CVE-2015-6922
Published 2020-02-17
Priority P187 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 82.10% (99.6th percentile)
Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaseya | virtual_system_administrator | >= 7.0.0.0 < 7.0.0.33 | 7.0.0.33 |
| kaseya | virtual_system_administrator | >= 8.0.0.0 < 8.0.0.23 | 8.0.0.23 |
| kaseya | virtual_system_administrator | >= 9.0.0.0 < 9.0.0.19 | 9.0.0.19 |
| kaseya | virtual_system_administrator | >= 9.1.0.0 < 9.1.0.9 | 9.1.0.9 |
Detection & IOCs (extracted from sources)
command: POST /LocalAuth/setAccount.aspx sessionVal=&adminName=&NewPassword=&confirm=&[email protected]&setAccount=Create
- Detect unauthenticated GET requests to /ConfigTab/uploader.aspx or /ConfigTab/serverfiles.asp: the server issues a 302 redirect to /mainLogon.asp?logout= but also sets a valid sessionId cookie, which attackers harvest for the subsequent unauthenticated file upload.
- Alert on POST requests to /LocalAuth/setAccount.aspx containing the parameter setAccount=Create; this is the unauthenticated Master Administrator account creation exploit.
- Monitor for .asp file creation under Kaseya WebPages directories (C:\Kaseya\WebPages\, C:\Program Files\Kaseya\WebPages\, etc.) by the IUSR account, which indicates successful webshell deployment via the uploader.aspx vulnerability.
- The exploit's check for a successful upload is the JSON string '"success": "true"' in the HTTP 200 response body from /ConfigTab/uploader.aspx; monitor for this pattern in web server logs (standard IIS access logs do not record response bodies, so this needs a reverse proxy or WAF that logs them).
- The uploader.aspx endpoint issues a 302 redirect to /mainLogon.asp?logout= for unauthenticated requests, but still sets a valid sessionId cookie in the response. Attackers intentionally ignore the redirect and extract the sessionId from the 302 response to use in the subsequent file upload POST; network controls that only block non-302 unauthenticated access are insufficient.
- The PathData parameter accepts a full absolute Windows path, and the application discloses whether a given path exists, allowing attackers to enumerate valid installation directories before uploading. Detection rules should cover all common drive letters (C:, D:, E:) and both 32-bit and 64-bit Program Files paths.
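The detection points above can be turned into a small log-side and host-side rule set. The following is an added example written for this page, not code from the CVE record, the Metasploit modules or the advisory. It assumes IIS W3C-style access logs with the field order date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status; that PathData is visible in the logged query string (IIS does not log POST bodies by default, so where PathData travels only in the body the endpoint-and-method rule still fires); and it adds the 64-bit "Program Files (x86)" WebPages path as an assumption, since the record names only the two paths and "etc.". The sample log lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample IIS W3C-style log lines (not taken from the page or any real server).
# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2015-10-05 10:00:01 203.0.113.7 GET /ConfigTab/uploader.aspx - 302
2015-10-05 10:00:02 203.0.113.7 POST /ConfigTab/uploader.aspx PathData=D:\\Kaseya\\WebPages\\x.asp 200
2015-10-05 10:00:03 203.0.113.7 POST /LocalAuth/setAccount.aspx setAccount=Create 200
2015-10-05 10:00:04 127.0.0.1 POST /LocalAuth/setAccount.aspx setAccount=Create 200
2015-10-05 10:00:05 198.51.100.9 GET /mainLogon.asp - 200
"""

UPLOAD_ENDPOINTS = {"/configtab/uploader.aspx", "/configtab/serverfiles.asp"}
SETACCOUNT_ENDPOINT = "/localauth/setaccount.aspx"
# Any drive letter, so C:, D:, E: ... are all covered as the record recommends.
ABS_WIN_PATH = re.compile(r"pathdata=[a-z]:\\", re.IGNORECASE)
# .asp/.aspx written under a Kaseya WebPages tree on any drive, under a bare \Kaseya\,
# \Program Files\Kaseya\ or (assumed here) \Program Files (x86)\Kaseya\.
WEBSHELL_PATH = re.compile(
    r"^[a-z]:\\(program files( \(x86\))?\\)?kaseya\\webpages\\.*\.aspx?$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    severity: str
    client: str


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def analyze_log(text: str) -> list[Alert]:
    """Apply the request-side rules from the record to each access-log line."""
    alerts = []
    for n, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 7:
            continue  # skip blank or malformed lines
        _date, _time, client, method, stem, query, _status = parts
        stem_l = stem.lower()
        remote = not _is_loopback(client)
        if stem_l == SETACCOUNT_ENDPOINT and method == "POST":
            # setAccount.aspx is meant to be reachable only via localhost; a POST from
            # anywhere else is the authentication-bypass account creation.
            sev = "high" if remote else "low"
            alerts.append(Alert(n, "setaccount-create", sev, client))
        elif stem_l in UPLOAD_ENDPOINTS and remote:
            if method == "POST" and ABS_WIN_PATH.search(query):
                alerts.append(Alert(n, "uploader-absolute-path", "high", client))
            else:
                # The 302 to mainLogon.asp still hands out a sessionId, so even a
                # redirected unauthenticated hit is worth recording.
                alerts.append(Alert(n, "uploader-unauth-probe", "medium", client))
    return alerts


def is_webshell_drop(path: str, user: str) -> bool:
    """Host-side rule: ASP file written under a WebPages tree by the IUSR identity."""
    return user.upper() == "IUSR" and WEBSHELL_PATH.match(path) is not None


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
    print(is_webshell_drop(r"C:\Program Files\Kaseya\WebPages\cmd.asp", "IUSR"))
```

The setAccount rule fires for loopback clients too, at low severity, because the record says the page is only meant for localhost use; tuning that to zero for a known management host is a local decision. The file-creation rule is meant to be fed from a file-integrity or Sysmon-style event stream that carries the writing account.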
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB · 2015-10-05
Kaseya Virtual System Administrator (VSA) - 'uploader.aspx' Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Kaseya VSA uploader.aspx Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions
        between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary
        directory leading to arbitrary code execution with IUSR privileges. This module has been
        tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
      },
      'Author'         =>
        [
          'Pedro Ribeiro ' # Vulnerability discovery and updated MSF module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
Exploit-DB · 2015-09-29 · CVSS 9.8 [CRITICAL]
Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (2)
---
Kaseya VSA is an IT management platform for small and medium corporates.
From its console you can control thousands of computers and mobile
devices. So if you own the Kaseya server, you own the organisation.
With this post I'm also releasing two Metasploit modules ([E1], [E2])
and a Ruby file ([E3]) that exploit the vulnerabilities described below.
A special thanks to ZDI for assisting with the disclosure of these
vulnerabilities. The full advisory text is below, but can also be
obtained from my repo at [E4].
[E1] https://github.com/rapid7/metasploit-framework/pull/6018
[E2] https://github.com/rapid7/metasploit-framework/pull/6019
[E3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/kazPwn.rb
Exploit-DB · 2015-09-28 · CVSS 8.8 [HIGH] · CVE-2015-6589
Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload
Kaseya Virtual System Administrator (VSA) 7.0 / Agile Information Security
# Disclosure date: 28/09/2015
#
# Usage: ./kazPwn.rb http[s]://[:port]
#
# execjs and mechanize gems are required to run this exploit
#
# According to Kaseya's advisory, this exploit should work for the following VSA versions:
# VSA Version 7.0.0.0 – 7.0.0.32
# VSA Version 8.0.0.0 – 8.0.0.22
# VSA Version 9.0.0.0 – 9.0.0.18
# VSA Version 9.1.0.0 – 9.1.0.8
# This exploit has been tested with v8 and v9.
#
# Check out these two companion vulnerabilities, both of which have Metasploit modules:
# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449)
# - Unauthenticated remote privilege escalation (CVE-2015-6922 / ZDI-15-448)
#
# This code is released under the GNU General Public License v3
# http://www.gnu
Metasploit
Kaseya VSA uploader.aspx Arbitrary File Upload
This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory leading to arbitrary code execution with IUSR privileges. This module has been tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
Metasploit
Kaseya VSA Master Administrator Account Creation
This module abuses the setAccount page on Kaseya VSA between 7 and 9.1 to create a new Master Administrator account. Normally this page is only accessible via the localhost interface, but the application does nothing to prevent this apart from attempting to force a redirect. This module has been tested with Kaseya VSA v7.0.0.17, v8.0.0.10 and v9.0.0.3.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/133782/Kaseya-Virtual-System-Administrator-Code-Execution-Privilege-Escalation.html
- http://www.zerodayinitiative.com/advisories/ZDI-15-448
- http://www.zerodayinitiative.com/advisories/ZDI-15-449
- https://helpdesk.kaseya.com/entries/96164487--Kaseya-Security-Advisory
- https://www.exploit-db.com/exploits/38351/
Published: 2020-02-17