Sid 1-47472

Message

SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt

Summary

This event is generated when an attempted directory traversal attack is conducted against an internal server running Advantech WebAccess.

Impact

Web Application Attack

Detailed information

The vulnerability exists when the gmicons.asp page, exposed by the Advantech WebAccess web server listening on port 80 (HTTP), parses a multipart/form-data POST request. In particular, the filename parameter of the picFile sub-part is not properly validated before it is used to form the location where the picture file will be uploaded. By placing NULL bytes at the correct location within the filename parameter, an attacker can bypass the implemented file upload checks to upload arbitrary files to the Advantech WebAccess web server. Additionally, due to a lack of authorization checks and improper protection against directory traversal attacks, unauthenticated attackers can exploit this vulnerability to upload files to any location on the Advantech WebAccess server that the web service has access to.
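For triage of captured requests or web logs, the check below flags the two conditions described above in the filename parameter of the picFile part. It is an added example, not the Snort rule's own logic and not Talos or Advantech code. The request path, boundary and sample bodies are constructed, and the function names are hypothetical.

```python
import re

TARGET_PAGE = b"gmicons.asp"   # page named in the description above
TARGET_PART = b"picFile"       # multipart sub-part named in the description above

# One Content-Disposition header line; NUL bytes inside it are still matched.
_HEADER = re.compile(rb"^content-disposition:[^\r\n]*", re.I | re.M)
# name="..." and filename="..." parameters, in either order.
_PARAM = re.compile(rb'\b(name|filename)="([^"\r\n]*)"', re.I)

def inspect_request(method, uri, body):
    """Return a list of findings for one HTTP request (empty list = clean)."""
    if method.upper() != "POST" or TARGET_PAGE not in uri.lower().encode():
        return []
    findings = []
    for header in _HEADER.findall(body):
        params = {k.lower(): v for k, v in _PARAM.findall(header)}
        if params.get(b"name") != TARGET_PART or b"filename" not in params:
            continue
        filename = params[b"filename"]
        if b"\x00" in filename:
            findings.append("NUL byte in picFile filename")
        if re.search(rb"\.\.[\\/]", filename):
            findings.append("directory traversal sequence in picFile filename")
    return findings

def sample_body(filename):
    """Constructed multipart body with a single picFile part (sample data)."""
    return (b"--XBOUNDARY\r\n"
            b'Content-Disposition: form-data; name="picFile"; filename="'
            + filename +
            b'"\r\nContent-Type: image/gif\r\n\r\nGIF89a\r\n--XBOUNDARY--\r\n')

if __name__ == "__main__":
    # Constructed inputs: the URI prefix is a placeholder, not a product path.
    for name in (b"icon.gif", b"..\\..\\icon.gif", b"ic\x00on.gif"):
        result = inspect_request("POST", "/PLACEHOLDER/gmicons.asp", sample_body(name))
        print(repr(name), "->", result or "clean")
```

A legitimate image upload never needs a NUL byte or a parent-directory sequence in its filename, so either finding on this page is worth investigating.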

Affected systems

  • Advantech WebAccess 3 Version 8.3.0 and prior

Ease of attack

Simple, no public proofs of concept yet.

False positives

None known.

False negatives

None known.

Corrective action

Patch as soon as corporate policies allow.

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • ics-cert.us-cert.gov/advisories/ICSA-18-004-02A