Monday, April 2, 2012

Sysax Directory Traversal Exploit

Hello Sysax, it's me again. I keep wondering when you are going to call me and offer me a free license or a candy bar, or something. The phone hasn't rung yet; I'll keep waiting.

There is a directory traversal vulnerability in Sysax Multi Server v5.55 and below. Because the software installs and runs as LOCALSYSTEM by default, you can retrieve any file you want.

The issue occurs here:

http://TARGET/scgi?sid=46de6680d6e99131e29ac1d58a49b286fce6e228&file=c:\SOMEDIRECTORY\../../../../../../../boot.ini

I wrote a tool that exploits this vulnerability. It's a shitload of overkill for a directory traversal because you can just use your browser and get the same results, but it was worth the exercise. The tool will grab any file of your choosing, as long as it is not in use. You must have valid credentials to log into the application, and you also need to have an existing subfolder or a file in your "home directory." The reason is that the directory traversal only occurs after your home directory. There may be others, but I couldn't find one anywhere else. However, if you don't have a file or folder in your home directory, the script will attempt to upload a file for you. Keep in mind that if the admin is using My Documents folders, for example, a Desktop.ini (hidden file) is likely already in there.
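The following is an added example, not code from the original post or from Sysax: a Python sketch of a server-side check that rejects this class of request by canonicalizing the `file` parameter before comparing it to the home directory. It assumes the home directory is c:\SOMEDIRECTORY as in the URL above; `naive_allowed` is a hypothetical prefix-only check shown for contrast, not the vendor's code, and all function names are illustrative.

```python
import ntpath  # Windows path rules, usable on any host OS
from urllib.parse import urlsplit, parse_qs

HOME = r"c:\SOMEDIRECTORY"  # assumed home directory, taken from the URL above


def file_param(url):
    """Return the decoded `file` query parameter of a request URL."""
    values = parse_qs(urlsplit(url).query).get("file", [])
    return values[0] if values else None


def naive_allowed(home, requested):
    """Hypothetical weak check: raw string prefix, no canonicalization."""
    return requested.lower().startswith(home.lower())


def resolve_inside(home, requested):
    """Canonicalize `requested`; return it only if it stays under `home`."""
    home_c = ntpath.normcase(ntpath.normpath(home))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(home_c, requested)))
    try:
        # commonpath compares whole components, so c:\SOMEDIRECTORY2 != home
        inside = ntpath.commonpath([home_c, full]) == home_c
    except ValueError:  # different drives, or absolute mixed with relative
        return None
    return full if inside else None


# Constructed sample requests; the first has the shape shown in the post.
SAMPLES = [
    r"http://TARGET/scgi?sid=SID&file=c:\SOMEDIRECTORY\../../../../../../../boot.ini",
    r"http://TARGET/scgi?sid=SID&file=c:\SOMEDIRECTORY\docs\report.txt",
    r"http://TARGET/scgi?sid=SID&file=c:\SOMEDIRECTORY2\notes.txt",
]

if __name__ == "__main__":
    for url in SAMPLES:
        req = file_param(url)
        print(f"{req!r}: naive={naive_allowed(HOME, req)} "
              f"canonical={resolve_inside(HOME, req)}")
```

The prefix-only check accepts the first and third requests, while the canonical check returns a path only for the second.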

The vendor attempted to fix this in version 5.57 but their fix did not work. I will update this blog when they fix the issue.

****Update 4-25-2012****
The vendor has just notified me that this has been fixed in version 5.60.

The vulnerable software is here:
http://www.mediafire.com/download.php?iebrbz2n04vm6sr

The exploit is here:
http://www.exploit-db.com/exploits/18695/

Here is a video demo of the tool:
https://vimeo.com/39704656