Full Report
Microsoft Configuration Manager (MCM) is Microsoft's systems management software: it manages computers through remote control, patch management, and similar features. If you find a bug in it, it's a really bad day for the administrators who use it! Requests to this server are made over HTTP. While reverse engineering LocationMgr.dll, the researchers found that some of the supplied input was not being properly sanitized. In what way? In a SQL query! The content is XML that is zlib-compressed. The input used for exploitation is a user GUID. The author wrote a nice Python script that makes exploitation a simple web request. Using the SQL injection, it's possible to create a new user account and set its role on the database. Deployment information can then be changed to execute arbitrary commands on all linked systems, and bash commands can be run via SQL on the server itself. They found a second, very similar SQL injection vulnerability as well. Somewhere, somehow, you have to put in the effort. Sometimes it's a crazy vulnerability; other times it's reverse engineering. You gotta put the work in, or the bug you're looking for has already been found.
Analysis Summary
# Vulnerability: Unauthenticated SQL Injection in Microsoft Configuration Manager (ConfigMgr)
## CVE Details
- CVE ID: CVE-2024-43468
- CVSS Score: Critical (specific score not provided; described as leading to RCE and sysadmin takeover, which implies a very high score)
- CWE: Injection (specific CWE not provided, but the flaw is clearly SQL Injection)
## Affected Systems
- Products: Microsoft Configuration Manager (ConfigMgr/MCM/SCCM)
- Versions: 2403, 2309, and 2303
- Configurations: Any system running the affected versions hosting the Management Point (MP) service, as the attack occurs over HTTP requests to the `/ccm_system/request` endpoint.
## Vulnerability Description
Two distinct unauthenticated SQL Injection vulnerabilities were discovered within the `LocationMgr.dll` library, which handles client messages sent to the Management Point (MP) service over HTTP. Specifically, the functions `CHandleLocationRequest::getMachineID` and `CHandleLocationRequest::getContentID` fail to properly sanitize user-controlled input (User GUID/MachineID and ContentID, respectively) before using it to construct and execute SQL queries against the site database. Because the SMS service account executing these procedures holds the `sysadmin` role on the database, an attacker can execute arbitrary SQL queries with maximum privileges. This allows for user creation, role modification, and enabling of procedures like `xp_cmdshell` to achieve Remote Code Execution (RCE) on the server hosting the site database. The input payload is delivered via XML encapsulated within a Zlib-compressed/Unicode-encoded message body.
## Exploitation
- Status: PoC available
- Complexity: Low (Unauthenticated, simple web request script provided)
- Attack Vector: Network
## Impact
- Confidentiality: High (Access to all site data possible via SQL execution)
- Integrity: High (Ability to change configurations, create privileged users, and execute arbitrary commands)
- Availability: High (Ability to disrupt services or execute commands leading to system downtime)
## Remediation
### Patches
- Microsoft released a fix (KB29166583) after an initial hotfix was revoked and republished. Consult Microsoft's documentation for the latest integrated update for the affected versions (2403, 2309, 2303).
### Workarounds
- No specific workarounds were detailed in the summary. Until patching is complete, restricting network access to the MP endpoints and ensuring that only correctly configured, trusted clients can reach them is a reasonable starting point.
## Detection
- **Indicators of Compromise (IoCs):** Look for unusual database logins created (e.g., `poc_sqli_machineid`), execution of high-privilege SQL commands, or the enabling of `xp_cmdshell`.
- **Detection Methods and Tools:** Intrusion Detection Systems (IDS) or Web Application Firewalls (WAFs) should be configured to inspect payloads directed at the `/ccm_system/request` endpoint for known SQL injection patterns, especially suspicious content within the Zlib-compressed XML body. Database query monitoring should look for the mentioned stored procedures being called with unexpected or dynamic input.
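The following is an added example (not code from the advisory or the PoC) of the database-side check described above, applied to request bodies in the wire format the summary describes: zlib-compressed, Unicode-encoded XML. It inflates a captured body, walks every element and attribute, and flags identifier fields whose value does not match a strict allow-list, so a GUID field carrying quotes or comment markers is reported before it reaches the database. The element names (`ClientID`, `MachineID`, `ContentID`), the `GUID:` prefix and the UTF-16 encoding are assumptions, not taken from the ConfigMgr schema, and the sample messages are constructed.

```python
import re
import zlib
import xml.etree.ElementTree as ET

# Strict allow-list for GUID-shaped identifiers (the "GUID:" prefix is an assumption).
GUID_RE = re.compile(r"^(GUID:)?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# Conservative allow-list for other identifier fields: no quotes, spaces or comment markers.
TOKEN_RE = re.compile(r"^[A-Za-z0-9:_.\-]+$")
# Field names are assumptions; the real schema may use different element/attribute names.
GUID_FIELDS = {"clientid", "machineid", "guid"}
TOKEN_FIELDS = {"contentid"}

def decode_body(raw: bytes) -> str:
    """Inflate a zlib-compressed request body and decode the XML text.
    UTF-16 is assumed when a BOM or NUL padding is seen; otherwise UTF-8."""
    data = zlib.decompress(raw)
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    if b"\x00" in data[:4]:
        return data.decode("utf-16-le")
    return data.decode("utf-8")

def find_suspicious_ids(raw: bytes) -> list[tuple[str, str]]:
    """Return (field, value) pairs whose value fails the allow-list for that field."""
    root = ET.fromstring(decode_body(raw))
    findings = []
    for elem in root.iter():
        # Check both element text and attributes, ignoring any XML namespace prefix.
        pairs = [(elem.tag, elem.text or "")] + list(elem.attrib.items())
        for name, value in pairs:
            field = name.rsplit("}", 1)[-1].lower()
            value = value.strip()
            if not value:
                continue
            if field in GUID_FIELDS and not GUID_RE.match(value):
                findings.append((field, value))
            elif field in TOKEN_FIELDS and not TOKEN_RE.match(value):
                findings.append((field, value))
    return findings

def encode_body(xml_text: str) -> bytes:
    """Build a body in the assumed wire format (UTF-16 XML, zlib-compressed) for testing."""
    return zlib.compress(xml_text.encode("utf-16"))

# Constructed sample messages; the element names are assumed, not taken from ConfigMgr.
GOOD_XML = ("<Request><ClientID>GUID:0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9</ClientID>"
            "<ContentID>Content_3f2b1a</ContentID></Request>")
BAD_XML = "<Request><ClientID>GUID:0A1B2C3D'--</ClientID></Request>"

if __name__ == "__main__":
    print(find_suspicious_ids(encode_body(GOOD_XML)))  # []
    print(find_suspicious_ids(encode_body(BAD_XML)))   # [('clientid', "GUID:0A1B2C3D'--")]
```

The same allow-list check belongs in the MP request handler itself; as a WAF or IDS rule it only helps if the inspection point inflates the body before matching.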
## References
- Vendor Advisory: Microsoft Update Guide for CVE-2024-43468
- PoC Code Location: hXXps://github.com/synacktiv/CVE-2024-43468
- Advisory Source: hXXps://www.synacktiv.com/en/advisories/microsoft-configuration-manager-configmgr-2403-unauthenticated-sql-injections