CVE-2016-7552
published 2017-04-12


Severity: 9.8 critical (CVSS 3.0, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 93.25% (99.8th percentile)
On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.

Affected

1 range

Vendor      Product                      Version range   Fixed in
trendmicro  threat_discovery_appliance   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/logoff.cgi
cookie: session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf
path: ../../../opt/TrendMicro/MinorityReport/etc/igsa.conf
  • HTTP GET request to /cgi-bin/logoff.cgi with a session_id cookie containing directory traversal sequences (e.g., '../') targeting sensitive configuration files should be flagged as exploitation of CVE-2016-7552.
  • Response body containing the string 'Memory map' from a GET /cgi-bin/logoff.cgi request with a traversal session_id cookie indicates successful exploitation.
  • After exploitation, the admin password is reset to 'admin'; monitor for subsequent logins to admin_sys_time.cgi with default credentials followed by timezone parameter manipulation (CVE-2016-7547 chained attack).
  • Unauthenticated requests (no valid session) to /cgi-bin/logoff.cgi with a Cookie header containing path traversal in session_id should be alerted on regardless of HTTP response code.
  • Exploitation requires a subsequent server reboot to take effect: the file deletion resets the admin password only after the appliance is rebooted. The Metasploit module performs heartbeat requests waiting for the box to be bounced before attempting login.
  • This vulnerability is confirmed only on Trend Micro Threat Discovery Appliance version 2.6.1062r1; detections should be scoped to that specific product version.
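The detection rules above can be turned into a small request inspector. The following is an added example, not code from the page or from any vendor or Metasploit source: it parses the Cookie header, extracts session_id, percent-decodes it (repeatedly, to catch double encoding, which goes slightly beyond the plain '../' the rules mention), and raises a high-severity finding for a GET to /cgi-bin/logoff.cgi, escalated to critical when the response body carries the 'Memory map' marker. Traversal in session_id on any other path is reported at medium severity, an extension of the page's rules chosen here. The request records, the `/cgi-bin/other.cgi` path and all function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Values taken from the IOC section above.
TARGET_PATH = "/cgi-bin/logoff.cgi"
SUCCESS_MARKER = "Memory map"

# A '..' segment delimited by '/' or '\' (or at either end of the value).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded) so that
    single- and double-encoded traversal sequences are both normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            cookies[name.strip()] = val.strip()
    return cookies


def session_id_traversal(cookie_header):
    """Return the decoded session_id if it contains a traversal sequence,
    otherwise None."""
    sid = parse_cookies(cookie_header).get("session_id")
    if sid is None:
        return None
    decoded = decode_fully(sid)
    return decoded if TRAVERSAL.search(decoded) else None


def inspect_request(req):
    """Return a list of (severity, message) findings for one request record.
    Record keys (constructed format): method, path, cookie, body."""
    findings = []
    hit = session_id_traversal(req.get("cookie", ""))
    if hit is None:
        return findings
    path = req["path"].split("?", 1)[0]
    if req["method"].upper() == "GET" and path == TARGET_PATH:
        findings.append(("high", "CVE-2016-7552: traversal in session_id cookie to %s (%s)" % (TARGET_PATH, hit)))
        if SUCCESS_MARKER in req.get("body", ""):
            findings.append(("critical", "response contains '%s': exploitation likely succeeded" % SUCCESS_MARKER))
    else:
        # Extension beyond the page's rules: traversal in a session cookie is
        # suspicious on any endpoint, but not attributable to this CVE.
        findings.append(("medium", "traversal in session_id cookie on %s" % path))
    return findings


def scan(requests):
    """Run inspect_request over a batch; return (index, findings) for hits only."""
    results = []
    for i, req in enumerate(requests):
        findings = inspect_request(req)
        if findings:
            results.append((i, findings))
    return results


# Constructed sample records (not captured traffic).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": TARGET_PATH,
     "cookie": "session_id=abc123def456", "body": "OK"},
    {"method": "GET", "path": TARGET_PATH,
     "cookie": "session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf",
     "body": "...Memory map..."},
    {"method": "GET", "path": TARGET_PATH,
     "cookie": "lang=en; session_id=..%2F..%2F..%2Fopt%2FTrendMicro%2FMinorityReport%2Fetc%2Figsa.conf",
     "body": ""},
    {"method": "GET", "path": "/cgi-bin/other.cgi",
     "cookie": "session_id=../../../opt/TrendMicro/MinorityReport/etc/igsa.conf",
     "body": ""},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        for severity, message in findings:
            print("request %d [%s] %s" % (index, severity, message))
```

Because the rules say to alert regardless of HTTP response code, the inspector keys only on the request side; the response body is used solely to escalate severity, so a request that never reaches the appliance still produces the high-severity finding.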

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)