How the Kaseya VSA Zero Day Exploit Worked - TRUESEC Blog

This article explains the pre-auth remote code execution exploit against Kaseya VSA that was used in the recent REvil ransomware attack.

Click to view the original at blog.truesec.com

Hasnain says:

I don’t even know where to begin with this.

“The last two statements are where the interesting thing happens. In case the password equals row[password] the login will fail. However, in the case that all checks failed, it would default to an else clause that sets “loginOK” to true.

Because no password was provided in the request, the “password” variable would be NULL and loginOK would end up being true. When loginOK is set to true, the application sends the login session cookie and will eventually (if no other parameters are provided like in the attacker’s request) end up in an if clause that returns 302 redirect to the userPortal.”

Posted on 2021-07-15T04:54:44+0000
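
The fail-open shape described in the quoted passage, next to a deny-by-default version, as an added sketch that is not part of the original post and is not Kaseya's code. The record, the `agent_password` field and both function names are hypothetical; only the final two branches follow the quoted description.

```python
import hmac

# Constructed sample record; field names are assumptions, not Kaseya's schema.
ROW = {"agent_password": "constructed-agent-secret", "password": "constructed-user-secret"}


def login_fail_open(row, password):
    """Chain of checks whose final else grants access, as the quote describes."""
    if password == row["agent_password"]:   # hypothetical earlier check
        login_ok = True
    elif password == row["password"]:       # per the quote, this match fails the login
        login_ok = False
    else:
        login_ok = True                     # default branch: a missing password lands here
    return login_ok


def login_fail_closed(row, password):
    """Deny by default: success requires an explicit, positive match."""
    login_ok = False
    # A missing or empty credential is rejected before any comparison runs.
    if not isinstance(password, str) or not password:
        return login_ok
    # Constant-time comparison against the one accepted value (assumption).
    if hmac.compare_digest(password.encode(), row["agent_password"].encode()):
        login_ok = True
    return login_ok


if __name__ == "__main__":
    for candidate in (None, "wrong", ROW["password"], ROW["agent_password"]):
        print(repr(candidate),
              "fail-open:", login_fail_open(ROW, candidate),
              "fail-closed:", login_fail_closed(ROW, candidate))
```

In the first function every input that matches no check, including no password at all, is treated as a successful login; in the second, the same inputs leave `login_ok` at its initial `False`.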