CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.012 Low (Percentile: 85.4%)

The Trend Micro Worry-Free Business Security (WFBS) is affected by a path traversal vulnerability in cgiRecvFile.exe due to improper validation of a user-supplied path prior to using it in file operations when handling the TempFileName parameter in an HTTP request. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to manipulate a key file to bypass authentication.
Note that the application is reportedly affected by other vulnerabilities; however, this plugin has not tested for those issues.
```
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(139667);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  script_cve_id("CVE-2020-8600");
  script_xref(name:"ZDI", value:"ZDI-20-307");

  script_name(english:"Trend Micro Worry-Free Business Security Path Traversal Authentication Bypass (000245572)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running an application that is affected by a path traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Trend Micro Worry-Free Business Security (WFBS) is affected by a
path traversal vulnerability in cgiRecvFile.exe due to improper
validation of a user-supplied path prior to using it in file
operations when handling the TempFileName parameter in an HTTP
request. An unauthenticated, remote attacker can exploit this, via a
specially crafted message, to manipulate a key file to bypass
authentication.

Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://success.trendmicro.com/solution/000245572");
  script_set_attribute(attribute:"solution", value:
"Upgrade WFBS to version 10 SP1 build 2185 / 9.5 build 1525 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8600");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/08/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:trendmicro:worry-free_business_security");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("trendmicro_wfbs_detect.nbin");
  script_require_keys("installed_sw/Trend Micro WFBS Web Console");
  script_require_ports("Services/www", 4343);

  exit(0);
}

include('http.inc');
include('install_func.inc');
include('debug.inc');

app = 'Trend Micro WFBS Web Console';

# Exit if app is not detected on the target
get_install_count(app_name:app, exit_if_zero:TRUE);

# Exit if app is not detected on this http port.
port = get_http_port(default:4343);
install = get_single_install(app_name:app, port:port);

url = '/officescan/cgi/cgiRecvFile.exe?'
  # These 4 parameters must be present in order to pass a basic
  # check in cgiRecvFile.exe!main()
  + 'TempFileName=foo'
  + '&NewFileSize=100'
  + '&ComputerName=localhost'
  + '&Verify=deadbeef';

res = http_send_recv3(
  method       : "GET",
  port         : port,
  item         : url,
  exit_on_fail : TRUE
);

# The vulnerable cgiRecvFile.exe checks if the TempFileName parameter
# includes the WFBS temp directory
# (i.e., C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\TEMP\).
# If not, it outputs "cgiRecvFile_FAILED\r\n".
#
# Since we use TempFileName=foo, we expect the vulnerable
# cgiRecvFile.exe would output "cgiRecvFile_FAILED\r\n".
if ('cgiRecvFile_FAILED' >< res[2])
{
  report = 'Nessus was able to detect the issue with the following request : ' +
    '\n\n' + http_last_sent_request();

  security_report_v4(
    port     : port,
    severity : SECURITY_HOLE,
    extra    : report
  );
}
# The patched cgiRecvFile.exe checks the TempFileName parameter with
# the added function ValidAndNormalizeUploadedFile().
#
# This function normalizes the file path in the TempFileName
# parameter before checking whether it contains the WFBS temp
# directory. It also performs additional checks on TempFileName.
#
# One side effect is that if ValidAndNormalizeUploadedFile() fails,
# cgiRecvFile.exe does not output "cgiRecvFile_FAILED\r\n". We can
# use this fact to detect a patched cgiRecvFile.exe.
#
# Note that the fix for this vulnerability was actually introduced in
# build 2185 for version 10 SP1. This is different from the fixed
# version (build 2190) in the Trend Micro advisory 000245572. The
# advisory includes this vulnerability along with other
# vulnerabilities. It's possible that build 2190 is the first version
# that fixed all vulnerabilities in the advisory.
#
else if (' 200 ' >< res[0] && strlen(res[2]) == 0)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(qs:install['path'], port:port));
# Unexpected
else
{
  dbg::log(msg:res[0] + res[1], ddata:res[2]);
  audit(AUDIT_RESP_BAD, port);
}
```
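
The difference between the two checks described in the plugin's comments, as an added Python sketch (not Tenable's or Trend Micro's code). The function names `contains_check` and `normalize_then_check` are hypothetical, the sample values are constructed, and only the normalize-before-validate step is modelled, not the additional checks the patched function performs.

```python
import ntpath

# Temp directory quoted in the plugin's comments.
TEMP_DIR = r"C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\TEMP" "\\"


def contains_check(temp_file_name):
    """Pre-patch behaviour as the plugin describes it: accept the value if
    the temp directory appears anywhere in the raw, un-normalized string."""
    return TEMP_DIR.lower() in temp_file_name.lower()


def normalize_then_check(temp_file_name):
    """Normalize first, then require the result to sit inside TEMP_DIR."""
    norm = ntpath.normpath(temp_file_name)  # collapses "." and ".." segments
    if not ntpath.isabs(norm):
        return False
    base = ntpath.normcase(ntpath.normpath(TEMP_DIR))
    # Trailing separator so a sibling directory such as ...\TEMP2 cannot match.
    return ntpath.normcase(norm).startswith(base + "\\")


# Constructed sample values, not captured traffic.
SAMPLES = [
    TEMP_DIR + "upload_0001.tmp",   # inside the temp directory
    "foo",                          # the plugin's probe value
    TEMP_DIR + r"..\outside.dat",   # contains TEMP_DIR but resolves outside it
]


def compare(samples=SAMPLES):
    """Return (value, contains_check result, normalize_then_check result)."""
    return [(s, contains_check(s), normalize_then_check(s)) for s in samples]


if __name__ == "__main__":
    for value, raw_ok, norm_ok in compare():
        print(f"contains={raw_ok!s:5} normalized={norm_ok!s:5} {value}")
```

The third sample is the case the two checks disagree on: the raw string contains the temp directory, but the normalized path does not lie under it.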
Vendor | Product | Version | CPE |
---|---|---|---|
trendmicro | worry-free_business_security | | cpe:/a:trendmicro:worry-free_business_security |