CVE-2019-11604 Quest KACE Systems Management Appliance

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting

1. ADVISORY INFORMATION
=======================
Product:        Quest KACE Systems Management Appliance
Vendor URL:     www.quest.com
Type:           Cross-Site Scripting [CWE-79]
Date found:     2018-09-09
Date published: 2019-05-19
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            CVE-2019-11604

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
Quest KACE Systems Management Appliance 9.0 and below

4. INTRODUCTION
===============
The KACE Systems Management Appliance (SMA) helps you accomplish these goals
by automating complex administrative tasks and modernizing your unified endpoint
management approach. This makes it possible for you to inventory all hardware
and software, patch mission-critical applications and OS, reduce the risk of
breach, and assure software license compliance. So you're able to reduce systems
management complexity and safeguard your vulnerable endpoints.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The script "/service/kbot_service_notsoap.php" is vulnerable to an unauthenticated
reflected Cross-Site Scripting vulnerability when user-supplied input to the
HTTP GET parameter "METHOD" is processed by the web application. Since the
application does not properly validate and sanitize this parameter, it is
possible to place arbitrary script code onto the same page.

The following Proof-of-Concept triggers this vulnerability:
https://127.0.0.1/service/kbot_service_notsoap.php?METHOD=&lt;script>alert(document.domain)</script>

6. RISK
=======
To successfully exploit this vulnerability an unauthenticated or authenticated
user must be tricked into visiting an arbitrary website.

The vulnerability can be used to temporarily embed arbitrary script code into the
context of the appliance web interface, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on the
page or attacking the browser and its plugins. Since all session-relevant cookies
are protected by HTTPOnly, it is not possible to hijack sessions.

7. SOLUTION
===========
Update to Quest KACE Systems Management Appliance 9.1

8. REPORT TIMELINE
==================
2018-09-09: Discovery of the vulnerability
2019-02-28: Tried to notify vendor via their vulnerability report form
            but unfortunately the WAF protecting the form blocked the
            Proof-of-Concept payload
2019-02-28: Sent another notification without any payloads
2019-02-28: Vendor response
2019-03-01: Sent the exploit payload in a separate mail
2019-03-01: Vendor acknowledges the issue (tracked as K1-20409) which will
            be fixed in the 9.1 release (released on 2019/04/15)
2019-03-01: Vendor asks to delay the disclosure to make sure all customers
            had time to upgrade
2019-03-13: Requested disclosure extension granted
2019-04-30: CVE requested from MITRE
2019-04-30: MITRE assigns CVE-2019-11604
2019-05-19: Public disclosure

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 XSS的更多相关文章

  1. 2019年第一天——使用Visual Studio 2019 Preview创建第一个ASP.Net Core3.0的App

    一.前言: 全文翻译自:https://www.talkingdotnet.com/creating-first-asp-net-core-3-0-app-visual-studio-2019/ Vi ...

  2. CVE 2019 0708 安装重启之后 可能造成 手动IP地址丢失.

    1. 最近两天发现 更新了微软的CVE 2019-0708的补丁之后 之前设置的手动ip地址会变成 自动获取, 造成ip地址丢失.. 我昨天遇到两个, 今天同事又遇到一个.微软做补丁也不走心啊..

  3. nyoj 72-Financial Management (求和 ÷ 12.0)

    72-Financial Management 内存限制:64MB 时间限制:3000ms 特判: No 通过数:7 提交数:12 难度:1 题目描述: Larry graduated this ye ...

  4. 2019 vs 如何升级到.net core 3.0 版本

    写在前面 看到微软的官网都已经更新.NET CORE 3.0的版本了.发现自己的还是.NET CORE 2.1X 的版本. 那应该如果升级到.NET CORE 3.0 的版本呢? 思考 [1]首先,我 ...

  5. windows常用端口对应表

    端口概念 在网络技术中,端口(Port)大致有两种意思:一是物理意义上的端口,比如,ADSL Modem.集线器.交换机.路由器用于连接其他网络设备的接口,如RJ-45端口.SC端口等等.二是逻辑意义 ...

  6. port与大全portClose方法

    在网络技术,port(Port)通常,有两种含义:首先,物理意义port,例,ADSL Modem.枢纽.开关.路由器连接其他网络设备的接口,如RJ-45port.SCport等等.第二个是逻辑意义p ...

  7. port大全及port关闭方法

    在网络技术中,port(Port)大致有两种意思:一是物理意义上的port,比方,ADSL Modem.集线器.交换机.路由器用于连接其它网络设备的接口,如RJ-45port.SCport等等.二是逻 ...

  8. Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表

    Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表 列表如下 Port Protocol Network Service System Service System Servic ...

  9. Windows 端口和所提供的服务

    一 .端口大全 端口:0 服务:Reserved 说明:通常用于分析操作系统.这一方法能够工作是因为在一些系统中“0”是无效端口,当你试图使用通常的闭合端口连接它时将产生不同的结果.一种典型的扫描,使 ...

随机推荐

  1. shell编程系列25--shell操作数据库实战之备份MySQL数据,并通过FTP将其传输到远端主机

    shell编程系列25--shell操作数据库实战之备份MySQL数据,并通过FTP将其传输到远端主机 备份mysql中的库或者表 mysqldump 常用参数详解: -u 用户名 -p 密码 -h ...

  2. C/C++如何监测内存泄漏

    C/C++如何监测内存泄漏 C/C++内存泄漏及检测 内存溢出就是内存越界.内存越界有一种很常见的情况是调用栈溢出(即stackoverflow),虽然这种情况可以看成是栈内存不足的一种体现.例如:递 ...

  3. ROS tf-数据类型

    博客参考:https://www.ncnynl.com/archives/201702/1305.html ROS与C++入门教程-tf-数据类型 说明: 介绍roscpp的Data Types(数据 ...

  4. Flink FileSink 自定义输出路径——StreamingFileSink、BucketingSink 和 StreamingFileSink简单比较

    接上篇:Flink FileSink 自定义输出路径——BucketingSink 上篇使用BucketingSink 实现了自定义输出路径,现在来看看 StreamingFileSink( 据说是S ...

  5. DNS解析问题

    DNS解析问题,在/etc/resolv.conf文件中加如下一行: nameserver 8.8.8.8 即使用谷歌的域名服务器 如下问题都是DNS解析问题: apt-get update 异常 T ...

  6. C# .NET WINFORM MUTEX 互斥

    static class Program 里的全局变量: static System.Threading.Mutex appMutex; Main 方法里的内容: string exeName = & ...

  7. 未处理的异常:system.io.file load exception:无法加载文件或程序集“ 。。。。 找到的程序集的清单定义与程序集引用不匹配。

    问题描述: 添加控制器的时候,突然就报了这个错: Unhandled Exception: System.IO.FileLoadException: Could not load file or as ...

  8. JMC(Java Mission Control)在mac下无法启动和显示界面

    错误 `org.eclipse.swt.layout.griddata cannot be cast to org.eclipse.swt.layout.filldata` 解决 来源 注意 根据自己 ...

  9. 微服务Consul系列之服务部署、搭建、使用

    使用Consul解决了哪些问题 是否在为不同环境来维护不同项目配置而发愁 是否有因为配置的更改导致代码还要进行修改.发布因为客流量大了还要规避开高峰期等到半夜来发布 微服务架构下应用的分解业务系统与服 ...

  10. 2019年Java中高级面试题总结(8)

    116.什么时候使用访问者模式? 访问者模式用于解决在类的继承层次上增加操作,但是不直接与之关联.这种模式采用双派发的形式来增加中间层. 117.什么时候使用组合模式? 组合模式使用树结构来展示部分与 ...