cbcvebase.
CVE-2017-11394
published 2017-08-03


Priority: P183
Severity: critical (CVSS 3.0 base score 9.8)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EXPLOIT (a public exploit is known for this CVE)
EPSS: 66.77% (99.2th percentile)
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI-CAN-4544.

Affected (3 ranges)

Vendor        Product                  Version range   Fixed in
trend_micro   trend_micro_officescan   (not listed)    (not listed)
trendmicro    officescan               (not listed)    (not listed)
trendmicro    officescan               (not listed)    (not listed)

Detection & IOCs (extracted from sources)

port: 443
path: /officescan/console/html/widget/ui/modLogin/talker.php
path: /officescan/console/html/widget/proxy_controller.php
path: /officescan/console/html/widget/index.php
cookie: LANG=en_US; LogonUser=root; userID=1; wf_CSRF_token=<csrf_token>
command: TOP=2>&1||<payload>
  • Detect POST requests to proxy_controller.php under the OfficeScan widget path that carry the 'module=modTMCSS' parameter; this is the endpoint that triggers the injection.
  • Detect POST requests to talker.php with the parameter act=check and a random hash value, which indicates an authentication bypass attempt against the widget framework.
  • Alert on HTTP responses containing the string 'Proxy execution failed: exec report.php failed'; this confirms the command injection is present and reachable.
  • Alert on HTTP responses from talker.php containing 'login successfully', which indicates a successful authentication bypass via the widget framework.
  • Monitor for the crafted cookie pattern 'LogonUser=root; userID=1' in requests to OfficeScan management interface paths; this is the forged identity used in the exploit chain.
  • The exploit chains an auth bypass (talker.php) with command injection (proxy_controller.php / the T parameter of Proxy.php). Correlate sequential POST requests to both endpoints from the same source IP.
  • The management interface defaults to TCP port 443 (SSL/TLS); ensure TLS inspection is enabled on network monitoring tools, since the request parameters and response strings above are only visible in decrypted traffic.
  • The CSRF token generation differs by version: OfficeScan XG uses MD5(timestamp), while OfficeScan 11 reuses the PHPSESSID value. Detection rules should account for both token formats.
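The bullets above describe six detections and a correlation rule in prose. The script below is an added example, not code from cbcvebase or from Trend Micro, that runs those rules over a handful of constructed log records. It assumes the logs arrive as JSON lines with the fields ts, src_ip, method, path, body, cookie and response (a typical shape for a TLS-terminating reverse proxy or WAF export; real field names will differ), that the "random hash" sent to talker.php is a 32-hex-character parameter value, that the request body is logged URL-encoded as the client sent it, and that a five-minute window is close enough to call two requests a chain. The sample records are invented and are not from a real OfficeScan server.

```python
"""Detection rules for the CVE-2017-11394 exploit chain, run over sample JSON-lines logs."""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

WIDGET_DIR = "/officescan/console/html/widget/"
TALKER_PATH = WIDGET_DIR + "ui/modLogin/talker.php"
PROXY_PATH = WIDGET_DIR + "proxy_controller.php"

HEX32 = re.compile(r"^[0-9a-f]{32}$")             # MD5-shaped value (XG token, or the bypass hash)
SHELL_META = re.compile(r"2>&1|\|\||;|`|\$\(")     # shell metacharacters inside TOP=
FORGED_COOKIE = re.compile(r"LogonUser=root;\s*userID=1\b")
BYPASS_OK = "login successfully"
INJECT_OK = "Proxy execution failed: exec report.php failed"
CHAIN_WINDOW = timedelta(minutes=5)                # assumption: max gap between bypass and injection

# Constructed sample records (not from a real server). The body is URL-encoded as the
# client would send it; "2%3E%261%7C%7Cwhoami" decodes to the page's TOP=2>&1||<payload> form.
SAMPLE_LOGS = """\
{"ts":"2017-08-03T10:00:01Z","src_ip":"10.0.0.5","method":"GET","path":"/officescan/console/html/widget/index.php","body":"","cookie":"LANG=en_US; PHPSESSID=k3j4h5g6","response":""}
{"ts":"2017-08-03T10:00:05Z","src_ip":"198.51.100.7","method":"POST","path":"/officescan/console/html/widget/ui/modLogin/talker.php","body":"act=check&hash=0123456789abcdef0123456789abcdef","cookie":"LANG=en_US","response":"login successfully"}
{"ts":"2017-08-03T10:00:07Z","src_ip":"198.51.100.7","method":"POST","path":"/officescan/console/html/widget/proxy_controller.php","body":"module=modTMCSS&TOP=2%3E%261%7C%7Cwhoami","cookie":"LANG=en_US; LogonUser=root; userID=1; wf_CSRF_token=ab12cd34ef56ab12cd34ef56ab12cd34","response":"Proxy execution failed: exec report.php failed"}
{"ts":"2017-08-03T10:05:00Z","src_ip":"192.0.2.9","method":"POST","path":"/officescan/console/html/widget/proxy_controller.php","body":"module=modTMCSS&TOP=10","cookie":"LANG=en_US; PHPSESSID=ab12cd34; wf_CSRF_token=ab12cd34; LogonUser=admin; userID=2","response":""}
"""


def parse_cookies(header):
    """Split a Cookie header into a dict; later duplicates win, as in PHP's $_COOKIE."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def classify(rec):
    """Return the detection tags (from the bullets above) that apply to one record."""
    tags = []
    path, params, method, body = rec["path"], rec["params"], rec["method"], rec["response"]
    if method == "POST" and path == TALKER_PATH and params.get("act") == ["check"]:
        # assumption: the random hash is any 32-hex parameter value
        if any(HEX32.match(v) for values in params.values() for v in values):
            tags.append("auth_bypass_attempt")
    if path == TALKER_PATH and BYPASS_OK in body:
        tags.append("auth_bypass_success")
    if method == "POST" and path == PROXY_PATH and params.get("module") == ["modTMCSS"]:
        tags.append("injection_endpoint_hit")
        if any(SHELL_META.search(v) for v in params.get("TOP", [])):
            tags.append("command_injection_payload")
    if INJECT_OK in body:
        tags.append("command_injection_confirmed")
    if path.startswith("/officescan/console/") and FORGED_COOKIE.search(rec["cookie_header"]):
        tags.append("forged_identity_cookie")
    return tags


def csrf_token_style(cookies):
    """XG: MD5(timestamp), i.e. 32 hex chars. OfficeScan 11: token equals PHPSESSID."""
    token = cookies.get("wf_CSRF_token")
    if token is None:
        return None
    if token == cookies.get("PHPSESSID"):
        return "officescan11_reuses_phpsessid"
    if HEX32.match(token):
        return "xg_md5_style"
    return "unknown"


def correlate_chain(records):
    """Flag a source IP whose talker.php bypass is followed by a proxy_controller.php hit."""
    last_bypass, chains = {}, []
    for rec in records:                      # records are sorted by timestamp
        if "auth_bypass_attempt" in rec["tags"]:
            last_bypass[rec["src_ip"]] = rec["ts"]
        if "injection_endpoint_hit" in rec["tags"]:
            t0 = last_bypass.get(rec["src_ip"])
            if t0 is not None and timedelta(0) <= rec["ts"] - t0 <= CHAIN_WINDOW:
                chains.append((rec["src_ip"], t0, rec["ts"]))
    return chains


def analyze(log_text):
    """Parse JSON-lines logs, tag each record, and return (records, chains)."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        rec = {
            "ts": datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": raw["src_ip"],
            "method": raw["method"],
            "path": raw["path"],
            "params": parse_qs(raw["body"], keep_blank_values=True),
            "cookie_header": raw["cookie"],
            "cookies": parse_cookies(raw["cookie"]),
            "response": raw["response"],
        }
        rec["tags"] = classify(rec)
        rec["csrf_style"] = csrf_token_style(rec["cookies"])
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records, correlate_chain(records)


if __name__ == "__main__":
    recs, found = analyze(SAMPLE_LOGS)
    for r in recs:
        print(r["ts"].isoformat(), r["src_ip"], r["path"].rsplit("/", 1)[-1], r["tags"], r["csrf_style"])
    for ip, t0, t1 in found:
        print(f"CHAIN: {ip} bypass at {t0.isoformat()} then injection at {t1.isoformat()}")
```

The fourth sample record hits proxy_controller.php with module=modTMCSS but a plain numeric TOP value and no prior talker.php bypass, so it is tagged as an endpoint hit only; the chain rule is what separates widget traffic from the exploit sequence. Because every rule except the cookie pattern keys on request parameters or response bodies, the script only has something to work with if the log source sits behind TLS termination, which is the point of the port 443 note above.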

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C (rated HIGH on the v2 scale, which has no CRITICAL band)