A security researcher has found zero day vulnerabilities granting administrative access to managed service provider (MSP) platforms used by the likes of Ferrari, the US Air Force and government agencies.
The flaws existed in enterprise managed services providers Kaseya and ManageEngine and were revealed in a demonstration given at the Kiwicon 6 security conference in Wellington.
SC contacted the companies for comment.
Kaseya president Mark Sutherland said the company was investigating the flaw.
"Kaseya always welcomes hearing directly from anyone who thinks they have found a hole, or have shown an exploit (as in this case), or is just worried about security of our system," Sutherland told SC.
"We take this extremely seriously and drop everything to re-mediate the problem as soon as we hear of it. Typically we get a patch out within a day or two."
The security researcher, name withheld, also described a recently-patched vulnerability in N-Central which granted similar admin access.
“If you drink the Kool-Aid, MSPs will also do you software deployment, endpoint security and backup – so if you own this, you basically can destroy an organisation from the inside-out,” he said.
In the demonstration, the researcher created an administrator account on Kaseya by injecting malicious script into a registry key used by the Kaseya user agent. This was accepted by the MSP due to a vulnerability in which it failed to properly validate its database.
"The way we inject our code is by modifying the registry key," he said to laughs from the audience followed by applause as a new admin firstname.lastname@example.org was successfully uploaded
“It's a SaaS (Software-as-a-Service) model, so you'll be able to get plenty of shells."
The demonstration of the ManageEngine vulnerability had failed during the presentation, but researcher said the exploit worked and the vulnerability had not been patched.
It worked by spoofing agent registration in version six of the MSPCentre Plus agent.
“The agent processes a single unauthenticated GET request with no signature, nothing, and – had [the demo] worked – we would have injected our XSS (Cross Site Scripting) string, gone back to the agent console, refreshed the page which makes a call back to our cookiestealer.js, load that and post it back to the server where I'd get the cookie string and then copy the cookie into Firefox," he said.
“I would have also showed uploading a Metaspolit payload to that machine and getting back system shell because the machine manages itself – and you can just do a software deployment task to deploy the metaspolit shell to it.”
Exploiting the since patched vulnerability in N-Central required a user to be logged in but no user interaction. It targeted the agent's recovery “rescue me” function, and allowed an attacker to tunnel in.