Ramblings about Python, C#, security, cryptography, and more.
May 25, 2019 | SQL Injection vulnerability found in LDMS 10.0.1.168 Service Update 5 due to improper username sanitization.
A SQL injection vulnerability has been identified in the web API endpoint located at https://<coreserver>/landesk/managementsuite/core/provisioning.secure/ProvisioningSecure.asmx.
This vulnerability is present within the Provisioning.Secure.dll utilized by this API endpoint. If we decompile this DLL, the vulnerability can be clearly seen within two methods.
May 25, 2019 | Use of a hard-coded encryption key in LDMS 10.0.1.168 Service Update 5 may lead to full managed endpoint compromise
Multiple cryptographic vulnerabilities have been identified in the web API endpoint at http://<coreserver>/landesk/managementsuite/core/cmp.secure. These vulnerabilities compromise the at-rest security model of all data protected by this module, and could lead to unauthorized device decryption, credential disclosure, and full managed endpoint compromise.
This API endpoint is used for encryption of such sensitive information as FileVault credentials, administrative override credentials, Windows credent…
May 25, 2019 | Open directories in LDMS 10.0.1.168 Service Update 5 may lead to information disclosure and arbitrary code execution
By design, multiple directories on the LDMS core server are wide-open and globally readable via HTTP. For example, see the following web locations available on an LDMS core server:
While this is by design, it is a major architectural oversight. This design played an instrumental role in the discovery of many of these vulnerabilities, and allows for information disclosure and arbitrary code execution when paired wit…
May 25, 2019 | Improper access control and open directories in LDMS 10.0.1.168 Service Update 5 may lead to disclosure of administrator passwords
During an imaging task, the LANDesk provisioning subsystem creates a copy of each injected file in the globally readable network share \\<coreserver>\ldlogon\provisioning\config. This share is created during the LANDesk Management Core Server installation process, and the installer automatically sets the permissions such that "Everyone" can read from this directory.
Once the imaging task is finished, the file copies are usually removed. However, if an imaging task fails, the files are stored…
May 25, 2019 | A vulnerable web API endpoint in LDMS 10.0.1.168 Service Update 5 allows arbitrary file upload, which may lead to arbitrary remote code execution
When a LANDesk managed endpoint is reporting inventory and patch level information to the core server, it leverages a web API endpoint found at https://<coreserver>/upl/async_upload.asp. This endpoint does not properly sanitize user-provided values, which allows for an attacker to both control the uploaded file extension and the uploaded file location.
As this is an ASP.NET web page, we can simply open the file in a text editor to see the vulnerable code. I opened it using Notepad++ to take a look.
May 25, 2019 | Multiple vulnerabilities of varying severity have been identified in LDMS 10.0.1.168 Service Update 5
Feb. 14, 2020 | How I tracked an obscure error through a black box and back by leveraging Ghidra
Let's start things off right. For those of you who've ended up on this page searching for a solution to this issue, I won't make you read through this entire post to find it.
To resolve this issue, simply delete your passwords.conf files from the local folder within the affected apps and reconfigure those apps.
If you want to understand what makes this issue occur, and why deleting the passwords.conf file resolves the issue, please keep reading for the full breakdown.
Aug. 28, 2022 | Why I started this project, and a glimpse at where it's heading
Today marks the scheduled release of my commodity HSM package, and I'm up late in anticipation. It's the first of the many, many (seemingly disparate) tools I've needed to design before I could build G-Net, a pet project that I've been working on for a few years now. It's a small release for sure, but I'm really excited to finally have something to show for my time and effort.
A Unique Design to Solve Several Problems
Yesterday I received some feedback that it's not immedia…
Aug. 30, 2022 | Part 2 of: The Many "Whys" of G-Net
Well, I suppose the short version is...
The slightly longer version is: no really - Bluetooth, I swear! Bluetooth is a super cool, wildly underutilized bit of technological wizardry. Stay with me here, this is a fun story -
G-Net has a handful of Design Objectives that are set in stone (see: G-Net Project Sidebar). These are deliverables that I have a high degree of confidence in implementing successfully with this design. In addition to these Design Objectives, G-Net has a han…