CVE-2017-6553
published 2017-04-29


Priority: P2 / 69 · critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (Metasploit module)
EPSS: 42.29% (98.5th percentile)
Buffer Overflow in Quest One Identity Privilege Manager for Unix before 6.0.0.061 allows remote attackers to obtain full access to the policy server via an ACT_ALERT_EVENT request that causes memory corruption in the pmmasterd daemon.

Affected (1 range)

Vendor   Product                      Version range   Fixed in
quest    privilege_manager_for_unix   <= 6.0.0-50     6.0.0.061

Detection & IOCs (extracted from sources)

port:     12345
process:  pmmasterd
command:  ACT_ALERT_EVENT
bytes:    PingE4.6 .0.0.27 (request body prefix for AES-encrypted exploit trigger)
bytes:    Packet header: 0x0000026c (big-endian 4 bytes) followed by 0x00000700 0x00000700 then 68 null bytes (x64 trigger)
  • Monitor for inbound connections to TCP port 12345 (pmmasterd default port) originating from privileged source ports (<=1024), as the daemon refuses connections from unprivileged ports and the exploit requires binding a privileged source port.
  • For x86 targets, the exploit sends a packet with header bytes 0x0000026c / 0x00000108 / 0x000000cc — detect this distinct header pattern on TCP/12345 as an indicator of x86-targeted exploitation.
  • Versions up to 6.0.0-50 are vulnerable; prioritize detection/patching on hosts running pmmasterd configured as a policy server for Privilege Manager for Unix or Quest Sudo Plugin.
  • The exploit body prefix 'PingE4' is specific to AES encryption mode (default). If the target is configured to use DES encryption instead, the prefix byte changes from E4 to E2, altering the detection signature.
  • The Metasploit module only reliably exploits version 6.0.0-27; versions 6.0.0-28 through 6.0.0-50 are also vulnerable but require an additional stack cookie bypass not implemented in this module.
  • The ROP chains embedded in the exploit are hardcoded for pmmasterd 6.0.0-27 compiled without -fPIE; they will not work against ASLR/PIE-enabled builds or other versions.
  • The vulnerability is only triggerable when the target host is configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin); non-policy-server deployments are not affected.

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD     v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C