CVE-2017-6553
Published 2017-04-29
Priority: P2 · 69 · critical · 9.8 (CVSS 3.0) · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 42.29% (98.5th percentile)

Buffer Overflow in Quest One Identity Privilege Manager for Unix before 6.0.0.061 allows remote attackers to obtain full access to the policy server via an ACT_ALERT_EVENT request that causes memory corruption in the pmmasterd daemon.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | privilege_manager_for_unix | <= 6.0.0-50 | — |
Detection & IOCs (extracted from sources)

Byte patterns:
- PingE4.6 .0.0.27 (request body prefix for AES-encrypted exploit trigger)
- Packet header: 0x0000026c (big-endian 4 bytes) followed by 0x00000700 0x00000700 then 68 null bytes (x64 trigger)

Detection guidance:
- Monitor for inbound connections to TCP port 12345 (pmmasterd default port) originating from privileged source ports (<=1024), as the daemon refuses connections from unprivileged ports and the exploit requires binding a privileged source port.
- For x86 targets, the exploit sends a packet with header bytes 0x0000026c / 0x00000108 / 0x000000cc; detect this distinct header pattern on TCP/12345 as an indicator of x86-targeted exploitation.
- Versions up to 6.0.0-50 are vulnerable; prioritize detection and patching on hosts running pmmasterd configured as a policy server for Privilege Manager for Unix or Quest Sudo Plugin.

Caveats:
- The exploit body prefix 'PingE4' is specific to AES encryption mode (default). If the target is configured to use DES encryption instead, the prefix byte changes from E4 to E2, altering the detection signature.
- The Metasploit module only reliably exploits version 6.0.0-27; versions 6.0.0-28 through 6.0.0-50 are also vulnerable but require an additional stack cookie bypass not implemented in this module.
- The ROP chains embedded in the exploit are hardcoded for pmmasterd 6.0.0-27 compiled without -fPIE; they will not work against ASLR/PIE-enabled builds or other versions.
- The vulnerability is only triggerable when the target host is configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin); non-policy-server deployments are not affected.
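Detection logic for the indicators above, as an added example that is not part of this page or of any vendor or Metasploit code: it matches one captured client-to-server TCP segment against the header patterns, the body-prefix variants and the privileged-source-port precondition. The port number and byte values are taken from the notes; the sample segments are constructed, and the code assumes the body follows the header, so the prefix is searched across the whole payload.

```python
import struct

# Values below come from the page's Detection & IOCs notes; the packet
# samples further down are constructed for this example.
PMMASTERD_PORT = 12345      # default pmmasterd listening port
PRIVILEGED_PORT_MAX = 1024  # daemon refuses sources above this port

# Header words as big-endian 32-bit integers.
X86_HEADER = struct.pack(">III", 0x0000026C, 0x00000108, 0x000000CC)
X64_HEADER = struct.pack(">III", 0x0000026C, 0x00000700, 0x00000700) + b"\x00" * 68
# Body prefix depends on the server's configured encryption mode.
BODY_PREFIXES = {b"PingE4": "aes", b"PingE2": "des"}


def classify_segment(src_port: int, dst_port: int, payload: bytes) -> dict:
    """Match one client-to-server TCP segment against the page's indicators."""
    result = {"port_match": False, "privileged_source": False,
              "arch": None, "body_prefix": None}
    if dst_port != PMMASTERD_PORT:
        return result
    result["port_match"] = True
    # A source port <= 1024 is a precondition, not evidence by itself:
    # legitimate clients must use one too, since pmmasterd rejects the rest.
    result["privileged_source"] = src_port <= PRIVILEGED_PORT_MAX
    if payload.startswith(X64_HEADER):
        result["arch"] = "x64"
    elif payload.startswith(X86_HEADER):
        result["arch"] = "x86"
    # Assumption: the body follows the header, so search the whole payload.
    for prefix, mode in BODY_PREFIXES.items():
        if prefix in payload:
            result["body_prefix"] = mode
            break
    return result


def is_suspicious(src_port: int, dst_port: int, payload: bytes) -> bool:
    """Alert only when the port precondition and a byte indicator both hold."""
    r = classify_segment(src_port, dst_port, payload)
    return r["port_match"] and r["privileged_source"] and (
        r["arch"] is not None or r["body_prefix"] is not None)


if __name__ == "__main__":
    # Constructed samples: an x86-style trigger from a privileged port and
    # a plain request from an unprivileged port (which the daemon would drop).
    print(classify_segment(1023, PMMASTERD_PORT, X86_HEADER + b"PingE4"))
    print(is_suspicious(40000, PMMASTERD_PORT, X64_HEADER))
```

Feed it the first segment of each new flow to TCP/12345; a match from an unprivileged source port is worth logging at lower severity, since the daemon would reject it.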
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit) · exploitdb · 2017-05-15 · CVE-2017-6553

Indexed module source (truncated excerpt as stored in the index):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Quest Privilege Manager pmmasterd Buffer Overflow',
  'Description' => %q{
    This module exploits a buffer overflow in the Quest Privilege Manager,
    a software used to integrate Active Directory with Linux and Unix
    systems. The vulnerability exists in the pmmasterd daemon, and can only
    be triggered when the host has been configured as a policy server (
    Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow
    condition exists when handling requests of type ACT_ALERT_EVENT, where
    the size of a memcpy can be controlled by the attacker. This module
    only works a
```

Metasploit
Quest Privilege Manager pmmasterd Buffer Overflow (metasploit)

This module exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only be triggered when the host has been configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow condition exists when handling requests of type ACT_ALERT_EVENT, where the size of a memcpy can be controlled by the attacker. This module only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required). NOTE: To use this module it is required to be able to bind a privileged port (<=1024) as the server refuses con
No writeups or analysis indexed.
References:
- https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/
- https://support.oneidentity.com/privilege-manager-for-unix/kb/SOL133824
- https://www.exploit-db.com/exploits/42010/