Vulnerabilities > CVE-2019-10068 - Deserialization of Untrusted Data vulnerability in Kentico

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
kentico
CWE-502
metasploit

Summary

An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.

Vulnerable Configurations

Part Description Count
Application
Kentico
489

Common Weakness Enumeration (CWE)

Metasploit

descriptionThis module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier. Remote Command Execution is possible via unauthenticated XML requests to the Staging Service SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. XML input is passed to an insecure .NET deserialize call which allows for remote command execution.
idMSF:EXPLOIT/WINDOWS/HTTP/KENTICO_STAGING_SYNCSERVER
last seen2020-06-14
modified2020-05-04
published2020-03-22
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/kentico_staging_syncserver.rb
titleKentico CMS Staging SyncServer Unserialize Remote Command Execution

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/157588/kentico_staging_syncserver.rb.txt
idPACKETSTORM:157588
last seen2020-05-09
published2020-05-06
reporteraushack
sourcehttps://packetstormsecurity.com/files/157588/Kentico-CMS-12.0.14-Remote-Command-Execution.html
titleKentico CMS 12.0.14 Remote Command Execution