cbcvebase.
CVE-2017-11398
published 2018-01-19


Priority: P2 · 60 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 8.20% (94.2th percentile)
A session hijacking via log disclosure vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an unauthenticated attacker to hijack active user sessions to perform authenticated requests on a vulnerable system.

Affected (2 ranges)

Vendor         Product                               Version range   Fixed in
trend_micro    trend_micro_smart_protection_server
trendmicro     smart_protection_server               <= 3.2

Detection & IOCs (extracted from sources)

path: /widget/repository/log/diagnostic.log
path: /var/spool/cron/webserv
path: /var/www/AdminUI/php/admin_update_program.php
path: /var/www/AdminUI/php/inc/crontab.php
path: /var/tmcss/pattern/
url: http://<host>/tmcss/?OldBF=1712200300&NewBF=1812200300
url: https://<host>:<port>/widget/repository/log/diagnostic.log
url: https://<host>:<port>/php/admin_update_program.php?sid=<session_id>
command: hidTimingMin=* * * * * <command> #
filename: incdiff_1712200300.1812200300
  • Unauthenticated HTTP GET to /widget/repository/log/diagnostic.log leaks active session IDs in log entries; monitor for unauthenticated access to this path.
  • Session ID is reused as both cookie name and value in POST requests to admin_update_program.php; detect requests where a cookie name matches a session token pattern and the POST body contains hidTimingMin with cron-injection syntax (e.g., '* * * * *').
  • Cron injection payload uses the pattern '* * * * * <command> #' in the hidTimingMin POST parameter; alert on POST requests to admin_update_program.php containing wildcard cron expressions in that field.
  • Disk-filling DoS attack creates large (~17 MB) files named incdiff_<OldBF>.<NewBF> under /var/tmcss/patterns/<NewBF>/; monitor for rapid creation of incdiff_* files in that directory.
  • Monitor for unauthenticated HTTP GET requests to /tmcss/ with OldBF and NewBF query parameters, which trigger creation of large incdiff files and can fill disk.
  • Log entries in diagnostic.log contain session IDs in the 4th comma-delimited field after timestamp and log level; parse this file for session token extraction patterns used by attackers.
  • The session hijacking requires that a legitimate user has recently logged in or browsed, so that a valid session ID is present in the diagnostic log at the time of exploitation.
  • The cron injection RCE executes in the context of the 'webserv' user, not root; privilege escalation via separate unpatched vulnerabilities would be required for full system compromise.
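The detection bullets above, turned into a small checker that runs over request records. This is an added example, not part of this record or of any Trend Micro code; the JSON-lines log format, its field names, the sample records and the hex session-id shape are all assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (not taken from the advisory): one JSON object per
# line, as a reverse proxy with request-body logging might emit.
SAMPLE_LOG = r'''
{"src":"203.0.113.10","method":"GET","url":"/widget/repository/log/diagnostic.log","cookie":"","body":""}
{"src":"203.0.113.10","method":"POST","url":"/php/admin_update_program.php?sid=3f2a9c1e7b4d","cookie":"3f2a9c1e7b4d=3f2a9c1e7b4d","body":"hidTimingMin=* * * * * <command> #&hidTimingHour="}
{"src":"203.0.113.10","method":"GET","url":"/tmcss/?OldBF=1712200300&NewBF=1812200300","cookie":"","body":""}
{"src":"192.0.2.5","method":"GET","url":"/index.php","cookie":"PHPSESSID=abc123","body":""}
'''

CRON_WILDCARD = re.compile(r"^\s*\*(\s+\*){4}")   # five '*' cron fields, per the advisory
TOKEN = re.compile(r"^[0-9a-fA-F]{8,}$")           # assumed shape of a session id

def analyze(rec):
    """Return the names of the detections that fire for one request record."""
    url = urlsplit(rec["url"])
    query = parse_qs(url.query)
    hits = []
    # Unauthenticated read of the diagnostic log that leaks session ids.
    if url.path == "/widget/repository/log/diagnostic.log" and not rec["cookie"]:
        hits.append("unauth-diagnostic-log-read")
    # A cookie whose name equals its value: a session id replayed from the log.
    for pair in rec["cookie"].split(";"):
        name, _, value = pair.strip().partition("=")
        if name and name == value and TOKEN.match(name):
            hits.append("session-id-as-cookie-name")
    # Cron wildcard syntax in hidTimingMin posted to admin_update_program.php.
    if rec["method"] == "POST" and url.path.endswith("/admin_update_program.php"):
        timing = parse_qs(rec["body"]).get("hidTimingMin", [""])[0]
        if CRON_WILDCARD.search(timing):
            hits.append("cron-injection-hidTimingMin")
    # Unauthenticated /tmcss/ request with OldBF and NewBF (incdiff disk filling).
    if url.path == "/tmcss/" and "OldBF" in query and "NewBF" in query and not rec["cookie"]:
        hits.append("unauth-incdiff-generation")
    return hits

def scan(text):
    """Parse JSON-lines records and return (src, url, hits) for each record that alerts."""
    findings = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        hits = analyze(rec)
        if hits:
            findings.append((rec["src"], rec["url"], hits))
    return findings

if __name__ == "__main__":
    for src, url, hits in scan(SAMPLE_LOG):
        print(src, url, ", ".join(hits))
```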

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P