up.time 7.5.0 Upload And Execute File Exploit

Title: up.time 7.5.0 Upload And Execute File Exploit
Advisory ID: ZSL-2015-5254
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 19.08.2015
Summary
The next-generation of IT monitoring software.
Description
up.time suffers from arbitrary command execution. Attackers can exploit this issue using the monitor service feature and adding a command with respected arguments to given binary for execution. In combination with the CSRF, Privilege Escalation, Arbitrary text file creation and renaming that file to php for example in arbitrary location and executing system commands with SYSTEM privileges.
Vendor
Idera Inc. - http://www.uptimesoftware.com
Affected Version
7.5.0 (build 16) and 7.4.0 (build 13)
Tested On
Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vendor Status
[29.07.2015] Vulnerability discovered.
[06.08.2015] Vendor contacted.
[18.08.2015] No response from the vendor.
[19.08.2015] Public security advisory released.
PoC
uptime_cmd.txt
Credits
Vulnerability discovered by Ewerson Guimaraes - <crash@dclabs.com.br>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5253.php
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5252.php
[3] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5251.php
[4] http://cxsecurity.com/issue/WLB-2015080117
[5] https://www.exploit-db.com/exploits/37888/
[6] https://packetstormsecurity.com/files/133255
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/105873
[8] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/uptime_file_upload_2.rb
[9] https://cxsecurity.com/issue/WLB-2015110103
[10] https://cxsecurity.com/issue/WLB-2015110102
[11] https://packetstormsecurity.com/files/134333
[12] https://community.rapid7.com/community/metasploit/blog/2015/11/20/weekly-metasploit-wrapup
[13] http://www.rapid7.com/db/modules/exploit/multi/http/uptime_file_upload_2
Changelog
[19.08.2015] - Initial release
[13.09.2015] - Added reference [4], [5], [6] and [7]
[14.11.2015] - Added reference [8], [9] and [10]
[15.11.2015] - Added reference [11]
[23.11.2015] - Added reference [12] and [13]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk