If you can chdir you can hack CA's Unified Infrastructure Manager

You know the drill: pause and patch to prevent p0wnage

By Richard Chirgwin, 16 Nov 2016

IT shops running CA Technologies' Unified Infrastructure Management (UIM) – formerly CA Nimsoft – need to apply patches for three vulnerabilities, one of them remotely exploitable.

CA bought Nimsoft in 2010 to get its hands on the “single pane of glass” monitoring system, covering servers, networks, storage, and databases.

The most serious bug turned up by Trend Micro's Zero Day Initiative and “rgod” is a directory traversal bug (CVE-2016-5803) in the download_lar servlet. ZDI's note is here.

ICS-CERT says UIM doesn't spot user-supplied pathnames that “resolve to a location” that's outside the restricted directory they're meant to use.

“This allows attackers to traverse the file system to access files or directories that are outside the restricted directory. The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries,” the advisory states.

It's not particularly difficult to trigger: in version 8.4 Service Pack 1 and older, UIM's sanitisation misses sequences like “..” that reach outside the user's directory.
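The check that class of bug calls for, as an added illustration in Python (not CA's code, which is not shown here): resolve the requested name first, then require the result to stay under the restricted directory. The function names, directory layout and sample names are hypothetical and constructed for the example.

```python
import os
import tempfile

class PathEscape(ValueError):
    """Requested name resolves outside the restricted directory."""

def unchecked_resolve(base_dir, requested):
    # Weak pattern: join and use. Any ".." in `requested` survives the join,
    # so the result can point above base_dir.
    return os.path.normpath(os.path.join(base_dir, requested))

def contained_resolve(base_dir, requested):
    # realpath() collapses "." and ".." and follows symlinks, so the
    # comparison runs on the location the OS would actually open.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # An absolute `requested` replaces base in join(); it fails here as well.
    if os.path.commonpath([base, target]) != base:
        raise PathEscape(f"{requested!r} resolves outside {base}")
    return target

def classify(base_dir, samples):
    """Map each requested name to 'allowed' or 'rejected'."""
    verdicts = {}
    for name in samples:
        try:
            contained_resolve(base_dir, name)
            verdicts[name] = "allowed"
        except PathEscape:
            verdicts[name] = "rejected"
    return verdicts

if __name__ == "__main__":
    # Constructed layout: <tmp>/archives is the restricted directory.
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "archives")
        os.makedirs(os.path.join(base, "pkg"))
        samples = ["pkg/file.bin", "pkg/../file.bin",
                   "../outside.txt", "pkg/../../outside.txt"]
        print("unchecked:", unchecked_resolve(base, "../outside.txt"))
        for name, verdict in classify(base, samples).items():
            print(f"{verdict:8} {name}")
```

A name containing “..” is still allowed when it resolves inside the directory, so the decision rests on where the path lands rather than on string matching.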

CA has patched the vulnerability here, and along the way, provided fixes to two other bugs.

CVE-2016-9164 is another directory traversal bug, this time in the diag.jsp servlet.

CVE-2016-9165 is harder to exploit. It's in the get_sessions servlet, which can “return the session IDs for all active sessions. An attacker can use this information to hijack any current active session, including administrative sessions”, ZDI explains. ®