CVE-2023-47246: Uncovering the Path Traversal Vulnerability and Code Execution in SysAid On-Premise before 23.3.36

With the ever-increasing reliance on computer systems, cybersecurity concerns are becoming mandatory for any organization. One such vulnerability has been observed in SysAid On-Premise before 23.3.36, dubbed as CVE-2023-47246. This vulnerability is a path traversal exploit, leading to code execution as attackers can write a file to the Tomcat webroot. This critical vulnerability was exploited in the wild in November 2023, indicating its widespread potential for damage.

In this post, we will dive deep into CVE-2023-47246, exploring the vulnerability's origin, how the exploit works, and how to protect your systems. We highly recommend examining the official references, which are available here:

- Original CVE Entry: CVE-2023-47246
- NVD Details: NVD-CVE-2023-47246
- SysAid Release Note: SysAid 23.3.36 Release Note

Vulnerability Details

SysAid, a popular IT service management software, offers an On-Premise solution for organizations to host and manage their IT support infrastructure. According to the National Vulnerability Database (NVD), SysAid On-Premise versions before 23.3.36 had a critical path traversal vulnerability that could lead to code execution.

This vulnerability occurs due to unsafe handling of user-supplied input to the application. Attackers can manipulate the file paths provided to the system, allowing them to traverse the directory structure and gain access to sensitive information or execute malicious code by writing a file to the Tomcat webroot.

Exploit Example

An attacker can potentially create or overwrite files on the target system by submitting a specially crafted request to the vulnerable application. For instance, consider the following malicious request:

POST /sysaid-app/onprem/uploadServlet HTTP/1.1
Host: target.example.com
Content-Type: multipart/form-data; boundary=xxxxxxxx

-xxxxxxxx
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../usr/local/tomcat/webapps/ROOT/malicious.jsp"
Content-Type: text/plain

<% System.out.println("Hello, World!"); %>
-xxxxxxxx--

In this example, the attacker supplies a crafted filename parameter with multiple ../ sequences. These sequences traverse the directory structure, eventually writing a file named malicious.jsp containing the malicious code in the Tomcat webroot. When this file is accessed through a web browser, the malicious code will be executed on the server.

Defense Mechanisms

To protect against this vulnerability, SysAid has released version 23.3.36, which addresses the issue. Organizations using SysAid On-Premise are encouraged to update their installations to the latest version immediately. The release note for this update can be found here: SysAid 23.3.36 Release Note

Additionally, organizations should adhere to security best practices while dealing with file uploads and user input in general. This includes input validation, output encoding, proper access controls, and regular security audits.

Conclusion

CVE-2023-47246, the path traversal vulnerability in SysAid On-Premise before 23.3.36, is a critical security concern due to its potential for code execution. As observed in the wild in November 2023, attackers can exploit this vulnerability to gain unauthorized access and compromise sensitive data.

To safeguard against this vulnerability, organizations must ensure they update their SysAid installations to version 23.3.36 or later and follow industry-standard security practices.

Timeline

Published on: 11/10/2023 06:15:30 UTC
Last modified on: 11/13/2023 17:28:37 UTC