Tuesday, January 17, 2012

Sysax Multi Server 5.50 Exploit

Jan 26, 2012:
None of the stuff below matters because my original exploit sucked, but I managed to convert it to a Metasploit module and automate the SID gathering process:

Jan 15, 2012:
Here are the notes and assumptions for the Sysax bug I found:
  1. HTTP has to be enabled as a connection protocol, which is not a default setting. This essentially turns the FTP server into a web-based file transfer service.
  2. This exploit requires authentication.
  3. The authenticated user needs to have "create" permission for folders enabled, which is also not a default setting.
  4. This exploit requires a "SID" parameter. This can be found by logging into the web app and clicking on the "create folder" link. The SID is in your address bar. It's 40 bytes long between the = and &. I could not figure out how this was generated by the system, so this is a manual process.
  5. Sysax Multi Server runs as LOCALSYSTEM by default ;)
I suspect there are other bugs in this web app. During fuzzing, I was able to get this app to crash, but this was the only bug that would consistently crash the app.

Bravo to the vendor for quickly addressing this issue 2 days after I reported it and posting a fix, version 5.52.

The vendor already removed the old version from their site. To get a copy of the vulnerable 5.50 version you can get it from here:

For the exploit, go here:
