CVE-2020-15492
Published 2020-07-23
Priority: P274 · critical 9.8 (CVSS 3.1)
Exploit: available
EPSS: 16.59% (96.6th percentile)
An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inneo | startup_tools | 12.0.66.3784 – 13.0.70.3804 | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts against TCP port 85 (sut_srv.exe) containing repeated '../' sequences; the published exploit uses a traversal depth of at least 10 levels ('/../' × 10).
- Alert on HTTP GET requests to port 85 whose path contains a null byte followed by '.php' (e.g., '.log\0.php'), indicating log poisoning / LFI-to-RCE via PHP null-byte injection.
- Monitor for HTTP GET requests to port 85 targeting paths under 'software/LOG/' combined with traversal sequences, which indicates an attempt to include a poisoned log file for RCE.
- Detect child processes of sut_srv.exe spawning powershell.exe with '-exec bypass -EncodedCommand', which is the final RCE payload delivery mechanism.
- Affected versions are INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804 only; detections scoped to TCP port 85 should be limited to hosts running sut_srv.exe in this version range to reduce false positives.
- The default install directory used in the exploit is 'PROGRA~2/stools'; detections referencing install paths should account for non-default installation directories.
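As an added example (not code from the advisory, the index or the vendor), the detection notes above turned into a small Python checker run over constructed sample access-log lines and process-creation events. It percent-decodes the request path before matching, so `%2e%2e%2f` and `%00` spellings are caught as well as the literal forms listed; the log format and the field names are assumptions for the sample.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): "client dst_port method path"
SAMPLE_HTTP = [
    "10.0.0.5 85 GET /index.html",
    "10.0.0.9 85 GET /" + "../" * 10 + "windows/win.ini",
    "10.0.0.9 85 GET /" + "..%2f" * 12 + "PROGRA~2/stools/software/LOG/sut.log%00.php",
    "10.0.0.7 80 GET /../../../../../../../../../../etc/passwd",  # wrong port: ignored
]

# Constructed process-creation events: (parent image, child image, command line)
SAMPLE_PROCS = [
    ("sut_srv.exe", "powershell.exe", "powershell.exe -exec bypass -EncodedCommand UABvAEMA..."),
    ("explorer.exe", "powershell.exe", "powershell.exe -Command Get-Date"),
]

TRAVERSAL = re.compile(r"\.\./")
NULL_PHP = re.compile(r"\x00\.php", re.IGNORECASE)


def classify_request(line, min_depth=10):
    """Return the names of the rules an access-log line triggers (empty if benign)."""
    _client, port, _method, path = line.split(" ", 3)
    if port != "85":  # sut_srv.exe only listens on TCP 85
        return []
    decoded = unquote(path)  # turns %2e%2e%2f into ../ and %00 into a NUL byte
    hits = []
    if len(TRAVERSAL.findall(decoded)) >= min_depth:
        hits.append("traversal_depth")
    if NULL_PHP.search(decoded):
        hits.append("nullbyte_php")
    if "software/LOG/" in decoded and TRAVERSAL.search(decoded):
        hits.append("log_include")
    return hits


def classify_process(parent, image, cmdline):
    """True when sut_srv.exe spawns PowerShell with an encoded, policy-bypassing command."""
    cl = cmdline.lower()
    return (parent.lower() == "sut_srv.exe" and image.lower() == "powershell.exe"
            and "-exec bypass" in cl and "-encodedcommand" in cl)


def scan(http_lines=SAMPLE_HTTP, procs=SAMPLE_PROCS):
    """Run every rule over the samples and return (rule, evidence) pairs."""
    alerts = [(rule, line) for line in http_lines for rule in classify_request(line)]
    alerts += [("sut_srv_powershell", cmd) for p, img, cmd in procs if classify_process(p, img, cmd)]
    return alerts
```

Scope the port-85 rules to hosts running the affected sut_srv.exe versions, as the notes above say, or the traversal-depth rule will fire on unrelated scanners.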
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/158556/INNEO-Startup-TOOLS-2018-M040-13.0.70.3804-Remote-Code-Execution.html
- https://www.inneo.co.uk/en/product-development/inneo-in-house-products/startup-tools.html
- https://www.inneo.de/files/content/Produktentwicklung/Tools-und-Erweiterungen/Startup-TOOLS/INNEO-SA-SUT-2020-01.pdf
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-028.txt
- https://www.syss.de/pentest-blog/2020/syss-2020-028-sicherheitsschwachstelle-in-inneo-startup-tools-2017-und-2018/