CVE-2017-11394
Published: 2017-08-03
Priority: P183 · critical · CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 66.77% (99.2nd percentile)
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI-CAN-4544.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_officescan | — | — |
| trendmicro | officescan | — | — |
| trendmicro | officescan | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to proxy_controller.php under the OfficeScan widget path containing the 'module=modTMCSS' parameter, which is the injection trigger endpoint.
- Detect POST requests to talker.php with parameters act=check and a random hash value, indicating an authentication bypass attempt against the widget framework.
- Alert on HTTP responses containing the string 'Proxy execution failed: exec report.php failed', which confirms the command injection vulnerability is present and reachable.
- Alert on HTTP responses containing 'login successfully' from talker.php, indicating a successful authentication bypass via the widget framework.
- Monitor for the crafted cookie pattern 'LogonUser=root; userID=1' in requests to OfficeScan management interface paths, as this is the forged identity used in the exploit chain.
- The exploit chains an auth bypass (talker.php) with command injection (proxy_controller.php / Proxy.php T parameter). Correlate sequential POST requests to both endpoints from the same source IP.
- The management interface defaults to TCP port 443 (SSL); ensure SSL inspection is enabled on network monitoring tools to detect this exploit traffic.
- The CSRF token generation differs by version: OfficeScan XG uses MD5(timestamp), while OfficeScan 11 reuses the PHPSESSID value. Detection rules should account for both token formats.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
- Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit) (exploitdb, 2017-10-11, CVE-2017-11394)
Excerpt of the indexed Metasploit module (truncated in the source):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # (module preamble between the class line and the 'Name' entry is missing from the indexed excerpt)
  'Name'        => "Trend Micro OfficeScan Remote Code Execution",
  'Description' => %q{
    This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a
    terminal command under the context of the web server user.
    The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro Officescan product
    has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which
    leads to an authentication bypa
```
Metasploit
- Trend Micro OfficeScan Remote Code Execution (metasploit)

Module description: This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a terminal command under the context of the web server user. The specific flaw exists within the management interface, which listens on TCP port 443 by default. The Trend Micro Officescan product has a widget feature which is implemented with PHP. Talker.php takes ack and hash parameters but doesn't validate these values, which leads to an authentication bypass for the widget. Proxy.php files under the mod TMCSS folder take multiple parameters but the process does not properly validate a user-supplied string before using it to execute a system call. Due to the combination of these vulnerabilities, unauthenticated users can
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/100130
- http://www.zerodayinitiative.com/advisories/ZDI-17-521
- https://success.trendmicro.com/solution/1117769
- https://www.exploit-db.com/exploits/42971/