The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File WriteAutomated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write
Vendor: Automated Logic Corporation
Product web page: http://www.automatedlogic.com
Affected version: ALC WebCTRL, SiteScan Web 6.1 and prior
ALC WebCTRL, i-Vu 6.0 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior
Summary: WebCTRLA(r), Automated Logic's web-based building automation
system, is known for its intuitive user interface and powerful integration
capabilities. It allows building operators to optimize and manage
all of their building systems - including HVAC, lighting, fire, elevators,
and security - all within a single HVAC controls platform. It's everything
they need to keep occupants comfortable, manage energy conservation measures,
identify key operational problems, and validate the results.
Desc: The vulnerability is triggered by an authenticated user that can use
the manualcommand console in the management panel of the affected application.
The ManualCommand() function in ManualCommand.js allows users to perform additional
diagnostics and settings overview by using pre-defined set of commands. This
can be exploited by using the echo command to write and/or overwrite arbitrary
files on the system including directory traversal throughout the system.
Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
Apache-Coyote/1.1
Apache Tomcat/7.0.42
CJServer/1.1
Java/1.7.0_25-b17
Java HotSpot Server VM 23.25-b01
Ant 1.7.0
Axis 1.4
Trove 2.0.2
Xalan Java 2.4.1
Xerces-J 2.6.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5430
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5430.php
CVE ID: CVE-2017-9640
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640
30.01.2017
--
PoC:
GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1
Host: TARGET
---
GET http://TARGET/touch.txt HTTP/1.1
peend
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum