Pages

Monday, April 2, 2012

Sysax Directory Traversal Exploit

Hello Sysax, its me again. I keep wondering when you are going to call me and offer me a free license or a candy bar, or something. The phone hasn't rung yet, I'll keep waiting.

There is a directory traversal vulnerability in Sysax Multi Server v5.55 and below. Due to the fact that the software installs and runs as LOCALSYSTEM by default, you can retrieve any file you want.

The issue occurs here:

http://TARGET/scgi?sid=46de6680d6e99131e29ac1d58a49b286fce6e228&file=c:\SOMEDIRECTORY\../../../../../../../boot.ini

I wrote a tool that exploits this vulnerability. It's a shitload of overkill for a directory traversal because you can just use your browser and get the same results, it was worth the exercise. The tool will grab any file of your choosing, as long as it is not in use. You must have valid credentials to log into the application and you also need have an existing sub folder or a file in your "home directory." Reason being, the directory traversal only occurs after your home directory. There may be others but I couldn't find one anywhere else. However, if you don't have a file or folder in your home directory, the script will attempt to upload a file for you. Keep in mind, if the admin is using My Documents folders for example, a Desktop.ini (hidden file) is likely already in there.

The vendor attempted to fix this in version 5.57 but their fix did not work. I will update this blog when they fix the issue.

****Update 4-25-2012****
The vendor has just notified me that this has been fixed in version 5.60

The vulnerable software is here:
http://www.mediafire.com/download.php?iebrbz2n04vm6sr

The exploit is here:
http://www.exploit-db.com/exploits/18695/

Here is a video demo of the tool:
https://vimeo.com/39704656

4 comments:

Rudra said...

Hi Craig
I have been following your blogs for quite some time now, thanks for writing.
A general question : what steps do you follow to release a exploit? do you contact the vendor yourself ? What happens if they are not happy and they release the lawyers on you? If you submit the exploit to exploit-db, do they assume any liability, i guess not. was just curious what approach is supposed to be followed
-Amol

Craig said...

I try to loosely follow the responsible disclosure policies that Accuvant and Rapid7 publish.

All the vendors that I've worked with for my bugs have been pretty cooperative. Sysax for example, fixes their bugs very quickly, which is awesome. Most vendors are thankful that I've contacted them and ultimately want to make their product more secure.

I generally contact the vendor, give them a week or so to respond, provide the details (always maintaining a professional tone and advising why I am doing what I am doing). Then I give them a reasonable amount of time to fix the vuln and then release the exploit. However, sometimes they don't respond so it becomes a judgement call on what to do. If it's a very serious bug you can keep contacting them but even Accuvant and Rapid7 will publicly disclose if the vendor simply ignores their notifications after a certain amount of time.

If you act professional and reasonable the vendor isn't going to send the lawyers after you. However, none of the bugs I have found are earth shattering so it's never even been an issue. With that said, a guy like Luigi Auriemma who's found a lot of SCADA bugs might have dealt with stickier situations. My bugs have all been "off the radar" (except for sysax username bof) so it's never been a problem for me.

Lomos said...

Hello
Do you have any idea about this error:

[*] Logging in
Traceback (most recent call last):
File "18695.py", line 134, in
main()
File "18695.py", line 48, in main
page = r.recv(4096)
socket.error: [Errno 10054] An existing connection was forcibly closed by the remote host

Craig said...

Sounds like you're connecting to the wrong port. Can you manually envoke the dir trav by browsing to boot.ini with your browser? Note the URL I mention in the beginning of the post...