CVE-2015-6589
Published: 2020-02-13
Priority: P2 · 66 · high · CVSS 3.1 score 8.8 · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 13.58% (96.0th percentile)
Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.0.0.0 before 7.0.0.33, 8.0.0.0 before 8.0.0.23, 9.0.0.0 before 9.0.0.19, and 9.1.0.0 before 9.1.0.9 allows remote authenticated users to write to and execute arbitrary files due to insufficient restrictions in file paths to json.ashx.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | virtual_system_administrator | >= 7.0.0.0 < 7.0.0.33 | 7.0.0.33 |
| kaseya | virtual_system_administrator | >= 8.0.0.0 < 8.0.0.23 | 8.0.0.23 |
| kaseya | virtual_system_administrator | >= 9.0.0.0 < 9.0.0.19 | 9.0.0.19 |
| kaseya | virtual_system_administrator | >= 9.1.0.0 < 9.1.0.9 | 9.1.0.9 |
Detection & IOCs (extracted from sources)
- Monitor for multipart POST requests to /vsapres/web20/json.ashx containing a 'directory' field with path traversal sequences (e.g., '../WebPages') and a 'request' field set to 'uploadFile'.
- Alert on multipart form-data uploads to json.ashx where the 'directory' parameter contains '../' directory traversal sequences.
- Detect upload of .asp or .aspx webshell files via the 'impinf__uploadfilelocation' form field in requests to json.ashx.
- Look for the 'ReferringWebWindowId' parameter (GUID format) in POST requests to /vsapres/web20/json.ashx, which is required by the exploit to authenticate the upload.
- Monitor for new .asp/.aspx files appearing directly under the Kaseya WebPages root directory, which would indicate a successful traversal-based upload.
- Detect sequential GET requests to /vsapres/web20/core/login.aspx followed immediately by a POST to /vsapres/web20/json.ashx with a multipart upload, characteristic of the kazPwn exploit chain.
- The exploit requires the attacker to be authenticated; an active VSA session cookie and a valid ReferringWebWindowId (GUID) must be obtained before the upload request is made.
- The directory traversal path '../WebPages' assumes the default Kaseya installation path (C:\Kaseya\WebPages\); non-default install paths may require a different traversal string, and Kaseya reportedly discloses invalid paths in error responses.
- CVE-2015-6589 (authenticated) is distinct from CVE-2015-6922 (unauthenticated upload and privilege escalation); detections should be scoped accordingly.
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB: Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (2)
exploitdb · 2015-09-29 · CVSS 9.8 · CVE-2015-6922 [CRITICAL]
Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (2)
---
Kaseya VSA is an IT management platform for small and medium corporates.
From its console you can control thousands of computers and mobile
devices. So if you own the Kaseya server, you own the organisation.
With this post I'm also releasing two Metasploit modules ([E1], [E2])
and a Ruby file ([E3]) that exploit the vulnerabilities described below.
A special thanks to ZDI for assisting with the disclosure of these
vulnerabilities. The full advisory text is below, but can also be
obtained from my repo at [E4].
[E1] https://github.com/rapid7/metasploit-framework/pull/6018
[E2] https://github.com/rapid7/metasploit-framework/pull/6019
[E3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/kazPwn.rb
Exploit-DB: Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload
exploitdb · 2015-09-28 · CVSS 8.8 · CVE-2015-6589 [HIGH]
Kaseya Virtual System Administrator (VSA) 7.0 / Agile Information Security
# Disclosure date: 28/09/2015
#
# Usage: ./kazPwn.rb http[s]://[:port]
#
# execjs and mechanize gems are required to run this exploit
#
# According to Kaseya's advisory, this exploit should work for the following VSA versions:
# VSA Version 7.0.0.0 – 7.0.0.32
# VSA Version 8.0.0.0 – 8.0.0.22
# VSA Version 9.0.0.0 – 9.0.0.18
# VSA Version 9.1.0.0 – 9.1.0.8
# This exploit has been tested with v8 and v9.
#
# Check out these two companion vulnerabilities, both of which have Metasploit modules:
# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449)
# - Unauthenticated remote privilege escalation (CVE-2015-6922 / ZDI-15-448)
#
# This code is released under the GNU General Public License v3
# http://www.gnu
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/133782/Kaseya-Virtual-System-Administrator-Code-Execution-Privilege-Escalation.html
- http://www.zerodayinitiative.com/advisories/ZDI-15-450
- https://www.exploit-db.com/exploits/38351/
- https://www.securityfocus.com/bid/76838