Lucene search

K
zdtAhmed Sherif1337DAY-ID-34281
HistoryApr 21, 2020 - 12:00 a.m.

Sysaid 20.1.11 b26 Remote Command Execution Vulneravility

2020-04-2100:00:00
Ahmed Sherif
0day.today
38

EPSS

0.007

Percentile

80.9%

Sysaid version 20.1.11 b26 suffers from an AJP13 remote command execution vulnerability.

# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
# Exploit Author: Ahmed Sherif
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
# Software Link: [https://www.sysaid.com/free-help-desk-software
# Version:  Sysaid v20.1.11 b26
# Tested on: Windows Server 2016
# CVE : CVE-2020-10569

GhostCat Attack

The default
installation of Sysaid is enabling the exposure of AJP13 protocol which is used
by tomcat instance, this vulnerability has been released recently on
different blogposts
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.


*Proof-of-Concept*

[image: image.png]

*Unauthenticated File Upload
*
It was found on the Sysaid application that an attacker would be able
to upload files without authenticated by directly access the below
link:
http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=



In the above screenshot, it shows that an attacker can execute commands
in the system without any prior authentication to the system.

#  0day.today [2020-07-20]  #

EPSS

0.007

Percentile

80.9%