Synopsis
There are multiple vulnerabilities in Trend Micro Mobile Security for Enterprise 9.8 SP5 Critical Patch 3.
CVE-2023-32521 - Unauthenticated Path Traversal File Deletion
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
A path traversal exists in web_service.dll which can allow an unauthenticated remote attacker to delete arbitrary files. web_service.dll checks if the file is a temp file before deletion. However, the check can be bypassed with path traversal (i.e., C:\Program Files (x86)\Trend Micro\Mobile Security\cgi\TEMP\aaa\..\..\..\..\..\..\..\..\..\
POC
tmms.py on github.
Usage:
python3 tmms.py -t-d '{"tmms_action":"upload_eula", "data":{"file_name":"C:\\Program Files (x86)\\Trend Micro\\Mobile Security\\cgi\\TEMP\\aaa\\..\\..\\..\\..\\..\\..\\..\\..\\..\\tmp\\delete_me.txt"}}' --noauth
CVE-2023-32522 - Authenticated Path Traversal File Deletion
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
A path traversal exists in universal_mdm.dll which can allow an authenticated remote attacker to delete arbitrary files. The flaw results from improper validation of a user-supplied file name passed to Windows API DeleteFile(). The attacker can delete arbitrary files by using path traversal or full file paths. The deletion is performed under the security context of the account (default: SYSTEM) configured to run the Mobile Security Management Module Service (ManagementServer.exe).
POC
tmms.py on github.
Usage:
python3 tmms.py -t
Information Disclosure
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
An unauthenticated remote attacker can download the web_service.log, which can contain sensitive information. For example, if DEBUG level (non-default) is configured for web_service.dll, the login credentials to the Administration Web Console can be revealed.
POC
curl -ks 'https:///mdm/cgi/log/web_service.log' | grep login 2022-12-12 10:41:46 WebService DEBUG [0x000019fc][source\IIS_wrapper.cpp(389)]- tmms_web_service::IISWrapper::DecodeJSONTypeBody : m_body_json_ is:{"tmms_action":"login","data":{"username":"root","password":"mobilesecurity","time":1670600505}}
Solution
See vendor advisory for patch information.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team