ID

VAR-201708-1398

CVE

CVE-2017-9640

TITLE

ALC WebCTRL i-Vu/SiteScan Web Path traversal vulnerability

DESCRIPTION

A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web 5.2 and prior. An authenticated attacker may be able to overwrite files that are used to execute code. This vulnerability does not affect version 6.5 of the software. ALC WebCTRL , i-Vu ,and SiteScan Web Contains a path traversal vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ALC WebCTRL is a building automation platform. Multiple Automated Logic Corporation Products are prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability. An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process. WebCTRL®, Automated Logic's web-based building automationsystem, is known for its intuitive user interface and powerful integrationcapabilities. It allows building operators to optimize and manageall of their building systems - including HVAC, lighting, fire, elevators,and security - all within a single HVAC controls platform. It's everythingthey need to keep occupants comfortable, manage energy conservation measures,identify key operational problems, and validate the results.WebCTRL suffers from an authenticated arbitrary code execution vulnerability. The issue is caused due to the improper verification when uploading Add-on (.addons or .war) files using the uploadwarfile servlet. This can be exploited to execute arbitrary code by uploading a malicious web archive file that will run automatically and can be accessed from within the webroot directory. Additionaly, an improper authorization access control occurs when using the 'anonymous' user. By specification, the anonymous user should not have permissions or authorization to upload or install add-ons. The anonymous user was removed from version 6.5 of WebCTRL.Tested on: Microsoft Windows 7 Professional (6.1.7601 Service Pack 1 Build 7601)Apache-Coyote/1.1Apache Tomcat/7.0.42CJServer/1.1Java/1.7.0_25-b17Java HotSpot Server VM 23.25-b01Ant 1.7.0Axis 1.4Trove 2.0.2Xalan Java 2.4.1Xerces-J 2.6.1. The vulnerability exist due to the improper permissions,with the 'M' flag (Modify) or 'C' flag (Change) for 'Authenticated Users' group.The application suffers from an unquoted search path issue as well impacting the service'WebCTRL Service' for Windows deployed as part of WebCTRL server solution. This couldpotentially allow an authorized but non-privileged local user to execute arbitrarycode with elevated privileges on the system. A successful attempt would require thelocal user to be able to insert their code in the system root path undetected by theOS or other security applications where it could potentially be executed duringapplication startup or reboot. If successful, the local user’s code would executewith the elevated privileges of the application.Tested on: Microsoft Windows 7 Professional SP1 (EN). Desc: The vulnerability is triggered by an authenticated user that can use the manualcommand console in the management panel of the affected application. The ManualCommand() function in ManualCommand.js allows users to perform additional diagnostics and settings overview by using pre-defined set of commands. This can be exploited by using the echo command to write and/or overwrite arbitrary files on the system including directory traversal throughout the system

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Path traversal

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Vulnerability discovered by Gjoko Krstic

SOURCES

LAST UPDATE DATE

2025-04-20T23:04:20.569000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE