Vulnerability overview
A vulnerability was recently discovered in the back-end API of historical versions of the on-premises (privately deployed) Enterprise WeChat that allows execution of privileged API calls. By sending specially crafted requests, an attacker can obtain address-book information and application permissions. Through the vulnerable API, the https://cncso.com/cgi-bin/gateway/agentinfo endpoint can be accessed without authorization and directly returns sensitive information such as the Enterprise WeChat secret. This can lead to retrieval of all Enterprise WeChat data and files, and to abuse of Enterprise WeChat lightweight applications to send phishing files and links to people inside the organisation.
![[Vulnerability Warning] Unauthorized vulnerability in the API interface of the private version of Enterprise WeChat](https://cncso.com/wp-content/uploads/2023/08/work.png)
On August 12, 2023, Tencent released emergency operations configuration guidance and back-end security patches covering all affected versions. Affected users can remediate the vulnerability either by upgrading or by applying the security hardening patch.
Affected versions
| Product name | Affected versions |
| --- | --- |
| Enterprise WeChat private deployment (including government WeChat) | 2.5.X to 2.6.930000 |
Versions 2.7.x, 2.8.x and 2.9.x are not affected by this vulnerability and require no action.
Vulnerability hazards:
An attacker can exploit this vulnerability to obtain back-end address-book information and application permissions.
An unauthenticated request to https://cncso.com/cgi-bin/gateway/agentinfo is enough to obtain the enterprise ID and Secret.
![[Vulnerability Warning] Unauthorized vulnerability in the API interface of the private version of Enterprise WeChat](https://cncso.com/wp-content/uploads/2023/08/key.png)
With those credentials in hand, the rest of the exploitation can be carried out through the official enterprise developer API.
![[Vulnerability Warning] Unauthorized vulnerability in the API interface of the private version of Enterprise WeChat](https://cncso.com/wp-content/uploads/2023/08/poc.png)
Risks and Solutions
1. Official plan:
Deployments without a security gateway or application proxy: intercept the specified API on all logical machines.
Deployments using a security gateway or application proxy: intercept the specified API on all access machines.
In both cases, update the back-end patch package.
For details of the remediation plan for affected deployments, refer to the original Enterprise WeChat Wiki:
https://tapd.tencent.com/WeWorkLocalDocu/markdown_wikis/show/#1220382282002540011
2. Temporary stop-gap mitigation:
Configure a protection rule on the WAF that blocks requests matching the /cgi-bin/gateway/agentinfo path.
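One way to express that blocking rule, and to check existing access logs for requests that already reached the endpoint before the rule was in place, as an added example that is not part of the original advisory (the combined log format and the sample log lines are constructed; the path itself is the one named above):

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoint exposed by the vulnerability, as named in the advisory.
VULNERABLE_PATH = "/cgi-bin/gateway/agentinfo"

# Apache/nginx "combined" access-log format (assumed; sample lines are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def should_block(target: str) -> bool:
    """Return True if the request target hits the agentinfo endpoint.
    Percent-encoding, a trailing slash, letter case and query strings are
    normalised so trivial variants of the path do not slip past the rule."""
    path = unquote(urlsplit(target).path).rstrip("/")
    return path.lower() == VULNERABLE_PATH

def find_agentinfo_hits(log_lines):
    """Scan access-log lines and return (ip, time, status) for every request
    to the vulnerable endpoint. A 200 response means the enterprise ID and
    Secret were likely disclosed, so the Secret should be rotated."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and should_block(m.group("target")):
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2023:10:01:02 +0800] "GET /cgi-bin/gateway/agentinfo HTTP/1.1" 200 512 "-" "curl/8.1"',
    '198.51.100.7 - - [12/Aug/2023:10:01:09 +0800] "GET /cgi-bin/gateway/AgentInfo/?x=1 HTTP/1.1" 200 512 "-" "python-requests"',
    '192.0.2.9 - - [12/Aug/2023:10:02:00 +0800] "GET /wework/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Aug/2023:11:30:00 +0800] "GET /cgi-bin/gateway/agentinfo HTTP/1.1" 403 0 "-" "curl/8.1"',
]

if __name__ == "__main__":
    for ip, when, status in find_agentinfo_hits(SAMPLE_LOG):
        print(f"{when} {ip} -> {status}")
```

Any hit with a 200 status that predates the WAF rule should be treated as a credential exposure, not just a blocked probe.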
Vulnerability reference:
https://stack.chaitin.com/vuldb/detail/746ba950-8bcb-4c2e-9704-b2338332e8f9
Original article by Chief Security Officer; if reproduced, please credit https://www.cncso.com/en/enterprise-wechat-api-interface-unauthorized-vulnerabilities.html