nessus
This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
TRENDMICRO_WFBS_CVE-2020-8600.NASL
History
Aug 18, 2020 - 12:00 a.m.

Trend Micro Worry-Free Business Security Path Traversal Authentication Bypass (000245572)

2020-08-18 00:00:00
This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
75

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.012 Low

EPSS

Percentile

85.4%

The Trend Micro Worry-Free Business Security (WFBS) is affected by a path traversal vulnerability in cgiRecvFile.exe due to improper validation of a user-supplied path prior to using it in file operations when handling the TempFileName parameter in an HTTP request. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to manipulate a key file to bypass authentication.

Note that the application is reportedly affected by other vulnerabilities; however, this plugin has not tested for those issues.

include("compat.inc");
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration block. It runs only when `description` is set,
# records the plugin's metadata (identifiers, advisory text, scoring,
# dependencies) and then exits via exit(0) without contacting the target.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(139667);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  # External references: the CVE and the matching ZDI advisory.
  script_cve_id("CVE-2020-8600");
  script_xref(name:"ZDI", value:"ZDI-20-307");

  # The number in parentheses is the Trend Micro advisory ID (see the
  # "see_also" URL below).
  script_name(english:"Trend Micro Worry-Free Business Security Path Traversal Authentication Bypass (000245572)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running an application that is affected by a path traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Trend Micro Worry-Free Business Security (WFBS) is affected by a
path traversal vulnerability in cgiRecvFile.exe due to improper
validation of a user-supplied path prior to using it in file
operations when handling the TempFileName parameter in an HTTP
request. An unauthenticated, remote attacker can exploit this, via a
specially crafted message, to manipulate a key file to bypass
authentication.

Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://success.trendmicro.com/solution/000245572");
  # NOTE(review): the builds named here are the first ones carrying the fix
  # for this CVE. A comment in the detection code of this file says the
  # vendor advisory lists build 2190 for 10 SP1, possibly because that build
  # fixes every issue in the advisory. Remediation should follow the
  # advisory, not only the minimum build given here.
  script_set_attribute(attribute:"solution", value:
"Upgrade WFBS to version 10 SP1 build 2185 / 9.5 build 1525 or later.");
  # Scoring. The base vectors describe an unauthenticated network attack of
  # low complexity. The temporal vectors record an unproven exploit (E:U),
  # an official fix (RL:OF / RL:O) and a confirmed report (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8600");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # Disclosure and patch share a date; the plugin was published later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/08/18");

  # "remote": the check is made over the network, not with local credentials.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:trendmicro:worry-free_business_security");
  script_end_attributes();

  # Registered as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The plugin needs the WFBS detection plugin to have recorded an install
  # of the web console, and a web service port (4343 is listed explicitly).
  script_dependencies("trendmicro_wfbs_detect.nbin");
  script_require_keys("installed_sw/Trend Micro WFBS Web Console");
  script_require_ports("Services/www", 4343);

  exit(0);
}

include('http.inc');
include('install_func.inc');
include('debug.inc');

app = 'Trend Micro WFBS Web Console';

# Stop here unless the application was detected on the target at all.
get_install_count(app_name:app, exit_if_zero:TRUE);

# Pick the HTTP port to test (4343 by default) and stop unless the
# application was detected on that specific port.
port = get_http_port(default:4343);
install = get_single_install(app_name:app, port:port);

# Probe request. cgiRecvFile.exe!main() runs a basic check that needs all
# four of these parameters to be present. TempFileName is the fixed word
# "foo" with no path components: the request is a fingerprint of how the
# CGI answers a value outside its temp directory, not a traversal attempt.
probe_query =
    'TempFileName=foo'
  + '&NewFileSize=100'
  + '&ComputerName=localhost'
  + '&Verify=deadbeef';
probe_item = '/officescan/cgi/cgiRecvFile.exe?' + probe_query;

# exit_on_fail makes the plugin stop if the request cannot be completed,
# so `res` is only used below when a response was received.
res = http_send_recv3(method:"GET", port:port, item:probe_item, exit_on_fail:TRUE);

# Response classification.
#
# Vulnerable binary: cgiRecvFile.exe checks whether the TempFileName
# parameter includes the WFBS temp directory
# (ie, C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\TEMP\)
# and, if not, outputs "cgiRecvFile_FAILED\r\n". The probe used
# TempFileName=foo, so an unpatched binary is expected to print that
# marker.
#
# Patched binary: TempFileName goes through the added function
# ValidAndNormalizeUploadedFile(), which normalizes the path before the
# temp-directory test and performs additional checks. One side effect is
# that when ValidAndNormalizeUploadedFile() fails, cgiRecvFile.exe does
# not output "cgiRecvFile_FAILED\r\n"; a 200 response with an empty body
# is therefore treated as the patched behaviour.
#
# Note that the fix for this vulnerability was actually introduced in
# build 2185 for version 10 SP1. This differs from the fixed version
# (build 2190) in the Trend Micro advisory 000245572, which covers this
# vulnerability along with others. It is possible that build 2190 is the
# first build that fixed all vulnerabilities in the advisory, so a
# "not affected" result here speaks only to CVE-2020-8600.
#
# NOTE(review): the vulnerable branch matches on the body marker alone and
# does not inspect the status line, while the patched branch requires
# " 200 " -- presumably intentional, confirm against affected builds.
saw_failed_marker = ('cgiRecvFile_FAILED' >< res[2]);
empty_ok_response = (' 200 ' >< res[0] && strlen(res[2]) == 0);

if (saw_failed_marker)
{
  # Include the exact request that was sent so the finding can be reviewed.
  report = 'Nessus was able to detect the issue with the following request : ' +
    '\n\n' +  http_last_sent_request();

  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else if (empty_ok_response)
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:install['path'], port:port));
}
else
{
  # Neither signature matched: log the status line, headers and body for
  # debugging and report an unexpected response instead of guessing.
  dbg::log(msg:res[0] + res[1], ddata:res[2]);
  audit(AUDIT_RESP_BAD, port);
}

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| trendmicro | worry-free_business_security | | cpe:/a:trendmicro:worry-free_business_security |

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.012 Low

EPSS

Percentile

85.4%
