Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Kaseya KServer Unrestricted File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An unrestricted file upload vulnerability has been identified in Kaseya KServer versions prior to 6.3.0.2. The issue lies in the uploadImage.asp endpoint, which accepts a multipart/form-data POST request without authentication and uses the client-supplied filename parameter to decide where the uploaded file is written. Because the filename is neither validated nor restricted to an image type, an attacker can include directory traversal sequences in it to place a file with an .asp extension in a directory accessible via the web. Requesting that file then executes its contents with the privileges of the IUSR account, giving unauthenticated remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running under the IUSR account privileges.

Reproduction

To reproduce this vulnerability, send a multipart/form-data POST request to the uploadImage.asp endpoint whose filename parameter includes directory traversal sequences so that the file lands in a web-accessible directory, and whose file content is an ASP file carrying the attacker's code. Once the file has been uploaded, requesting it over HTTP executes the embedded code.
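The request shape described in the Vulnerability and Reproduction sections, worked through as an added example that is not Kaseya's code: a minimal multipart/form-data parser, the naive path join an endpoint performs when it trusts the client-supplied filename, and the basename-plus-extension-allow-list validation that closes the hole. The upload directory C:\app\images, the boundary string, the sample filenames and the request bodies are constructed for the illustration; the page does not give Kaseya's real directory layout or the exact exploitation path, and none is assumed here.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Assumed policy for an image-upload endpoint: an extension allow-list.
ALLOWED_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
# Hypothetical upload directory (not Kaseya's real layout).
UPLOAD_DIR = r"C:\app\images"
# Constructed boundary for the sample request bodies.
BOUNDARY = "----ExampleBoundary7MA4YWxk"

_PARAM_RE = re.compile(rb'(\w+)="([^"]*)"')


@dataclass
class Part:
    name: str
    filename: Optional[str]
    data: bytes


def parse_multipart(body: bytes, boundary: str) -> list[Part]:
    """Split a multipart/form-data body into parts (enough for an upload check)."""
    delim = b"--" + boundary.encode()
    parts: list[Part] = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        name, filename = "", None
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                params = dict(_PARAM_RE.findall(line))
                name = params.get(b"name", b"").decode("latin-1")
                if b"filename" in params:
                    filename = params[b"filename"].decode("latin-1")
        parts.append(Part(name, filename, data))
    return parts


def unsafe_target_path(client_filename: str) -> str:
    """Where an endpoint that trusts the client filename ends up writing."""
    # normpath collapses "..\" as the Windows file API would, so traversal
    # sequences in the filename walk out of UPLOAD_DIR.
    return ntpath.normpath(ntpath.join(UPLOAD_DIR, client_filename))


def safe_upload_name(client_filename: str) -> Optional[str]:
    """Reduce the client filename to a vetted basename, or None to reject."""
    # 1. Discard any directory component, under both separator styles.
    base = ntpath.basename(client_filename.replace("/", "\\"))
    # 2. Reject empty/dot names, NUL bytes, NTFS stream syntax ("a.png:x.asp")
    #    and trailing dots/spaces, which NTFS strips and which hide the real extension.
    if not base or base in (".", "..") or "\x00" in base or ":" in base:
        return None
    if base != base.rstrip(". "):
        return None
    # 3. Allow-list the extension taken from the last dot.
    if ntpath.splitext(base)[1].lower() not in ALLOWED_IMAGE_EXTENSIONS:
        return None
    return base


def safe_target_path(client_filename: str) -> Optional[str]:
    """Final write path for an accepted upload, or None when rejected."""
    name = safe_upload_name(client_filename)
    if name is None:
        return None
    target = ntpath.normpath(ntpath.join(UPLOAD_DIR, name))
    # Defence in depth: the resolved path must still sit under UPLOAD_DIR.
    if ntpath.commonpath([UPLOAD_DIR, target]) != ntpath.normpath(UPLOAD_DIR):
        return None
    return target


def build_upload_request(filename: str, content: bytes) -> bytes:
    """Construct a one-part multipart/form-data body of the shape the advisory describes."""
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()


def inspect_upload(body: bytes) -> dict:
    """Map each file part's filename to (path a trusting endpoint writes, vetted path or None)."""
    results = {}
    for part in parse_multipart(body, BOUNDARY):
        if part.filename is not None:
            results[part.filename] = (unsafe_target_path(part.filename),
                                      safe_target_path(part.filename))
    return results


if __name__ == "__main__":
    # Constructed samples: traversal + .asp, traversal + .png, benign, trailing dot, ADS.
    for fname in (r"..\..\shell.asp", "../../pic.png", "logo.png", "logo.png.", "a.png:x.asp"):
        for name, (trusting, vetted) in inspect_upload(build_upload_request(fname, b"<% %>")).items():
            print(f"{name!r}: trusting -> {trusting}  vetted -> {vetted}")
```

The vetted path is built from a basename the server chose to keep, never from the client's directory components, and the extension is allow-listed rather than deny-listed, so a new server-side handler (.aspx, .ashx, .cer and so on) cannot slip through the way a blocklist of ".asp" would allow. The trailing-dot and alternate-data-stream checks are Windows-specific; on a Linux upload handler they are harmless but unnecessary.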

Remediation

Users are advised to update to Kaseya KServer version 6.3.0.2 or later, where the vulnerability has been fixed by removing the uploadImage.asp endpoint altogether. Because the fix removes the endpoint rather than hardening it, a simple patch check is whether the server still serves uploadImage.asp: a server that does is unpatched.

Added: Jul 31, 2025, 4:54 PM
Updated: Jul 31, 2025, 4:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.3
threat: 9.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.