PoC for CVE-2024-4885 Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution (CVE-2024-4885) 

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold.  The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges.

The vulnerability here is simple, but lets go step by step, the NmApi.exe process listens on ports 9642 and 9643, both are used to expose .NET WCF Services, the configuration for these two wcf services has been defined in a .config file at C:\Program Files (x86)\Ipswitch\WhatsUp\NmAPI.exe.config

Line 10 declares the support for WCF of type basicHttpBinding labelling it as BasicHttpBinding_ICoreServices with some other configurations such as timeout, etc

Line 41 defines an endpoint for the IRecurringReportServices contract, and sets the binding type to basicHttpBinding and the address to RecurringReport Line 58 defines two base addresses for the avaialble WCF services, line 59 defines the address for the basicHttpBinding