Trend Micro Direct Pass - Filter Bypass & Persistent Cross Site Vulnerability


Trend Micro Direct Pass - Critical Vulnerability in the secure Cloud Service

The youngest independent security researcher of the Vulnerability Laboratory infrastructure, "Karim Rahal" (13), discovered a filter bypass and a persistent cross-site scripting vulnerability in the official Trend Micro Direct Pass online service cloud web application. About two years ago we already disclosed another issue located in the Direct Pass software, discovered by Benjamin Kunz Mejri.

This persistent vulnerability allows an attacker to execute JavaScript inside the password hint box. An attacker can trick a victim into logging into an account; when the victim then enters a wrong master password, the malicious JavaScript payload executes. The vulnerability is located on the application side and the request method used to inject is POST. The input validation encodes the value incorrectly, so the stored hint becomes a persistent injection point.

The security risk of the filter bypass and persistent validation vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 6.1. Exploitation of the persistent input validation web vulnerability requires a low-privileged Direct Pass user account with restricted access and low or medium user interaction. Successful exploitation results in session hijacking, persistent phishing, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Proof of Concept (PoC):
The vulnerability can be exploited by remote attackers with a low-privileged web application user account and low user interaction. For security demonstration or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the vulnerability ...
1.  Go to https://www.directpass.com and sign-in
2.  Go to https://www.directpass.com/showdb#settings/master
3.  Change your master password
4.  Then insert your master password
5.  Then insert the new master password and confirm master password
6.  For the Hint, right-click on the box and click inspect element and remove maxlength="20" from the code
7.  Then put your XSS payload into the Hint box!
8.  Logout from your account
9.  Login to your account
10. Insert your master password wrong and your XSS payload executes!
Note: This vulnerability also affects the beta/duplicated version of the website: http://pwm-ibeta.trendmicro.com
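The steps above show the two defects that combine here: the 20-character limit exists only as a client-side maxlength attribute, and the stored hint is later written into the page without encoding. The following is an added example of how the server side should handle such a hint field; it is not Trend Micro's code, and the function names, the HTTP status values and the sample inputs are assumptions made for the illustration.

```javascript
// Added example (not Trend Micro's code): server-side handling of a
// password-hint field. A client-side maxlength attribute can be removed in
// the browser or the request replayed, so both the length limit and the
// encoding of the value must be enforced on the server.

const HINT_MAX_LENGTH = 20; // the limit the advisory describes

// Validate the hint as it arrives in the POST body. Returns { ok, reason }.
function validateHint(hint) {
  if (typeof hint !== "string") return { ok: false, reason: "not a string" };
  // Count code points rather than UTF-16 units so multi-byte characters
  // are not miscounted against the limit.
  const length = Array.from(hint).length;
  if (length === 0) return { ok: false, reason: "empty" };
  if (length > HINT_MAX_LENGTH) return { ok: false, reason: "too long" };
  return { ok: true, reason: "" };
}

// Encode the stored hint before it is placed into HTML, so a hint that
// contains markup is displayed as text instead of being interpreted.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the "wrong master password" box with the hint embedded safely.
function renderHintBox(hint) {
  return `<div class="hint">Hint: ${escapeHtml(hint)}</div>`;
}

// Simulated handling of the change-master-password request (hypothetical
// handler): a hint that fails validation is rejected with HTTP 400 rather
// than stored, regardless of what the browser form allowed.
function handleHintUpdate(requestBody) {
  const result = validateHint(requestBody.hint);
  if (!result.ok) {
    return { status: 400, stored: null, error: `invalid hint: ${result.reason}` };
  }
  return { status: 200, stored: requestBody.hint, error: null };
}

// Constructed sample inputs (not taken from the advisory).
const samples = [
  { hint: "my first pet" },                 // normal hint
  { hint: "x".repeat(21) },                 // exceeds the 20-character limit
  { hint: "<script>alert(1)</script>" },    // markup and over length: rejected
  { hint: "<b>pet</b>" },                   // short but contains markup: stored, encoded on output
];

for (const body of samples) {
  const r = handleHintUpdate(body);
  console.log(r.status, r.error ?? renderHintBox(r.stored));
}
```

Note the division of labour: the length check rejects the request before anything is stored, and the output encoding covers the case of a short hint that still contains markup, so removing the client-side attribute gains the attacker nothing on either path.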

Video Description:
In the video we demonstrate how to take advantage of the cross-site scripting vulnerability by changing the master password of the Trend Micro Direct Pass account. The account "karimmtv@elitesec.com" was used to manipulate and verify the vulnerability. After the attacker first enters his old password, he is able to set a new one. The maximum input length for the given form is 20 characters. By editing the source code (on the client side) or replaying the request, the attacker is able to bypass the given length limit; anything above 20 characters is saved too. At the end the attacker successfully inserts malicious code (JavaScript code in this case) into the master password hint field. The code is executed when the form is loaded (login).

Security Video: Trend Micro Direct Pass - Filter Bypass & Persistent Validation Vulnerability (Zero Day)

Advisory: https://www.vulnerability-lab.com/get_content.php?id=1661

Reference(s):

http://esupport.trendmicro.com/en-us/business/pages/vulnerability-response.aspx#acknowledgement
