-02-18 · CVE-2015-7547 [HIGH] · CVSS 8.1 · sid 2022546 (client-side primer: sets the flowbit that sid 2022547 requires)
Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:2; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2024_03_14;)
Suricata · ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA
suricata · 2016-02-18 · CVE-2015-7547 [HIGH] · CVSS 8.1 · sid 2022545
Rule: alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata · ET EXPLOIT Possible 2015-7547 PoC Server Response
suricata · 2016-02-18 · CVE-2015-7547 · sid 2022542
Rule: alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata · ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query
suricata · 2016-02-18 · CVE-2015-7547 [HIGH] · CVSS 8.1 · sid 2022547 (TCP; requires the flowbit set by sid 2022546)
Rule: alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,to_client; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:2; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2024_03_07;)
Suricata · ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup
suricata · 2016-02-18 · CVE-2015-7547 [HIGH] · CVSS 8.1 · sid 2022544
Rule: alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata · ET EXPLOIT Possible 2015-7547 Malformed Server response
suricata · 2016-02-17 · CVE-2015-7547 · sid 2022531
Rule: alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Exploit-DB
glibc - 'getaddrinfo' Remote Stack Buffer Overflow
exploitdb · 2016-09-06 · CVE-2015-7547 [HIGH] · CVSS 8.1
---
/*
add by SpeeDr00t@Blackfalcon (jang kyoung chip)
This is a vulnerability published by Google in the past.
Please refer to the links below.
Reference:
- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
- https://github.com/fjserna/CVE-2015-7547
- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
When Google announced this code (vulnerability),
it was missing information on shellcode.
So, I tried to complete the shellcode.
In the future, I hope to help your study.
(gdb) r
Starting program: /home/haker/client1
Got object file from memory but can't read symbols: File truncated.
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send
sendto 1
TCP Connected with
Exploit-DB
glibc - 'getaddrinfo' Stack Buffer Overflow (PoC)
exploitdb · 2016-02-16 · CVE-2015-7547 [HIGH] · CVSS 8.1
---
Sources:
https://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://github.com/fjserna/CVE-2015-7547
Technical information:
glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.
Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.
Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger tha
Metasploit
Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution
metasploit · CVE-2016-7547 and CVE-2016-7552 [CRITICAL] · CVSS 9.8
This module exploits two vulnerabilities in the Trend Micro Threat Discovery Appliance. The first is an authentication bypass via a file delete in logoff.cgi, which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). The second is a command injection flaw in the timezone parameter of the admin_sys_time.cgi interface (CVE-2016-7547). Note: using the authentication bypass is optional, since it requires that the server be rebooted; the password reset renders the existing authentication useless. Typically, if an administrator can't log in, they will bounce the box. Therefore, this module performs a heartbeat request until the box is bounced and then attempts to log in and to perform
No writeups or analysis indexed.