CVE-2019-11604 Quest KACE Systems Management Appliance

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 kbot_service_notsoap.php METHOD Reflected Cross-Site Scripting

1. ADVISORY INFORMATION
=======================
Product:        Quest KACE Systems Management Appliance
Vendor URL:     www.quest.com
Type:           Cross-Site Scripting [CWE-79]
Date found:     2018-09-09
Date published: 2019-05-19
CVSSv3 Score:   4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
CVE:            CVE-2019-11604

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
Quest KACE Systems Management Appliance 9.0 and below

4. INTRODUCTION
===============
The KACE Systems Management Appliance (SMA) helps you accomplish these goals
by automating complex administrative tasks and modernizing your unified endpoint
management approach. This makes it possible for you to inventory all hardware
and software, patch mission-critical applications and OS, reduce the risk of
breach, and assure software license compliance. So you're able to reduce systems
management complexity and safeguard your vulnerable endpoints.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The script "/service/kbot_service_notsoap.php" is vulnerable to an unauthenticated
reflected Cross-Site Scripting vulnerability when user-supplied input to the
HTTP GET parameter "METHOD" is processed by the web application. Since the
application does not properly validate and sanitize this parameter, it is
possible to place arbitrary script code onto the same page.

The following Proof-of-Concept triggers this vulnerability:
https://127.0.0.1/service/kbot_service_notsoap.php?METHOD=&lt;script>alert(document.domain)</script>

6. RISK
=======
To successfully exploit this vulnerability an unauthenticated or authenticated
user must be tricked into visiting an arbitrary website.

The vulnerability can be used to temporarily embed arbitrary script code into the
context of the appliance web interface, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on the
page or attacking the browser and its plugins. Since all session-relevant cookies
are protected by HTTPOnly, it is not possible to hijack sessions.

7. SOLUTION
===========
Update to Quest KACE Systems Management Appliance 9.1

8. REPORT TIMELINE
==================
2018-09-09: Discovery of the vulnerability
2019-02-28: Tried to notify vendor via their vulnerability report form
            but unfortunately the WAF protecting the form blocked the
            Proof-of-Concept payload
2019-02-28: Sent another notification without any payloads
2019-02-28: Vendor response
2019-03-01: Sent the exploit payload in a separate mail
2019-03-01: Vendor acknowledges the issue (tracked as K1-20409) which will
            be fixed in the 9.1 release (released on 2019/04/15)
2019-03-01: Vendor asks to delay the disclosure to make sure all customers
            had time to upgrade
2019-03-13: Requested disclosure extension granted
2019-04-30: CVE requested from MITRE
2019-04-30: MITRE assigns CVE-2019-11604
2019-05-19: Public disclosure

CVE-2019-11604 Quest KACE Systems Management Appliance <= 9.0 XSS的更多相关文章

  1. 2019年第一天——使用Visual Studio 2019 Preview创建第一个ASP.Net Core3.0的App

    一.前言: 全文翻译自:https://www.talkingdotnet.com/creating-first-asp-net-core-3-0-app-visual-studio-2019/ Vi ...

  2. CVE 2019 0708 安装重启之后 可能造成 手动IP地址丢失.

    1. 最近两天发现 更新了微软的CVE 2019-0708的补丁之后 之前设置的手动ip地址会变成 自动获取, 造成ip地址丢失.. 我昨天遇到两个, 今天同事又遇到一个.微软做补丁也不走心啊..

  3. nyoj 72-Financial Management (求和 ÷ 12.0)

    72-Financial Management 内存限制:64MB 时间限制:3000ms 特判: No 通过数:7 提交数:12 难度:1 题目描述: Larry graduated this ye ...

  4. 2019 vs 如何升级到.net core 3.0 版本

    写在前面 看到微软的官网都已经更新.NET CORE 3.0的版本了.发现自己的还是.NET CORE 2.1X 的版本. 那应该如果升级到.NET CORE 3.0 的版本呢? 思考 [1]首先,我 ...

  5. windows常用端口对应表

    端口概念 在网络技术中,端口(Port)大致有两种意思:一是物理意义上的端口,比如,ADSL Modem.集线器.交换机.路由器用于连接其他网络设备的接口,如RJ-45端口.SC端口等等.二是逻辑意义 ...

  6. port与大全portClose方法

    在网络技术,port(Port)通常,有两种含义:首先,物理意义port,例,ADSL Modem.枢纽.开关.路由器连接其他网络设备的接口,如RJ-45port.SCport等等.第二个是逻辑意义p ...

  7. port大全及port关闭方法

    在网络技术中,port(Port)大致有两种意思:一是物理意义上的port,比方,ADSL Modem.集线器.交换机.路由器用于连接其它网络设备的接口,如RJ-45port.SCport等等.二是逻 ...

  8. Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表

    Windows操作系统上各种服务使用的端口号, 以及它们使用的协议的列表 列表如下 Port Protocol Network Service System Service System Servic ...

  9. Windows 端口和所提供的服务

    一 .端口大全 端口:0 服务:Reserved 说明:通常用于分析操作系统.这一方法能够工作是因为在一些系统中“0”是无效端口,当你试图使用通常的闭合端口连接它时将产生不同的结果.一种典型的扫描,使 ...

随机推荐

  1. Flutter中的Container和Text组件的常用属性

    效果图: import 'package:flutter/material.dart'; void main() { runApp(MyApp()); } class MyApp extends St ...

  2. 使用Maven完成SSM框架整合环境构建——基于Spring4和Mybatis3

    只言片语 使用Maven来搭建一个SSM环境,其实和使用手工倒入jar的过程没有多大区别,所用的jar包都是一样的,但是区别在与不用你手动导入jar包了,而是只修改pom.xml,maven会自动根据 ...

  3. visual studio code 调试ROS的插件

    ctrl+p搜索: ext install ros https://marketplace.visualstudio.com/items?itemName=ajshort.ros 进行安装 其他可以调 ...

  4. Kafka运维大全来了!优化、监控、故障处理

    Kafka运维大全来了!优化.监控.故障处理……   Kafka概念 Kafka是分布式发布-订阅消息系统.它最初由LinkedIn公司开发,之后成为Apache项目的一部分.Kafka是一个分布式的 ...

  5. CF1281B Azamon Web Services

    思路: 贪心,找到将s至多交换一次所能得到的字典序最小的字符串,再与c比较. 实现: #include <bits/stdc++.h> using namespace std; int m ...

  6. 【GStreamer开发】GStreamer基础教程06——媒体格式和pad的Capabilities

    目标       Pad的Capabilities是一个GStreamer element的基础,因为framework大部分时间是自动处理的,所以我们几乎感觉不到它的存在.本教程比较偏向原理,介绍了 ...

  7. Mac下安装VirtualBox并在VirtualBox中安装CentOS7

    VirtualBox (百科)VirtualBox 是一款开源虚拟机软件.VirtualBox 是由德国 Innotek 公司开发,由Sun Microsystems公司Sun Microsystem ...

  8. Linux下安装redis以及常用命令

    https://blog.csdn.net/zgf19930504/article/details/51850594 安装: 1.获取redis资源 wget http://download.redi ...

  9. 捕捉AVPlayerViewController 系统原生工具栏的出现、隐藏事件

    需求前提 1. app内轻量级的视频播放功能,故不希望引入“过度开发.过度封装”的第三方控件组,使用原生的AVPlayerViewController 2. 工具栏有新增控件需求,如下载按钮 等 3. ...

  10. Linux题库练习

    转一个Linux的题库供自己学习使用(滑稽) 转自:http://www.linuxdiyf.com/view_202485.html 选择题1 在终端下输入mount -a命令的作用是:CA 强制进 ...