Tuesday, June 19, 2012

Sysax Admin Interface Local Priv Exploit

Sysax has an administrative interface that, when enabled, is bound to port 88. This interface has a buffer overflow vulnerability in the "e2" parameter of the "scriptpathbrowse2.htm" functionality. The exploit I wrote is a local privilege escalation exploit, but the vulnerability could be remotely exploitable in the right circumstances. The user would simply have to enable the functionality and bind it to

This is the option you need set for the local exploit to work:


The same issue exists on the following pages:
  • force_homepath_browse2.htm
  • pathbrowse2.htm
  • newaccountbrowse2.htm
Basically, anywhere you can browse for a file or "go up to parent directory", the buffer overflow exists.
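As an added defender-side example (not code from the original post or from Sysax), here is a small log check that flags requests to the affected browse pages whose "e2" parameter is far longer than any real path. It assumes a common-log-format access log and a length threshold of 260, both of which are assumptions rather than details from the post; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pages the post lists as sharing the overflow in their browse / "go up" handling.
AFFECTED_PAGES = {
    "scriptpathbrowse2.htm",
    "force_homepath_browse2.htm",
    "pathbrowse2.htm",
    "newaccountbrowse2.htm",
}
# Assumed threshold (not from the post): an "e2" value longer than this is
# flagged. Tune it to the longest legitimate path your deployment uses.
MAX_E2_LEN = 260

# Assumed common-log-format request line; the post does not show Sysax's own
# log layout, so adapt the pattern to whatever your logs actually look like.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def check_log_line(line):
    """Return a finding dict for a suspicious request, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    page = parts.path.rsplit("/", 1)[-1].lower()
    if page not in AFFECTED_PAGES:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("e2", [])
    longest = max((len(v) for v in values), default=0)
    if longest > MAX_E2_LEN:
        return {"src": m.group("ip"), "page": page, "e2_len": longest}
    return None

def scan(lines):
    """Run check_log_line over every line and keep only the findings."""
    return [f for f in (check_log_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic): a normal browse request,
# one with an oversized e2 value, and one oversized value on an unaffected page.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2012:10:00:00 +0000] "GET /scriptpathbrowse2.htm?e2=C:%5Cscripts HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Jun/2012:10:00:01 +0000] "GET /pathbrowse2.htm?e2=' + "A" * 1200 + ' HTTP/1.1" 200 0',
    '10.0.0.5 - - [19/Jun/2012:10:00:02 +0000] "GET /index.htm?e2=' + "A" * 1200 + ' HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```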

Here is a demo of the exploit:


Sysax has fixed this in version 5.64.

