Researcher owns blue chip managed service platforms

Powered by SC Magazine
 

Zero-day dropped at #Kiwicon.


A security researcher has found zero-day vulnerabilities granting administrative access to managed service provider (MSP) platforms used by the likes of Ferrari, the US Air Force and government agencies.

The flaws existed in the enterprise managed service platforms Kaseya and ManageEngine and were revealed in a demonstration given at the Kiwicon 6 security conference in Wellington.

SC contacted the companies for comment.


Kaseya president Mark Sutherland said the company was investigating the flaw.

"Kaseya always welcomes hearing directly from anyone who thinks they have found a hole, or have shown an exploit (as in this case), or is just worried about security of our system," Sutherland told SC.

"We take this extremely seriously and drop everything to re-mediate the problem as soon as we hear of it. Typically we get a patch out within a day or two."

The security researcher, whose name has been withheld, also described a recently patched vulnerability in N-Central which granted similar admin access.

“If you drink the Kool-Aid, MSPs will also do you software deployment, endpoint security and backup – so if you own this, you basically can destroy an organisation from the inside-out,” he said.

In the demonstration, the researcher created an administrator account on Kaseya by injecting malicious script into a registry key used by the Kaseya user agent. The MSP platform accepted the new account because of a vulnerability in which it failed to properly validate its database.

"The way we inject our code is by modifying the registry key," he said, to laughs and then applause from the audience as a new admin account, hacker@hacker.com, was successfully created.

"It's a SaaS (Software-as-a-Service) model, so you'll be able to get plenty of shells."

The demonstration of the ManageEngine vulnerability failed during the presentation, but the researcher said the exploit worked and the vulnerability had not been patched.

The exploit worked by spoofing agent registration in version six of the MSPCentre Plus agent.

"The agent processes a single unauthenticated GET request with no signature, nothing, and – had [the demo] worked – we would have injected our XSS (Cross Site Scripting) string, gone back to the agent console, refreshed the page which makes a call back to our cookiestealer.js, load that and post it back to the server where I'd get the cookie string and then copy the cookie into Firefox," he said.

"I would have also showed uploading a Metasploit payload to that machine and getting back a system shell because the machine manages itself – and you can just do a software deployment task to deploy the Metasploit shell to it."

Exploiting the since-patched vulnerability in N-Central required a user to be logged in but no user interaction. It targeted the agent's recovery "rescue me" function and allowed an attacker to tunnel in.

Copyright © SC Magazine, Australia
