ID

VAR-190001-0537


TITLE

Trend Micro Control Manager 'Cas_LogDirectInsert.aspx' Arbitrary account creation vulnerability

Trust: 1.1

sources: IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-2625 // BID: 48638

DESCRIPTION

ZDI advisory ZDI-11-234 (as posted to the Full-Disclosure mailing list):

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Control Manager. The CVSS v2 vector recorded for this entry (AV:N/AC:L/Au:N, no user interaction) and the attack described below, a single crafted POST to the handler, indicate that neither authentication nor user interaction is required.

The specific flaw exists within the Cas_LogDirectInsert.aspx HTTP handler, which listens by default on TCP port 443. A specially crafted POST request allows remote attackers to supply XML and schema information which is used within queries to the backend database. By supplying malicious values, an attacker can insert a user account of their own choosing, which can then be used to execute code via the management console on the service.

-- Vendor Response:
Trend Micro states: http://esupport.trendmicro.com/solution/en-us/1058280.aspx
Fix is posted at download center: tmcm-55-win-en-criticalpatch1422.exe
http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1763&lang_loc=1
This critical patch resolves the following issue(s):
Issue: A vulnerability allows an attacker to create and insert a user account which can be used to execute code through the management console.
Solution: This critical patch imposes stricter rules for the insertion of system account relative tables to prevent attackers from inserting user accounts.
Reference: http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1422.txt

-- Disclosure Timeline:
2011-04-01 - Vulnerability reported to vendor
2011-07-11 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Andrea Micalizzi aka rgod

Secunia advisory SA45176 (http://secunia.com/advisories/45176/, released 2011-07-13), titled "Trend Micro Control Manager 'Cas_LogDirectInsert.aspx' XML Processing Vulnerability", describes the same issue: a vulnerability has been reported in Trend Micro Control Manager which can be exploited by malicious people to manipulate certain data. The vulnerability is caused by an error in Cas_LogDirectInsert.aspx when processing certain XML and schema information. It is reported in versions 5.0 and 5.5. Solution: apply Critical Patch 1422. Provided and/or discovered by Andrea Micalizzi (rgod) via ZDI. Original advisories: Trend Micro http://esupport.trendmicro.com/solution/en-us/1058280.aspx and ZDI http://www.zerodayinitiative.com/advisories/ZDI-11-234/.
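Detection angle, as an added example (not Trend Micro code and not part of the advisories above): the handler is reached by a plain POST over the normal HTTPS listener, so the IIS W3C logs of the Control Manager server already record every attempt. The sketch below parses that log format and flags POSTs to Cas_LogDirectInsert.aspx from addresses outside the networks where managed agents are expected to report from. The URI prefix, the agent network allowlist and the log lines are constructed for illustration; only the field layout follows the IIS default.

```python
"""Detection sketch for the flaw described above: flag POST requests to
Cas_LogDirectInsert.aspx in IIS W3C extended logs that come from addresses
outside the ranges where managed agents are expected to live.

Added example, not Trend Micro code. The log field order is the IIS default
W3C layout; the agent allowlist, the URI path and the log lines are
constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Iterator

HANDLER = "cas_logdirectinsert.aspx"  # matched case-insensitively on the URI tail

# Assumption: legitimate agents report in from this management network.
KNOWN_AGENT_NETS = [ip_network("10.20.0.0/16")]

# Constructed IIS log excerpt (IIS writes '+' for spaces inside user-agents).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-07-12 09:14:02 10.20.0.5 POST /webapp/cas_logdirectinsert.aspx - 443 - 10.20.3.17 TMCM-Agent/5.5 200 0 0
2011-07-12 09:14:05 10.20.0.5 GET /webapp/login.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 0 0
2011-07-12 09:14:09 10.20.0.5 POST /webapp/cas_logdirectinsert.aspx - 443 - 198.51.100.23 Python-urllib/2.7 200 0 0
2011-07-12 09:15:30 10.20.0.5 POST /WebApp/Cas_LogDirectInsert.aspx - 443 - 203.0.113.9 curl/7.21.0 500 0 0
"""


@dataclass(frozen=True)
class Hit:
    when: str
    client_ip: str
    status: str
    user_agent: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names from the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign
        yield dict(zip(fields, values))


def find_suspicious_posts(lines: Iterable[str]) -> list[Hit]:
    """POSTs to the handler from outside the agent networks.

    The status code is kept on purpose: a 200 from an unexpected source means
    the account table should be inspected, a 500 may be a failed probe."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method") != "POST":
            continue
        if not rec.get("cs-uri-stem", "").lower().endswith(HANDLER):
            continue
        try:
            src = ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue
        if any(src in net for net in KNOWN_AGENT_NETS):
            continue
        hits.append(Hit(f'{rec["date"]} {rec["time"]}', str(src),
                        rec.get("sc-status", "-"), rec.get("cs(User-Agent)", "-")))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample data the two external POSTs are reported and the agent's own upload is not. In a real deployment the allowlist has to reflect where agents actually sit; a hit with status 200 from an address you cannot account for should be followed by a check of the console's user list against what was provisioned.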

Trust: 1.8

sources: ZDI: ZDI-11-234 // CNVD: CNVD-2011-2625 // BID: 48638 // IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d // PACKETSTORM: 102964 // PACKETSTORM: 102995

IOT TAXONOMY

category: ['ICS']  sub_category: -

Trust: 0.8

sources: IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-2625

AFFECTED PRODUCTS

vendor: trend micro  model: control manager  scope: eq  version: 5.5

Trust: 1.1

vendor: trend micro  model: control manager  scope: eq  version: 5.0

Trust: 0.9

vendor: trend micro  model: control manager  scope: -  version: -

Trust: 0.7

vendor: trend micro  model: control manager  scope: eq  version: 5.0*

Trust: 0.2

sources: IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d // ZDI: ZDI-11-234 // CNVD: CNVD-2011-2625 // BID: 48638

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: ZDI-11-234
value: HIGH

Trust: 0.7

IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

ZDI: ZDI-11-234
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d
severity: NONE
baseScore: NONE
vectorString: NONE
accessVector: NONE
accessComplexity: NONE
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: UNKNOWN

Trust: 0.2

sources: IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d // ZDI: ZDI-11-234

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 102964 // CNNVD: CNNVD-201107-130

TYPE

design error

Trust: 0.6

sources: CNNVD: CNNVD-201107-130

PATCH

title: Fix is posted at download center: tmcm-55-win-en-criticalpatch1422.exe (http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1763&lang_loc=1). This critical patch resolves the following issue(s): Issue: A vulnerability allows an attacker to create and insert a user account which can be used to execute code through the management console. Solution: This critical patch imposes stricter rules for the insertion of system account relative tables to prevent attackers from inserting user accounts. Reference: http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_TMCM55_1422.txt
url: http://esupport.trendmicro.com/solution/en-us/1058280.aspx

Trust: 0.7

title: Patch for the Trend Micro Control Manager 'Cas_LogDirectInsert.aspx' arbitrary account creation vulnerability
url: https://www.cnvd.org.cn/patchinfo/show/4369

Trust: 0.6

sources: ZDI: ZDI-11-234 // CNVD: CNVD-2011-2625
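The vendor's description of the fix, "stricter rules for the insertion of system account relative tables", points at the root cause: a log-upload endpoint that lets the caller's XML decide which table and columns receive the row. The following is an added illustration of that class of flaw beside a hardened form; it is not Trend Micro's code, and the XML layout, the table names (LogEvents, SysAccounts) and the column names are assumptions made for the example, since the advisory does not describe the real request format or schema.

```python
"""Added illustration of the flaw class behind this entry: an XML-driven
"direct log insert" endpoint where the XML names the destination table,
beside a hardened version that pins insertable tables and columns.

Not Trend Micro code. The XML layout and the schema (LogEvents, SysAccounts)
are assumptions made for this example."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed schema: one legitimate log table and one system-account table
# that a log-upload endpoint must never be able to write to.
SCHEMA = """
CREATE TABLE LogEvents  (EventTime TEXT, Severity INTEGER, Message TEXT);
CREATE TABLE SysAccounts (UserName TEXT, PasswordHash TEXT, Role TEXT);
"""

# Hardened policy: only these tables, and only these columns of them.
ALLOWED_TABLES = {
    "LogEvents": {"EventTime", "Severity", "Message"},
}

# Constructed requests: an agent's log upload, a request aimed at the
# account table, and a request that smuggles an unknown column.
LEGIT_XML = ('<insert table="LogEvents">'
             '<row EventTime="2011-07-12T09:14:02" Severity="3" Message="agent heartbeat"/>'
             '</insert>')
MALICIOUS_XML = ('<insert table="SysAccounts">'
                 '<row UserName="backdoor" PasswordHash="0123abcd" Role="admin"/>'
                 '</insert>')
BAD_COLUMN_XML = '<insert table="LogEvents"><row Message="x" Role="admin"/></insert>'


class InsertRejected(Exception):
    pass


def parse_insert(xml_text):
    """Return (table, columns, rows) from the assumed layout
    <insert table="T"><row Col="v" .../>...</insert>."""
    root = ET.fromstring(xml_text)
    if root.tag != "insert" or "table" not in root.attrib:
        raise InsertRejected("malformed request")
    rows = [dict(r.attrib) for r in root.findall("row")]
    if not rows:
        raise InsertRejected("no rows")
    columns = sorted({c for r in rows for c in r})
    return root.attrib["table"], columns, rows


def _run_insert(conn, table, columns, rows):
    # Identifiers are interpolated; the callers decide whether that is safe.
    sql = "INSERT INTO {} ({}) VALUES ({})".format(
        table, ", ".join(columns), ", ".join("?" * len(columns)))
    conn.executemany(sql, [tuple(r.get(c) for c in columns) for r in rows])
    conn.commit()
    return len(rows)


def insert_unchecked(conn, xml_text):
    """Vulnerable: trusts the client-supplied table and column names.
    Values are parameterised, so this is not textbook SQL injection; the
    client simply chooses which table receives the row."""
    table, columns, rows = parse_insert(xml_text)
    return _run_insert(conn, table, columns, rows)


def insert_checked(conn, xml_text):
    """Hardened: the destination must be a known log table and every column
    must belong to it, so the identifiers reaching SQL are allowlist keys,
    never request text."""
    table, columns, rows = parse_insert(xml_text)
    allowed = ALLOWED_TABLES.get(table)
    if allowed is None:
        raise InsertRejected("table not insertable: %r" % table)
    unknown = set(columns) - allowed
    if unknown:
        raise InsertRejected("unknown columns: %s" % sorted(unknown))
    return _run_insert(conn, table, columns, rows)


def rejected(conn, xml_text):
    """True if the hardened path refuses the request."""
    try:
        insert_checked(conn, xml_text)
    except InsertRejected:
        return True
    return False


def account_count(conn):
    return conn.execute("SELECT COUNT(*) FROM SysAccounts").fetchone()[0]


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    weak, hard = new_db(), new_db()
    insert_unchecked(weak, MALICIOUS_XML)
    print("unchecked: accounts =", account_count(weak))   # 1: backdoor created
    insert_checked(hard, LEGIT_XML)
    print("checked: malicious rejected =", rejected(hard, MALICIOUS_XML),
          "accounts =", account_count(hard))               # True, 0
```

The point of the hardened variant is where the identifiers come from: the table name and column list that reach the query are keys of a server-side allowlist, so the request can only pick among them, not name something new. Parameterising the values alone (as both variants do) does not help, because the attacker needs no SQL syntax at all, only the name of the account table. If the real endpoint must support several tables, the allowlist grows, but system-account and role tables stay out of it. One further caveat: the stdlib ElementTree parser is used here for brevity; a service parsing untrusted XML should also refuse DTDs and external entities (for example via defusedxml).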

EXTERNAL IDS

db: ZDI  id: ZDI-11-234

Trust: 1.8

db: BID  id: 48638

Trust: 1.5

db: CNVD  id: CNVD-2011-2625

Trust: 0.8

db: ZDI_CAN  id: ZDI-CAN-1125

Trust: 0.7

db: CNNVD  id: CNNVD-201107-130

Trust: 0.6

db: IVD  id: 10307C6A-1F90-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: SECUNIA  id: 45176

Trust: 0.2

db: PACKETSTORM  id: 102964

Trust: 0.1

db: PACKETSTORM  id: 102995

Trust: 0.1

sources: IVD: 10307c6a-1f90-11e6-abef-000c29c66e3d // ZDI: ZDI-11-234 // CNVD: CNVD-2011-2625 // BID: 48638 // PACKETSTORM: 102964 // PACKETSTORM: 102995 // CNNVD: CNNVD-201107-130

REFERENCES

url:http://www.zerodayinitiative.com/advisories/zdi-11-234/

Trust: 1.0

url:http://www.trendmicro.com/ftp/documentation/readme/readme_critical_patch_tmcm55_1422.txt

Trust: 0.8

url:http://esupport.trendmicro.com/solution/en-us/1058280.aspx

Trust: 0.7

url:http://downloadcenter.trendmicro.com/index.php?regs=nabu&clk=latest&clkval=1763&lang_loc=1

Trust: 0.7

url:http://www.securityfocus.com/bid/48638

Trust: 0.6

url:http://esupport.trendmicro.com/solution/en-us/1058280.aspx

Trust: 0.5

url:http://us.trendmicro.com/us/products/enterprise/control-manager/

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/disclosure_policy/

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:http://twitter.com/thezdi

Trust: 0.1

url:http://downloadcenter.trendmicro.com/index.php?regs=nabu&clk=latest&clkval=1763&lang_loc=1

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-11-234

Trust: 0.1

url:http://www.zerodayinitiative.com

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=45176

Trust: 0.1

url:http://secunia.com/advisories/45176/#comments

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/45176/

Trust: 0.1

url:http://secunia.com/products/corporate/vim/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: ZDI: ZDI-11-234 // CNVD: CNVD-2011-2625 // BID: 48638 // PACKETSTORM: 102964 // PACKETSTORM: 102995 // CNNVD: CNNVD-201107-130

CREDITS

Andrea Micalizzi aka rgod

Trust: 1.6

sources: ZDI: ZDI-11-234 // BID: 48638 // CNNVD: CNNVD-201107-130

SOURCES

db: IVD  id: 10307c6a-1f90-11e6-abef-000c29c66e3d
db: ZDI  id: ZDI-11-234
db: CNVD  id: CNVD-2011-2625
db: BID  id: 48638
db: PACKETSTORM  id: 102964
db: PACKETSTORM  id: 102995
db: CNNVD  id: CNNVD-201107-130

LAST UPDATE DATE

2022-05-17T22:33:09.231000+00:00


SOURCES UPDATE DATE

db: ZDI  id: ZDI-11-234  date: 2011-07-11T00:00:00
db: CNVD  id: CNVD-2011-2625  date: 2011-07-12T00:00:00
db: BID  id: 48638  date: 2011-07-11T00:00:00
db: CNNVD  id: CNNVD-201107-130  date: 2011-07-13T00:00:00

SOURCES RELEASE DATE

db: IVD  id: 10307c6a-1f90-11e6-abef-000c29c66e3d  date: 2011-07-12T00:00:00
db: ZDI  id: ZDI-11-234  date: 2011-07-11T00:00:00
db: CNVD  id: CNVD-2011-2625  date: 2011-07-12T00:00:00
db: BID  id: 48638  date: 2011-07-11T00:00:00
db: PACKETSTORM  id: 102964  date: 2011-07-11T19:30:04
db: PACKETSTORM  id: 102995  date: 2011-07-12T03:50:49
db: CNNVD  id: CNNVD-201107-130  date: 1900-01-01T00:00:00