PoC for CVE-2024-4885: Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution
Progress WhatsUp Gold versions released before 2023.1.3 contain an unauthenticated Remote Code Execution vulnerability. WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.
The vulnerability here is simple, but let's go step by step. The NmApi.exe process listens on ports 9642 and 9643, and both are used to expose .NET WCF services. The configuration for these two WCF services is defined in a .config file at C:\Program Files (x86)\Ipswitch\WhatsUp\NmAPI.exe.config
Line 10 declares support for a WCF binding of type basicHttpBinding, labelling it BasicHttpBinding_ICoreServices, along with other settings such as timeouts.
Line 41 defines an endpoint for the IRecurringReportServices contract, and sets the binding type to basicHttpBinding and the address to RecurringReport.
Line 58 defines two base addresses for the available WCF services; line 59 defines the address for the basicHttpBinding.
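For defenders reviewing an install, the following added example (not from the original post or from Progress) parses a WCF .config of the shape described above and reports, per endpoint, the resolved URL, port and binding security mode. The embedded XML is a constructed sample, not the real NmAPI.exe.config; the service name, host name, URL path and net.tcp entry are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape the post describes; NOT the real NmAPI.exe.config.
# Service name, host name, URL path and the net.tcp entry are placeholders.
SAMPLE_CONFIG = """<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="BasicHttpBinding_ICoreServices" sendTimeout="00:10:00" />
  </basicHttpBinding></bindings>
  <services><service name="Placeholder.Service">
    <endpoint address="RecurringReport" binding="basicHttpBinding"
              bindingConfiguration="BasicHttpBinding_ICoreServices"
              contract="IRecurringReportServices" />
    <host><baseAddresses>
      <add baseAddress="http://wug.example.test:9642/placeholder/" />
      <add baseAddress="net.tcp://wug.example.test:9643/placeholder/" />
    </baseAddresses></host>
  </service></services>
</system.serviceModel></configuration>"""

# URI scheme WCF matches against base addresses for each binding's transport.
SCHEME = {"basicHttpBinding": "http", "netTcpBinding": "net.tcp"}

def audit_wcf_config(xml_text):
    """Return one finding per <endpoint>: resolved URLs, ports, security mode."""
    root = ET.fromstring(xml_text)
    findings = []
    for svc in root.iter("service"):
        bases = [a.get("baseAddress") for a in svc.iter("add") if a.get("baseAddress")]
        for ep in svc.findall("endpoint"):
            binding, cfg = ep.get("binding"), ep.get("bindingConfiguration")
            sec = root.find(f".//bindings/{binding}/binding[@name='{cfg}']/security")
            # With no <security> element, basicHttpBinding runs with mode "None".
            default = "None" if binding == "basicHttpBinding" else "binding default"
            mode = default if sec is None else sec.get("mode", default)
            # A relative endpoint address is appended to the scheme-matching base.
            urls = [b.rstrip("/") + "/" + ep.get("address", "")
                    for b in bases if urlsplit(b).scheme == SCHEME.get(binding)]
            findings.append({
                "contract": ep.get("contract"), "binding": binding,
                "urls": urls, "ports": [urlsplit(u).port for u in urls],
                "security_mode": mode, "no_binding_security": mode == "None",
            })
    return findings

if __name__ == "__main__":
    for f in audit_wcf_config(SAMPLE_CONFIG):
        print(f)
```

Endpoints reported with `no_binding_security` set are the ones to confirm are unreachable from untrusted networks, for example by firewalling the listed ports.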