up.time 7.5.0 Upload And Execute File Exploit
Title: up.time 7.5.0 Upload And Execute File Exploit
Advisory ID: ZSL-2015-5254
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 19.08.2015
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
[06.08.2015] Vendor contacted.
[18.08.2015] No response from the vendor.
[19.08.2015] Public security advisory released.
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5252.php
[3] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5251.php
[4] http://cxsecurity.com/issue/WLB-2015080117
[5] https://www.exploit-db.com/exploits/37888/
[6] https://packetstormsecurity.com/files/133255
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/105873
[13.09.2015] - Added reference [4], [5], [6] and [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2015-5254
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 19.08.2015
Summary
The next-generation of IT monitoring software.Description
up.time suffers from arbitrary command execution. Attackers can exploit this issue using the monitor service feature and adding a command with respected arguments to given binary for execution. In combination with the CSRF, Privilege Escalation, Arbitrary text file creation and renaming that file to php for example in arbitrary location and executing system commands with SYSTEM privileges.Vendor
Idera Inc. - http://www.uptimesoftware.comAffected Version
7.5.0 (build 16) and 7.4.0 (build 13)Tested On
Jetty, PHP/5.4.34, MySQLApache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vendor Status
[29.07.2015] Vulnerability discovered.[06.08.2015] Vendor contacted.
[18.08.2015] No response from the vendor.
[19.08.2015] Public security advisory released.
PoC
uptime_cmd.txtCredits
Vulnerability discovered by Ewerson Guimaraes - <crash@dclabs.com.br>References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5253.php[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5252.php
[3] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5251.php
[4] http://cxsecurity.com/issue/WLB-2015080117
[5] https://www.exploit-db.com/exploits/37888/
[6] https://packetstormsecurity.com/files/133255
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/105873
Changelog
[19.08.2015] - Initial release[13.09.2015] - Added reference [4], [5], [6] and [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk