Researcher owns blue chip managed service platforms

Powered by SC Magazine
 

Zero day dropped at #Kiwicon.


A security researcher has found zero day vulnerabilities granting administrative access to managed service provider (MSP) platforms used by the likes of Ferrari, the US Air Force and government agencies.

The flaws existed in the managed services platforms of Kaseya and ManageEngine and were revealed in a demonstration given at the Kiwicon 6 security conference in Wellington.

SC contacted the companies for comment.


Kaseya president Mark Sutherland said the company was investigating the flaw.

"Kaseya always welcomes hearing directly from anyone who thinks they have found a hole, or have shown an exploit (as in this case), or is just worried about security of our system," Sutherland told SC.

"We take this extremely seriously and drop everything to remediate the problem as soon as we hear of it. Typically we get a patch out within a day or two."

The security researcher, name withheld, also described a recently-patched vulnerability in N-Central which granted similar admin access.

“If you drink the Kool-Aid, MSPs will also do you software deployment, endpoint security and backup – so if you own this, you basically can destroy an organisation from the inside-out,” he said.

In the demonstration, the researcher created an administrator account on Kaseya by injecting malicious script into a registry key used by the Kaseya user agent. The platform accepted the injected data because of a vulnerability in which it failed to properly validate data before it reached its database.

"The way we inject our code is by modifying the registry key," he said, to laughs from the audience followed by applause as a new admin, hacker@hacker.com, was successfully uploaded.

"It's a SaaS (Software-as-a-Service) model, so you'll be able to get plenty of shells."

The demonstration of the ManageEngine vulnerability failed during the presentation, but the researcher said the exploit worked and the vulnerability had not been patched.

It worked by spoofing agent registration in version six of the MSPCentre Plus agent.

“The agent processes a single unauthenticated GET request with no signature, nothing, and – had [the demo] worked – we would have injected our XSS (Cross Site Scripting) string, gone back to the agent console, refreshed the page which makes a call back to our cookiestealer.js, load that and post it back to the server where I'd get the cookie string and then copy the cookie into Firefox," he said.

"I would have also showed uploading a Metasploit payload to that machine and getting back system shell because the machine manages itself – and you can just do a software deployment task to deploy the Metasploit shell to it."

Exploiting the since-patched vulnerability in N-Central required a user to be logged in, but no user interaction. It targeted the agent's "rescue me" recovery function and allowed an attacker to tunnel in.

Copyright © SC Magazine, Australia