Vulnerability overview
A backend API permission vulnerability in historical versions of the Enterprise WeChat (WeCom) private deployment was recently disclosed. An attacker can obtain address book information and application permissions by sending specific messages. The vulnerable API endpoint, https://cncso.com/cgi-bin/gateway/agentinfo, returns sensitive information such as the enterprise WeChat Secret without any authorization; with that Secret an attacker can read all enterprise WeChat data, retrieve files, and use enterprise WeChat light applications to send phishing files and links inside the enterprise.
On August 12, 2023, Tencent released an emergency operations configuration method and a backend security patch covering all versions. Affected users can remediate by upgrading to a fixed version or by applying the security-hardening patch.
Affected versions
Product name | Affected versions
--- | ---
Enterprise WeChat private deployment (including government WeChat) | 2.5.x through 2.6.930000
Versions 2.7.x, 2.8.x and 2.9.x are not affected by this vulnerability and require no action.
Vulnerability impact:
An attacker can exploit this vulnerability to obtain backend address book information and application permissions.
Simply requesting https://cncso.com/cgi-bin/gateway/agentinfo returns the enterprise ID and Secret.
With those credentials, further exploitation is possible through the official Enterprise WeChat developer API.
Risks and Solutions
1. Official fix:
Deployments without a security gateway or application proxy: intercept the specified API on all logic servers.
Deployments with a security gateway and application proxy: intercept the specified API on all access servers, and update the backend patch package.
For details of the remediation plan, see the original Enterprise WeChat Wiki:
https://tapd.tencent.com/WeWorkLocalDocu/markdown_wikis/show/#1220382282002540011
2. Temporary mitigation:
Configure a protection rule on the WAF that blocks every request whose path matches /cgi-bin/gateway/agentinfo.
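The WAF rule above only helps if it matches the vulnerable path after normalization (query strings, percent-encoding, repeated slashes and dot segments stripped), and a defender also wants to know whether the endpoint was hit before the rule went in. The following Python script is an added example, not code from the advisory or from Tencent: it implements that path-matching decision and runs it over a few constructed access-log lines in combined log format, reporting which requests reached the endpoint and with what status. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Path of the vulnerable endpoint named in the advisory.
VULNERABLE_PATH = "/cgi-bin/gateway/agentinfo"


def normalize_path(raw_target: str) -> str:
    """Reduce a request target to a canonical path so the block rule is not
    sidestepped by a query string, percent-encoding, repeated slashes or
    "." / ".." segments."""
    path = urlsplit(raw_target).path
    # Decode twice so a double-encoded slash or letter is still resolved.
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def should_block(raw_target: str) -> bool:
    """The decision the WAF rule has to make for each request target.
    Case-insensitive on purpose: over-blocking this one path is harmless."""
    return normalize_path(raw_target).lower() == VULNERABLE_PATH


# Combined log format: client, identity, user, [time], "METHOD target PROTO", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def find_agentinfo_hits(log_lines):
    """Return one record per request that resolved to the vulnerable endpoint.
    A 200 after the rule was deployed means the rule is not matching."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not should_block(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "target": m["target"],
            "status": int(m["status"]),
        })
    return hits


# Constructed sample log (not real traffic): two plain hits, one encoded hit
# already blocked by the WAF, and one unrelated request to another API.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2023:10:01:02 +0800] "GET /cgi-bin/gateway/agentinfo HTTP/1.1" 200 512 "-" "curl/7.88.1"
203.0.113.7 - - [12/Aug/2023:10:01:05 +0800] "GET /cgi-bin//gateway/agentinfo?x=1 HTTP/1.1" 200 512 "-" "curl/7.88.1"
198.51.100.4 - - [12/Aug/2023:10:02:00 +0800] "GET /cgi-bin/gateway/%61gentinfo HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/Aug/2023:10:03:11 +0800] "POST /cgi-bin/gateway/message/send HTTP/1.1" 200 88 "-" "WeComClient/2.6"
"""

if __name__ == "__main__":
    for hit in find_agentinfo_hits(SAMPLE_LOG.splitlines()):
        flag = "BLOCKED" if hit["status"] == 403 else "REACHED ENDPOINT"
        print(f'{hit["time"]} {hit["ip"]} {hit["target"]} -> {hit["status"]} {flag}')
```

Run it against the real access logs of the access servers (or the WAF's own log) instead of SAMPLE_LOG: any hit with a 2xx status that postdates the rule deployment means the rule is not normalizing the path the way this script does, and any 2xx hit that predates it is a reason to rotate the enterprise Secret, since the advisory treats the returned Secret as full access to the tenant.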
Vulnerability reference:
https://stack.chaitin.com/vuldb/detail/746ba950-8bcb-4c2e-9704-b2338332e8f9
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/enterprise-wechat-api-interface-unauthorized-vulnerabilities-html