Jeff's Blog

Ramblings about Python, C#, security, cryptography, and more.

[CVE-2019-12374] LANDesk Management Server - SQL Injection

May 25, 2019 | SQL Injection vulnerability found in LDMS 10.0.1.168 Service Update 5 due to improper username sanitization.

A SQL injection vulnerability has been identified in the web API endpoint located at https://<coreserver>/landesk/managementsuite/core/provisioning.secure/ProvisioningSecure.asmx.

This vulnerability is present within the Provisioning.Secure.dll utilized by this API endpoint. If we decompile this DLL, the vulnerability can be clearly seen within 2 methods.

  • Provisioning.Secure.ProvUserValidator.UsernameExists(string strUserName)
  • Provisioning.Secure.ProvUserValidator.GetUserIdn(string strUserName)

This…

[CVE-2019-12376] LANDesk Management Server - Hard-coded Encryption Key

May 25, 2019 | Use of a hard-coded encryption key in LDMS 10.0.1.168 Service Update 5 may lead to full managed endpoint compromise

Multiple cryptographic vulnerabilities have been identified in the web API endpoint at http://<coreserver>/landesk/managementsuite/core/cmp.secure. These vulnerabilities compromise the at-rest security model of all data protected by this module, and could lead to unauthorized device decryption, credential disclosure, and full managed endpoint compromise.

This API endpoint is used for encryption of such sensitive information as filevault credentials, administrative override credentials, Windows credent…

[CVE-2019-12375] LANDesk Management Server - Open Directories

May 25, 2019 | Open directories in LDMS 10.0.1.168 Service Update 5 may lead to information disclosure and arbitrary code execution

By design, multiple directories on the LDMS core server are wide-open and globally readable via HTTP. For example, see the following web locations available on an LDMS core server:

  • https://<coreserver>/ldlogon
  • https://<coreserver>/upl
  • https://<coreserver>/landesk

While this is by design, it is a major architectural oversight. This design played an instrumental role in the discovery of many of these vulnerabilities, and allows for information disclosure and arbitrary code execution when paired wit…

[CVE-2019-12373] LANDesk Management Server - Administrator Password Disclosure

May 25, 2019 | Improper access control and open directories in LDMS 10.0.1.168 Service Update 5 may lead to disclosure of administrator passwords

During an imaging task, the LANDesk provisioning subsystem creates a copy of each injected file in the globally readable network share \\<coreserver>\ldlogon\provisioning\config. This share is created during the LANDesk Management Core Server installation process, and the installer automatically sets the permissions such that "Everyone" can read from this directory.

Once the imaging task is finished, the file copies are usually removed. However, if an imaging task fails, the files are stored…

[CVE-2019-12377] LANDesk Management Server - Arbitrary File Upload

May 25, 2019 | A vulnerable web API endpoint in LDMS 10.0.1.168 Service Update 5 allows arbitrary file upload, which may lead to arbitrary remote code execution

When a LANDesk managed endpoint is reporting inventory and patch level information to the core server, it leverages a web API endpoint found at https://<coreserver>/upl/async_upload.asp. This endpoint does not properly sanitize user-provided values, which allows for an attacker to both control the uploaded file extension and the uploaded file location.

As this is an ASP.NET web page, we can simply open the file in a text editor to see the vulnerable code. I opened it using Notepad++ to take a look.

The…

LANDesk Management Server - Multiple Vulnerabilities

May 25, 2019 | Multiple vulnerabilities of varying severity have been identified in LDMS 10.0.1.168 Service Update 5

The vendor has been notified of these vulnerabilities. This version is no longer being actively developed (end of life 12/31/2018), so these vulnerabilities will not be patched. However, fixes will be released for supported versions where applicable. These vulnerabilities affect the following LDMS modules:

  • Managed endpoint security settings
  • Provisioning
  • Endpoint encryption / Mac file vault / Device Administration
  • Device Inventory / Vulnerability Management

These vulnerabilities range in severity from inconseque…

DIY Hacking Toolkit: What is a Shell?

May 29, 2019 | There's no sense in re-inventing the wheel. By analyzing the work of the brilliant minds who came before, we can expand on their efforts to build something that meets our requirements.

Why?

Not everyone who calls themselves a hacker understands how the tools they use actually work. Even fewer of those folks are capable of building their own functional toolkit. This is a recipe for failure. While it's possible to get pretty far using other people's tools, using only tools made by other people ensures you'll never be as good as someone who can build their own. How much more so if you don't take the time to actually understand how those tools really work.

In the interest of…

DIY Hacking Toolkit: Dissecting a TCP Bind Shell

May 30, 2019 | Before you go ahead and build your own shell, let's walk through one I've already written. That way you can avoid the same pitfalls I had to contend with.

I have a really bad habit of making an entirely new toolkit any time I need a single tool. A while back, I needed a shell for a pentest I was working on, and I went ahead and followed my usual pattern. I threw out everything I'd ever written and started with a fresh approach to the problem. I ended up building a new shell and a bunch of pivot utilities custom designed for the particular target I was attacking. It turned out pretty well, although it still has some drawbacks. We'll be analyzing …