Trend Micro Control Manager SQL Injection

October 5, 2012

Trend Micro Control Manager is a centralized security outbreak management console. It is meant to consolidate the coordination of actions and the management of Trend Micro products and services. It is a central command center for the management of viral infections and security vulnerabilities.

The Control Manager allows the administrator to access and manipulate it through a web interface. The web interface is composed of various Java applets, ASP pages, static HTML pages, as well as several ISAPI dynamically linked libraries. Active Server Pages (ASP) is Microsoft's primary server side scripting language for generating dynamic content. The parameters passed to ASP scripts are passed via the name-value pairs in the HTTP request URI. Parameters are found following the '?' character in the URI and each pair is separated by an ampersand "&" character. An example of parameters being passed in a URI follows:

The Control Manager includes an SQL database which stores managed product configurations and logs. It also includes an HTTP server that hosts the Control Manger web console. Username credentials for the web console are also stored in the SQL database. The server contains various ASP pages that interface with the SQL database server by building and executing SQL queries on it.

An SQL injection vulnerability exists in Trend Micro Control Manager. The vulnerability exists due to a failure to properly verify input data when handling parameters to a particular ASP page. One parameter expected to be passed to the affected script is directly used to build an SQL query. If the parameter value contains a single quote "'" character, the literal value in the generated SQL query will be terminated, and anything that follows will be interpreted as a separate SQL query. In turn, all resulting queries will be executed by the Control Manager server. This allows for complete SQL queries to be injected and consequently executed by the backend SQL server.

An attacker can exploit this vulnerability by sending a request to the affected ASP page with carefully crafted parameters, resulting in injection of SQL queries. Successful exploitation could result in arbitrary execution of SQL queries with DB Administrator privileges. Note that a user must first authenticate successfully in order to exploit this flaw.

Dell SonicWall has released two IPS signatures that address this flaw. The following signatures were released:

  • 8803 - CONVERT NVARCHAR Statement 1 (Possible SQL Injection)
  • 8804 - CONVERT NVARCHAR Statement 2 (Possible SQL Injection)

The vulnerability has been assigned CVE-2012-2998 by mitre.
The vendor has released an advisory regarding this issue.