Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt

Rule Explanation

This event is generated when an attempted directory traversal attack is conducted against an internal server running Advantech WebAccess.

Impact: Web Application Attack

Details: The vulnerability exists when the gmicons.asp page, exposed by the Advantech WebAccess webserver listening on port 80 (HTTP), parses a multipart/form-data POST request. In particular, the filename parameter of the picFile sub-part is not appropriately validated before it is used to form the location where the picture file will be uploaded. By placing NULL bytes at the correct location within the filename parameter, an attacker can bypass the implemented file upload checks and upload arbitrary files to the Advantech WebAccess webserver. Additionally, due to a lack of authorization checks and improper protection against directory traversal attacks, unauthenticated attackers can exploit this vulnerability to upload files to any location on the Advantech WebAccess server that the web service has access to.

Ease of Attack: Simple, no public proofs of concept yet.
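A defender-side check for the request shape described above, as an added example that is not the Snort rule's logic or code from the original page: it parses a multipart/form-data POST to gmicons.asp and flags NUL bytes or traversal sequences in the picFile filename. The function names, finding labels and sample requests are constructed for illustration.

```python
import re

# "../" or "..\" in raw or percent-encoded form.
TRAVERSAL = re.compile(rb"(?:\.\.|%2e%2e)(?:[\\/]|%2f|%5c)", re.I)
# Field name of a sub-part; \b keeps this from matching inside filename="...".
PART_NAME = re.compile(rb'content-disposition:[^\r\n]*?\bname="([^"]*)"', re.I)
# Matched on raw bytes so an embedded NUL stays visible instead of truncating.
FILENAME = re.compile(rb'filename="([^"\r\n]*)"', re.I)
BOUNDARY = re.compile(r'boundary="?([^";]+)"?', re.I)


def inspect_upload(path, content_type, body, field=b"picFile"):
    """Return findings for one POST request; an empty list means nothing flagged."""
    if not path.lower().split("?")[0].endswith("gmicons.asp"):
        return []
    m = BOUNDARY.search(content_type)
    if not content_type.lower().startswith("multipart/form-data") or not m:
        return []
    findings = []
    delimiter = b"--" + m.group(1).encode("latin-1")
    for part in body.split(delimiter)[1:]:
        headers = part.split(b"\r\n\r\n", 1)[0]
        name, fname = PART_NAME.search(headers), FILENAME.search(headers)
        if not name or not fname or name.group(1) != field:
            continue
        value = fname.group(1)
        if b"\x00" in value or b"%00" in value:
            findings.append("nul-byte-in-filename")
        if TRAVERSAL.search(value):
            findings.append("traversal-in-filename")
    return findings


def build_body(boundary, filename):
    """Constructed sample request body (not captured traffic)."""
    return b"".join([
        b"--", boundary, b"\r\n",
        b'Content-Disposition: form-data; name="picFile"; filename="',
        filename, b'"\r\n',
        b"Content-Type: image/png\r\n\r\n",
        b"SAMPLE-BYTES\r\n",
        b"--", boundary, b"--\r\n",
    ])


if __name__ == "__main__":
    ct = "multipart/form-data; boundary=SampleBoundary"
    for fn in (b"pump.png", b"..\\..\\pump.png", b"pump\x00.png"):
        print(fn, inspect_upload("/gmicons.asp", ct, build_body(b"SampleBoundary", fn)))
```

The same two conditions are what a web server or reverse proxy in front of WebAccess should reject outright, since a legitimate icon upload never needs a path separator or a NUL byte in its filename.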

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2017-16736