CVE-2020-7869 - OpenCVE

An improper input validation vulnerability of ZOOK software (remote administration tool) could allow a remote attacker to create arbitrary file. The ZOOK viewer has the "Tight file CMD" function to create file. An attacker could create and execute arbitrary file in the ZOOK agent program using "Tight file CMD" without authority.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Mastersoft	Zook

Configuration 1 [-]

AND

cpe:2.3:a:mastersoft:zook:2.0.4.6:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36090	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: krcert

Published: 2021-06-29T13:48:53

Updated: 2021-06-29T13:48:53

Reserved: 2020-01-22T00:00:00

Link: CVE-2020-7869

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-06-29T14:15:08.237

Modified: 2021-07-02T19:09:33.757

Link: CVE-2020-7869

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"platforms": ["Windows"], "product": "ZOOK", "vendor": "mastersoft", "versions": [{"lessThanOrEqual": "2.0.4.6", "status": "affected", "version": "2.0.4.6", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "An improper input validation vulnerability of ZOOK software (remote administration tool) could allow a remote attacker to create arbitrary file. The ZOOK viewer has the \"Tight file CMD\" function to create file. An attacker could create and execute arbitrary file in the ZOOK agent program using \"Tight file CMD\" without authority."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-29T13:48:53", "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "shortName": "krcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36090"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@krcert.or.kr", "ID": "CVE-2020-7869", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ZOOK", "version": {"version_data": [{"platform": "Windows", "version_affected": "<=", "version_name": "2.0.4.6", "version_value": "2.0.4.6"}]}}]}, "vendor_name": "mastersoft"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An improper input validation vulnerability of ZOOK software (remote administration tool) could allow a remote attacker to create arbitrary file. The ZOOK viewer has the \"Tight file CMD\" function to create file. An attacker could create and execute arbitrary file in the ZOOK agent program using \"Tight file CMD\" without authority."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36090", "refsource": "MISC", "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36090"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "assignerShortName": "krcert", "cveId": "CVE-2020-7869", "datePublished": "2021-06-29T13:48:53", "dateReserved": "2020-01-22T00:00:00", "dateUpdated": "2021-06-29T13:48:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mastersoft:zook:2.0.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "D4F41C7A-075F-4CDA-B710-B1DD62FED76E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An improper input validation vulnerability of ZOOK software (remote administration tool) could allow a remote attacker to create arbitrary file. The ZOOK viewer has the \"Tight file CMD\" function to create file. An attacker could create and execute arbitrary file in the ZOOK agent program using \"Tight file CMD\" without authority."}, {"lang": "es", "value": "Una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada del software ZOOK (herramienta de administraci\u00f3n remota) podr\u00eda permitir a un atacante remoto crear un archivo arbitrario. La visualizaci\u00f3n ZOOK presenta la funci\u00f3n \"Tight file CMD\" para crear archivos. Un atacante podr\u00eda crear y ejecutar un archivo arbitrario en el programa agente ZOOK usando \"Tight file CMD\" sin autoridad"}], "id": "CVE-2020-7869", "lastModified": "2021-07-02T19:09:33.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "vuln@krcert.or.kr", "type": "Secondary"}]}, "published": "2021-06-29T14:15:08.237", "references": [{"source": "vuln@krcert.or.kr", "tags": ["Third Party Advisory"], "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36090"}], "sourceIdentifier": "vuln@krcert.or.kr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "vuln@krcert.or.kr", "type": "Secondary"}]}