up.time 7.5.0 Arbitrary File Disclose And Delete Exploit

2015-08-19T00:00:00
ID ZSL-2015-5253
Type zeroscience
Reporter Gjoko Krstic
Modified 2015-08-19T00:00:00

Description

Title: up.time 7.5.0 Arbitrary File Disclose And Delete Exploit
Advisory ID: ZSL-2015-5253
Type: Local/Remote
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS
Risk: (3/5)
Release Date: 19.08.2015

Summary

The next-generation of IT monitoring software.

Description

Input passed to the 'file_name' parameter in 'get2post.php' script is not properly sanitised before being used to get the contents of a resource and delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server using a proxy tool.

Vendor

Idera Inc. - <http://www.uptimesoftware.com>

Affected Version

7.5.0 (build 16) and 7.4.0 (build 13)

Tested On

Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34

Vendor Status

[29.07.2015] Vulnerability discovered.
[06.08.2015] Vendor contacted.
[18.08.2015] No response from the vendor.
[19.08.2015] Public security advisory released.

PoC

uptime_dt.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php>
[2] <http://cxsecurity.com/issue/WLB-2015080118>
[3] <https://www.exploit-db.com/exploits/37887/>
[4] <https://packetstormsecurity.com/files/133254>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/105949>
[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/105950>

Changelog

[19.08.2015] - Initial release
[13.09.2015] - Added reference [2], [3], [4], [5] and [6]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
up.time 7.5.0 Arbitrary File Disclose And Delete Exploit


Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)

Summary: The next-generation of IT monitoring software.

Desc: Input passed to the 'file_name' parameter in 'get2post.php'
script is not properly sanitised before being used to get
the contents of a resource and delete files. This can be
exploited to read and delete arbitrary data from local
resources with the permissions of the web server using a
proxy tool.

Tested on: Jetty, PHP/5.4.34, MySQL
           Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5253
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5253.php


29.07.2015

--


http://127.0.0.1:9999/wizards/get2post.php?file_name=C:\\test.txt