Brit infosec bod finds Kaseya 'master admin' remote code exec holes

Three remote code execution and privilege escalation flaws have been reported in the Kaseya IT management software which when chained enable unauthenticated attackers to gain 'master admin' status.

The remote upload holes reported by British Agile Information Security bod Pedro Ribeiro and since patched allow attackers to upload arbitrary code to Kaseya Virtual System Administrator.

Any net crim can exploit words one vulnerability (CVE-2015-6922) to upload and execute arbitrary code on the server under the context of IIS.

That flaw rated a severity score of 7.5 exists within the uploader.aspx page which fails to enforce authentication and does not restrict destination file paths.

A privilege escalation flaw in the same feature and also rated 7.5 uin severity will make attackers 'master admins'.

That happens because the forwarding service in the setaccount.aspx page does not properly enforce user authentication before they can manipulate accounts.

"Attackers can use this vulnerability to become "Master Admin" in the application and execute arbitrary code on all managed devices," the Zero Day Initiative advisory states.

Ribeiro rounds out the trio of holes with a less serious authenticated remote code execution vulnerability rated 6.5.

It exists within the json.ashx HTTP handler that does not restrict destination file paths. Attackers can leverage this vulnerability to upload and execute arbitrary code on the server under the context of IIS. ®