Title: ====== Dell Kace 1000 SMA 5.4.742 - SQL Injection Vulnerabilities Date: ===== 2013-07-22 References: =========== http://www.vulnerability-lab.com/get_content.php?id=832 VL-ID: ===== 832 Common Vulnerability Scoring System: ==================================== 7.5 Introduction: ============= Dell KACE is to provide an appliance-based approach to systems management, to create time for systems administration professionals, while saving money for their companies. Dell KACE Systems Management Appliances are available as both physical and virtual appliances. The KACE Management Appliance delivers a fully integrated systems management solution, unlike traditional software approaches that can require complex and time-consuming deployment and maintenance. KACE accomplishes this via an extremely flexible, intelligent appliance-based architecture that typically deploys in days and is self maintaining. The KACE Management Appliance also provides direct access to time-saving ITNinja systems management community information using AppDeploy Live, the leading destination for end point administrators. The result: Comprehensive systems management that is easy-to-use and that can be more economical than software only alternatives. Read more in the white paper KACE K1000 Management Appliance Architecture: Harnessing the Power of an Appliance-based Architecture. The KACE Management Appliance is designed for enterprises and business units with up to 20,000 nodes. (Copy of the Vendor Homepage: http://www.kace.com/products/systems-management-appliance ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerabilities in Dell Kace K1000, Systems Management Appliance. Report-Timeline: ================ 2013-01-24: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed) 2013-02-06: Vendor Notification (Dell Security Team) 2013-02-08: Vendor Response/Feedback (Dell Security Team) 2013-**-**: Vendor Fix/Patch (Dell Security Team) 2013-07-22: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== DELL Product: Kace K1000 SMA 5.4.70402 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== Multiple SQL Injection vulnerabilities are detected in the Dell Kace K1000, Systems Management Appliance Application. A SQL Injection vulnerability allows an attacker (remote) to execute/inject SQL commands in the affected application dbms. The sql injection vulnerabilities are located in the history_log.php, service.php, software.php, settings_network_scan.php, asset.php, asset_type.php, metering.php and mi.php files. All files are located in the adminui. A remote attacker is able to inject own sql commands when processing to request the vulnerable TYPE_ID and ID parameters. Exploitation of the sql injection vulnerabilities requires no or a low privilege application user account and no user interaction. Successful exploitation of the vulnerability results in database management system & application compromise via remote sql injection attack. Vulnerable Module(s): [+] adminui Vulnerable File(s): [+] history_log.php [+] service.php [+] software.php [+] settings_network_scan.php [+] asset.php [+] asset_type.php [+] metering.php [+] mi.php [+] replshare.php [+] kbot.php Vulnerable Parameter(s): [+] TYPE_ID [+] ID Proof of Concept: ================= The SQL injection vulnerabilities can be exploited by remote attackers without privileged application user account and without required user interaction. For demonstration or reproduce ... 1.1 PoC: https://pub37.,2,3,4,5,6,version%28%29,8,9,10,11,12--%20- 1.2 PoC: https://pub37.,2,3,4,5,version(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--%20- 1.3 https://pub37.[SQL-INJECTION!]-- Exploit: Dell Kace 1000 SMA v5.4.70402 - SQL Injection Exploit