Trend Micro Safe Sync for Enterprise is affected by a remote command execution vulnerability. This vulnerability can be exploited by an authenticated user on the web administration panel of Safe Sync for Enterprise to gain remote command execution with root privileges.
From Trend Micro documentation:
Trend Micro(TM) SafeSync for Enterprise(TM) allows enterprises to securely synchronize, share, and manage corporate data. Deployed on premise and in a private cloud, SafeSync provides file encryption and document tagging to prevent unauthorized access to sensitive data. SafeSync also supports file version control and redundant file backup.
I recommend that anyone running SafeSync for Enterprise apply the critical patch released by Trend Micro, available at the following location:
- Safesync Enhancement Pack 1 (SSFE 3.2) - http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=4887&lang_loc=1
The Trend Micro advisory is available on their business support website.
- Trend Micro Safe Sync for Enterprise up to version 3.2
Authenticated RCE - Technical Description
The following Perl script does not sanitize user inputs prior to using them as parameters of system commands:
An authenticated user can abuse this by injecting his own commands using different kinds of operators such as &&, ;, > and <.
Let’s look at the vulnerable component:
/opt/SingleInstaller/MgmtUI/lib/MgmtUI/Controller/api/admin/ad.pm [lines 747-772]
In the excerpt below, we can see that $server_id is directly initialized from unsanitized JSON data values and fed to the ad_changed_sync.py command as
From a client point of view, this would happen like this:
Take a look at the Metasploit module I wrote. It works to get a reverse shell as root but in a weird way, using interactive sh and FIFO files. This is because the injection happens within a sh -c 'command' call, meaning it will raise a “file descriptor not found” if you try the usual reverse shell in bash.
On the plus side, you can always use python if you can’t live without tty.
I doubt I’ll try to merge the module upstream until I get it to work in a generic way (support for meterpreter stager).
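To make the defect concrete from the fixing side, here is an added illustration of the injection class described above (a caller-controlled value interpolated into a single string handed to system(), hence to sh -c) next to the hardened form. This is example code written for this page, not the contents of ad.pm; the JSON shape, the helper names and the script path are assumptions.

```perl
# Added, illustrative hardening example for the injection class described
# above. It is not the code of ad.pm; the JSON shape, the helper names and
# the script path below are assumptions.
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Placeholder: the real location of ad_changed_sync.py is not given on the page.
my $SYNC_SCRIPT = '/path/to/ad_changed_sync.py';

# Allowlist check: accept only a short token of letters, digits, '_' or '-'.
# Shell operators such as &&, ;, > and < can never pass this test.
sub valid_server_id {
    my ($id) = @_;
    return (defined $id && $id =~ /\A[A-Za-z0-9_-]{1,64}\z/) ? 1 : 0;
}

# Vulnerable pattern (for comparison only): one interpolated string given to
# system() is run through sh -c, so any operator inside $id is honoured.
sub unsafe_command_string {
    my ($id) = @_;
    return "python $SYNC_SCRIPT $id";
}

# Hardened pattern: validate, then return an argument LIST. system(@argv) with
# more than one element execs the program directly and never spawns a shell,
# so the id is passed as one literal argument whatever it contains.
sub safe_sync_argv {
    my ($id) = @_;
    die "rejected server_id\n" unless valid_server_id($id);
    return ('python', $SYNC_SCRIPT, $id);
}

# Request handler as it would look after the fix: the JSON body is the only
# caller-controlled input, and nothing from it reaches a shell.
sub handle_ad_change {
    my ($json_body) = @_;
    my $data = decode_json($json_body);
    my @argv = safe_sync_argv($data->{server_id});
    return system(@argv) == 0;   # exit status is checked, not ignored
}

# Constructed sample inputs: one well-formed id, one carrying an operator.
for my $body ('{"server_id":"srv-01"}', '{"server_id":"srv-01 && true"}') {
    my $id = decode_json($body)->{server_id};
    printf "%-16s -> %s\n", $id, valid_server_id($id) ? 'accepted' : 'rejected';
    printf "   as shell string: %s\n", unsafe_command_string($id);
}
```

Running the loop shows why the string form is dangerous: the second id survives interpolation as a complete shell command line, while the allowlist rejects it before anything is executed.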
Once again, Trend Micro vulnerability team was great in handling this coordinated disclosure.
Part III will discuss yet another Trend Micro product where I managed to be greeted with #. If everything goes as expected, the advisory should be released by September 30th.
- 2016-07-20: Advisory sent to Trend Micro
- 2016-07-22: Trend Micro acknowledged the issue
- 2016-08-11: Trend Micro released the patch
- 2016-09-06: Advisory publication