CVE-2016-7552
Published 2017-04-12
Priority P1 · 85 · critical · CVSS 3.0 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (Metasploit module and Nuclei template indexed below)
EPSS: 93.25% (99.8th percentile)
On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.
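The description above is the whole bug class in one sentence: a logoff handler takes the session_id cookie, builds a file path from it, and unlinks that path as root. The following is an added illustration of that pattern and its fix, not the appliance's own code (the real logoff.cgi is a native CGI); the session store layout, the session-id format, the decoy file name and the cookie values are assumptions made for the demo.

```python
"""Added illustration of the bug class behind CVE-2016-7552: a logoff handler
that removes the server-side session file named by the session_id cookie.
This is not the appliance's code; the session store layout, the session-id
format and the file names are assumptions made for the demo."""
import os
import re
import tempfile

# Assumed session-id format: an opaque alphanumeric token, nothing else.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,64}")


def session_id_from_cookie(cookie_header):
    """Return the session_id value from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session_id":
            return value
    return None


def logoff_vulnerable(session_dir, cookie_header):
    """Unsafe pattern: the cookie value is spliced into the path unchecked.
    session_id=../../../../etc/target.conf walks out of the session store,
    and because the real CGI runs as root the unlink hits any file."""
    sid = session_id_from_cookie(cookie_header) or ""
    # os.path.join neither strips '..' nor refuses an absolute session_id
    # (join(dir, "/etc/x") simply returns "/etc/x").
    target = os.path.join(session_dir, sid)
    if os.path.isfile(target):
        os.unlink(target)
    return target


def logoff_hardened(session_dir, cookie_header):
    """Hardened: allow-list the token format, then confirm the resolved path
    still lives directly inside the session store before unlinking."""
    sid = session_id_from_cookie(cookie_header)
    if sid is None or not SESSION_ID_RE.fullmatch(sid):
        raise ValueError("malformed session_id")
    base = os.path.realpath(session_dir)
    target = os.path.realpath(os.path.join(base, sid))
    # Defence in depth: the regex already excludes '/', '.' and '\', but a
    # containment check survives a later relaxation of the allow-list.
    if os.path.dirname(target) != base:
        raise ValueError("session path escapes the session store")
    try:
        os.unlink(target)
    except FileNotFoundError:
        pass  # logging off an unknown session is not an error
    return target


def demo():
    """Run both handlers against a constructed session store and a decoy
    config file; returns what each handler did."""
    with tempfile.TemporaryDirectory() as root:
        sessions = os.path.join(root, "sessions")
        os.mkdir(sessions)
        decoy = os.path.join(root, "target.conf")   # stands in for a root-owned config file
        legit_sid = "8f3a0c1d9e2b4a6f77c2"
        legit = os.path.join(sessions, legit_sid)
        for path in (decoy, legit):
            open(path, "w").close()

        evil_cookie = "lang=en; session_id=../target.conf"  # one hop out of the store
        good_cookie = "lang=en; session_id=" + legit_sid

        logoff_vulnerable(sessions, evil_cookie)
        decoy_deleted_by_vulnerable = not os.path.exists(decoy)
        open(decoy, "w").close()                             # restore for the next run

        try:
            logoff_hardened(sessions, evil_cookie)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        decoy_survives_hardened = os.path.exists(decoy)

        logoff_hardened(sessions, good_cookie)              # a normal logoff still works
        legit_session_removed = not os.path.exists(legit)

    return {
        "decoy_deleted_by_vulnerable": decoy_deleted_by_vulnerable,
        "hardened_rejected": hardened_rejected,
        "decoy_survives_hardened": decoy_survives_hardened,
        "legit_session_removed": legit_session_removed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo uses a single `../` hop because the decoy sits next to the session store; a real attack uses enough `../` to reach the filesystem root, or an absolute path, which `os.path.join` accepts just as readily. Note that the hardened handler rejects the malformed token before touching the filesystem, so nothing is deleted and nothing crashes.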
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendmicro | threat_discovery_appliance | — | — |
Detection & IOCs (extracted from sources)
- HTTP GET requests to /cgi-bin/logoff.cgi whose session_id cookie contains directory traversal sequences (e.g. '../') pointing at configuration files should be flagged as exploitation of CVE-2016-7552.
- A response body containing the string 'Memory map' to such a GET /cgi-bin/logoff.cgi request with a traversal session_id cookie indicates successful exploitation.
- After exploitation and the following reboot, the admin password is reset to 'admin'; monitor for subsequent logins with default credentials followed by requests to admin_sys_time.cgi that manipulate the timezone parameter (chained CVE-2016-7547 command injection).
- Unauthenticated requests (no valid session) to /cgi-bin/logoff.cgi with a Cookie header containing path traversal in session_id should be alerted on regardless of HTTP response code.
- The file deletion happens immediately, but the password reset only takes effect after the appliance is rebooted. The Metasploit module sends heartbeat requests until the box is bounced and then attempts to log in.
- This vulnerability is confirmed only on Trend Micro Threat Discovery Appliance version 2.6.1062r1; scope detections to that product version.
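The indicators above translate into a small amount of detection logic. What follows is an added example, not a rule from the page's sources: it runs over constructed request records shaped like a proxy or WAF log that retains the request path, the Cookie header, form parameters, the status code and a body excerpt. The field names, the placeholder config path and the shell-metacharacter heuristic for the chained CVE-2016-7547 timezone injection are all assumptions.

```python
"""Added detection example for the CVE-2016-7552 IOCs; not from the page's
sources.  Records are constructed to look like a proxy/WAF log that keeps the
request path, Cookie header, form parameters, status and a body excerpt; the
field names and the placeholder config path are assumptions."""
import re
from urllib.parse import unquote

# '../' or '..\' at the start of the value or after a path separator.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
# Heuristic for the chained CVE-2016-7547 timezone command injection
# (assumption: a legitimate timezone never carries shell metacharacters).
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")


def cookie_value(cookie_header, name):
    """Return the named cookie's raw value, or None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def has_traversal(value):
    """Decode twice so plain, %-encoded and double-encoded '../' all match."""
    decoded = unquote(unquote(value))
    return TRAVERSAL_RE.search(decoded) is not None


def analyse(records):
    """Return (record id, tag, message) alerts for a sequence of requests."""
    alerts = []
    exploit_succeeded = False
    for rec in records:
        path = rec["path"].partition("?")[0]
        if path.endswith("/cgi-bin/logoff.cgi"):
            sid = cookie_value(rec.get("cookie", ""), "session_id")
            if sid is None or not has_traversal(sid):
                continue
            # Alert on the attempt whatever the status code (fourth IOC above).
            alerts.append((rec["id"], "traversal",
                           f"CVE-2016-7552 traversal in session_id, HTTP {rec['status']}"))
            if "Memory map" in rec.get("body", ""):
                alerts.append((rec["id"], "success",
                               "CVE-2016-7552 file deletion confirmed ('Memory map' in response)"))
                exploit_succeeded = True
        elif path.endswith("/cgi-bin/admin_sys_time.cgi"):
            tz = rec.get("params", {}).get("timezone", "")
            if SHELL_META_RE.search(tz):
                tag = "cmdi-chained" if exploit_succeeded else "cmdi"
                alerts.append((rec["id"], tag,
                               f"CVE-2016-7547 shell metacharacters in timezone: {tz!r}"))
    return alerts


# Constructed sample traffic (not captured from a real appliance).
SAMPLE_REQUESTS = [
    {"id": 1, "path": "/cgi-bin/logoff.cgi", "status": 200,          # benign logoff
     "cookie": "session_id=8f3a0c1d9e2b4a6f", "body": "<html>Logged off</html>"},
    {"id": 2, "path": "/cgi-bin/logoff.cgi", "status": 500,          # attempt, non-200 reply
     "cookie": "session_id=../../../../../../etc/target.conf", "body": ""},
    {"id": 3, "path": "/cgi-bin/logoff.cgi", "status": 200,          # %-encoded, succeeded
     "cookie": "lang=en; session_id=%2e%2e%2f%2e%2e%2fetc%2ftarget.conf",
     "body": "... Memory map: ..."},
    {"id": 4, "path": "/cgi-bin/admin_sys_time.cgi", "status": 200,  # post-reboot chain
     "cookie": "session_id=c0ffee", "params": {"timezone": "UTC;id>/tmp/o"}},
    {"id": 5, "path": "/cgi-bin/admin_sys_time.cgi", "status": 200,  # legitimate change
     "cookie": "session_id=c0ffee", "params": {"timezone": "Europe/Amsterdam"}},
]


if __name__ == "__main__":
    for rid, tag, msg in analyse(SAMPLE_REQUESTS):
        print(f"request {rid}: [{tag}] {msg}")
```

Request 2 is flagged even though the server answered 500, and request 3 is caught despite the percent-encoding because the value is decoded before the traversal check. The "no valid session" qualifier from the IOC list is not evaluated here: a log does not know the appliance's session table, and a traversal sequence in session_id is never legitimate, so matching on it alone is sufficient.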
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Metasploit
Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution
metasploit · CVSS 9.8
This module exploits two vulnerabilities in the Trend Micro Threat Discovery Appliance. The first is an authentication bypass via a file delete in logoff.cgi which resets the admin password back to 'admin' upon a reboot (CVE-2016-7552). The second is a command injection (cmdi) flaw using the timezone parameter in the admin_sys_time.cgi interface (CVE-2016-7547). Note: you have the option to use the authentication bypass or not, since it requires that the server is rebooted. The password reset will render the authentication useless. Typically, if an administrator can't log in, they will bounce the box. Therefore, this module performs a heartbeat request until the box is bounced and then attempts to log in and to perform
Nuclei
Trend Micro Threat Discovery Appliance 2.6.1062r1 - Authentication Bypass
nuclei · CVSS 9.8
Trend Micro Threat Discovery Appliance 2.6.1062r1 is vulnerable to a directory traversal vulnerability when processing a session_id cookie, which allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.
Template (info block as indexed):

```yaml
id: CVE-2016-7552

info:
  name: Trend Micro Threat Discovery Appliance 2.6.1062r1 - Authentication Bypass
  author: dwisiswant0
  severity: critical
  description: Trend Micro Threat Discovery Appliance 2.6.1062r1 is vulnerable to a directory traversal vulnerability when processing a session_id cookie, which allows a remote, unauthenticated attacker to delete arbitrary files as root. This can be used to bypass authentication or cause a DoS.
```
No writeups or analysis indexed.