7 Replies Latest reply on May 27, 2016 3:52 AM by phoffmann

    LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?

    turboduck Rookie

      Hello.

      We use LDMS 9.6 SP2 and have a problem with its integration through MBSDK with another service.

      There is an account in LDMS which has rights to a specific group of devices for software distribution installation. The service creates a job to add the device.

      The problem is with working out the task "AddDeviceToScheduledTask" from MBSDK.

      We specify the Task ID in the task field and the device name in the device name field.

      After that, IIS on the LDMS server crashes (repeat 5 times and the app pool in IIS is stopped).

      If instead we enter the device number (e.g. 24), the machine with ID 24 (by ID, not by name!) is added to the job.

      Once the device has been added by ID, we can again try to type in the name. Then it repeats again: IIS crashes.

      And a very scary moment: despite the fact that the user only has rights to a certain group of machines, through MBSDK he can specify any device ID to add it to the job. That is, for example, if you specify 1, we thereby add the core server to the job. I think it's a security issue.

      What can be done?


      Our System:

      LDMS 9.6 SP2, Windows Server 2012R2.

      Log #1:

      Faulting application name: w3wp.exe, version: 8.5.9600.16384, time stamp: 0x5215df96

      Faulting module name: KERNELBASE.dll, version: 6.3.9600.18202, time stamp: 0x569e7eb1

      Exception code: 0xe0434352

      Fault offset: 0x0000000000008a5c

      Faulting process id: 0x6618

      Faulting application start time: 0x01d193eb6c661994

      Faulting application path: c:\windows\system32\inetsrv\w3wp.exe

      Faulting module path: C:\Windows\system32\KERNELBASE.dll

      Report Id: 4162be28-fff2-11e5-80c7-005056b73c84

      Faulting package full name:

      Screenshots are attached.

      Thanks!

      P.S. In 9.5 SP2, IIS works perfectly after adding a device to a task.
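An added illustration of the authorization pattern the post describes (this is not LANDESK code and not the MBSDK's real implementation, which the thread does not show): a scope check that is enforced on the device-name path but skipped when a raw device ID is supplied, beside a version that authorizes on the resolved ID in both cases. Inventory, scope and device names are constructed.

```python
from dataclasses import dataclass

# Constructed inventory (device ID -> name); ID 1 is the core server, as in the post.
INVENTORY = {1: "CORE", 24: "WS-024", 25: "WS-025"}

@dataclass
class Caller:
    name: str
    scope: set          # device IDs the caller's RBA scope allows

def resolve_name(device_name):
    """Return the device ID for a name, or None if the name is unknown."""
    for dev_id, name in INVENTORY.items():
        if name == device_name:
            return dev_id
    return None

def add_device_vulnerable(caller, task_devices, target):
    """Pattern behind the reported bug: the scope check sits on the name
    path only, so a numeric ID is trusted exactly as the caller supplied it."""
    if isinstance(target, int):
        dev_id = target                          # no scope check on this path
    else:
        dev_id = resolve_name(target)
        if dev_id is None or dev_id not in caller.scope:
            raise PermissionError("device not in caller scope")
    task_devices.add(dev_id)
    return dev_id

def add_device_hardened(caller, task_devices, target):
    """Both lookups funnel into one decision made on the resolved ID, so a
    caller passing an ID gets the same scope enforcement as one passing a name."""
    dev_id = target if isinstance(target, int) else resolve_name(target)
    if dev_id not in INVENTORY or dev_id not in caller.scope:
        # one error for 'unknown' and 'out of scope', so IDs cannot be enumerated
        raise PermissionError("device not found or not in caller scope")
    task_devices.add(dev_id)
    return dev_id

def demo():
    """A scoped service account adds the core server (ID 1) by ID."""
    caller = Caller("svc-deploy", scope={24, 25})
    leaked = add_device_vulnerable(caller, set(), 1)      # succeeds: the bug
    try:
        add_device_hardened(caller, set(), 1)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked                                 # (1, True)
```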

        • 1. Re: LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?
          phoffmann SupportEmployee

          Hi there,


          I can't say I've seen this myself, and I do reasonably frequently run into / work with MBSDK calls.


          The MBSDK calls automatically make use of scopes and RBA rights/limitations of the user that you're authenticating to the MBSDK with - so from that side, it absolutely shouldn't be possible to add a device that's out of scope.

          (For me, since I usually deal with "new device JUST added to inventory - go kick off a task / provisioning / whatever on it" I tend to give my process users the "All devices" scope for that reason, so I don't need to re-resolve scopes, but limit them to "just the minimum of what they need" from a rights perspective).

          If the steps you take can be duplicated on another system (so - your own dev / test environment) - then that'd be definitely a bug which should be reported through to support. Once we've got things duplicated in-house, we can also check whether any of the MBSDK updates we've been working on may potentially already address the issue.


          The point on "sanity checking" against another system is to make sure that you're not tripping over something environmental (stuff like "mapped drives" screws up NT-authentication something fierce, for instance) - I'll check what you're reporting here, but suggest you cross-check against a 2nd environment of your own. It's possible the problem is localised to "that one core" - in which case you'll want to examine what's possibly going on with the NT-authentication stuff (as hinted above, items of "convenience" such as mapped drives can mess things up for you as a common example).


          Those MBSDK updates & fixes should become available in a / the April BASE component patch, when they'll get built / finalised - but we might be able to test against early / alpha builds to check up on this specific issue.


          [I admit to being particularly surprised that you're having specifically problems / issues with the "AddDeviceToScheduledTask" call, as that's one of my go-to places ... I've not tried using IDN-s through it ...] ... device names (i.e. "BOBSPC") work fine for me. I'll try using an IDN and then specifically an "out of scope" IDN for my user ...


          =====================


          OK - I think I've figured out what's causing this. I can enter a defect, but you'll still need to open a case with LD support, (referencing that defect) so that you can get yourself "subscribed" to that defect, and - respectively - get notified when a patch will be available, and such. I'll just make the road "getting there" a little smoother.


          Gimme a few minutes ...

          • 2. Re: LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?
            phoffmann SupportEmployee

            OK - so a few small updates.


            • Turns out what I thought was causing the issue - doesn't ... which is annoying, as it needs additional root causing, but at least I've got this duplicated & the defect is filed.
            • For your reference, the defect reference is "308035".


            So - please open up a call with your regional LD support, and get them to add you to the defect I've filed. Shouldn't be a lot to it, as I've done most of the necessary trailblazing as it were. Support will then keep you posted about when we'll have a patch for this, and all the usual stuff.


            Thanks for letting us know.


            Hope this helps.

            - Paul Hoffmann


            [EDIT:]

            Haven't seen / can't duplicate your other IIS related problems. You may want to "cross check" against a dev/test system of yours - could be anything from "environmental GPOs causing you grief" to file mismatches, new/different .NET versions or so. Once you have a "healthy" setup within easy reach to compare your Core against, that should help narrow down the IIS stuff you're seeing.

            • 3. Re: LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?
              turboduck Rookie

              Hi!

              Thanks for the answer.

              The IIS problem I cannot solve. The framework is the original one (the one that came with the OS). How do I know whether it can cause the problem with IIS crashing?

              Yes, I want to add: when using MBSDK to add machines to the job, if the machine ID is specified instead of the name, IIS does not break.

              And there is no problem if I add machines to the job by name from my account. If I add from the special account (it has the right to Deploy), then IIS crashes.

              • 4. Re: LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?
                turboduck Rookie

                Update.

                In the role for the account, I did not specify rights for certain groups of devices (scopes) but set ALL DEVICES, and the problem was gone. It remains to understand why IIS crashes if the rights are not for ALL DEVICES but for certain scopes.

                • 5. Re: LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?
                  phoffmann SupportEmployee

                  Can't duplicate the problem around adding a device to a software task - even with a user who has a limited scope.


                  I'm more than a bit surprised that in your environment the change from "all devices" to "some limited scope" causes the whole of IIS to come crashing down. I could just about follow the app-pool running into issues, but to take IIS down is pretty unusual.


                  Anyway - I can't duplicate it - so I suggest you cross-check against a reference / dev environment on your side & see if the behaviour duplicates there. Could be some weird domain rule going on (it's a blind guess, but I've seen GPO's cause the weirdest things over the years) for instance. If - on the other hand - it works on the separate system, then you've got something locally available to compare against.

                  • 6. Re: LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?
                    turboduck Rookie

                    Excuse me. To clarify: the "LDAppWeb" pool crashes.

                    [Attached screenshot: ldapp.png]

                    • 7. Re: LDMS 9.6 SP2, MBSDK service hangs up IIS and potential security bug?
                      phoffmann SupportEmployee

                      Yeah - that part makes perfect sense from a logical perspective, based on what you've been describing. Here - look at what that application pool hosts (right-click on the application pool).

                      [Attached screenshot: AppPool-1.jpg]

                      And as a result you get something like this:

                      [Attached screenshot: AppPool-2.jpg]


                      ... since your Core has some odd problem with the MBSDK (as I said, I've checked multiple Cores & none of them bring IIS crashing down), it's why I suggested to you to test against a clean / separate Core for yourself. I don't / can't get that IIS application pool crashing problem to occur - which is why I have said that there might be something iffy with your core & suggested you do a sanity check on a separate system.


                      You could get more information by troubleshooting some of the IIS side of things perhaps - www-services running into various HTTP error codes is fine - but taking down an application pool (IIS's approach to "containerisation" essentially) is not a simple feat these days (and not something I've seen us do in years).