Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability

Title: Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability
Advisory ID: ZSL-2016-5330
Type: Local/Remote
Impact: Manipulation of data, DoS
Risk: (3/5)
Release Date: 16.06.2016
Summary
The Sentinel License Manager enforces and manages licensing in multi-user environment. It keeps track of all the licenses and handles requests from network users who want to run your application, granting authorization to the requesters to allow them to run the application, and denying requests when all licenses are in use. It is an integral component of the network licensing schemes that can be implemented with Sentinel RMS, namely server-locked licenses, site licenses and commuter licenses.
Description
Input passed via the 'alpremove' and 'check_in_file' parameters is not properly verified in '/_int_/action.html' and '/_int_/checkin_file.html' before being used to delete and create files. This can be exploited to arbitrarily delete sensitive information on a system and/or write files via directory traversal attacks.
Vendor
Gemalto NV | SafeNet, Inc - http://www.gemalto.com | http://www.safenet-inc.com
Affected Version
18.0.1.55505
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
HASP LM/18.00 (web server)
Vendor Status
N/A
PoC
hasp_dir.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/39968/
[2] https://cxsecurity.com/issue/WLB-2016060121
[3] https://packetstormsecurity.com/files/137513
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/114209
Changelog
[16.06.2016] - Initial release
[18.06.2016] - Added reference [2] and [3]
[21.06.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk