header-logo
Suggest Exploit
vendor:
Sysaid
by:
Ahmed Sherif
8.8
CVSS
HIGH
GhostCat Attack
20
CWE
Product Name: Sysaid
Affected Version From: Sysaid v20.1.11 b26
Affected Version To: Sysaid v20.1.11 b26
Patch Exists: Yes
Related CWE: None
CPE: a:sysaid:sysaid:20.1.11
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows Server 2016
2020

Sysaid 20.1.11 b26 – Remote Command Execution

The default installation of Sysaid is enabling the exposure of AJP13 protocol which is used by tomcat instance, this vulnerability has been released recently on different blogposts. An attacker would be able to exploit the vulnerability and read the Web.XML of Sysaid. It was found on the Sysaid application that an attacker would be able to upload files without authenticated by directly access the below link: http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent= In the above screenshot, it shows that an attacker can execute commands in the system without any prior authentication to the system.

Mitigation:

Disable the AJP13 protocol in the Sysaid application and ensure that the application is not exposed to the public.
Source

Exploit-DB raw data:

# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
# Date: 2020-03-09
# Exploit Author: Ahmed Sherif
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
# Software Link: [https://www.sysaid.com/free-help-desk-software
# Version:  Sysaid v20.1.11 b26
# Tested on: Windows Server 2016
# CVE : None

GhostCat Attack

The default
installation of Sysaid is enabling the exposure of AJP13 protocol which is used
by tomcat instance, this vulnerability has been released recently on
different blogposts
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.


*Proof-of-Concept*

[image: image.png]

The
attacker would be able to exploit the vulnerability and read the Web.XML of
Sysaid.
Unauthenticated File Upload

It was
found on the Sysaid application that an attacker would be able to upload files
without authenticated by directly access the below link:

http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=



In the above screenshot, it shows that an attacker can execute commands
in the system without any prior authentication to the system.

Navigation

Suggest Exploit

Services By CQR