CVE-2017-6554
Published 2017-04-14
Priority P2 · 61 high · CVSS 3.0 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 15.56% (96.4th percentile)
pmmasterd in Quest Privilege Manager before 6.0.0.061, when configured as a policy server, allows remote attackers to write to arbitrary files and consequently execute arbitrary code with root privileges via an ACT_NEWFILESENT action.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | privilege_manager | — | — |
| quest | privilege_manager | — | — |
Detection & IOCs (extracted from sources)
- bytes: 50696e6745342e362e302e302e32372e (ASCII "PingE4.6.0.0.27.", the version-negotiation string sent to pmmasterd)
- Detect TCP connections to port 12345 (pmmasterd default port) originating from privileged source ports (below 1024): the public exploit must bind a privileged source port to talk to the daemon, so a client on an ephemeral port is not running the PoC as written.
- Look for the ACT_NEWFILESENT action code (0xfa) in the first 4 bytes of TCP payloads sent to port 12345, followed by a file path such as /etc/crontab in the body.
- Detect the protocol handshake magic bytes 'PingE4' (hex: 50696e674534) at the start of the body portion of packets sent to pmmasterd on port 12345; this is the version negotiation string used by both the file-write PoC and the buffer overflow exploit.
- Monitor for unexpected modifications to /etc/crontab, especially additions of lines matching '* * * * * root <command>', the payload delivery mechanism used by this exploit. The cron line runs every minute, so the first evidence on the host may be the executed command rather than the write itself.
- Alert on creation of /tmp/pwned as an indicator of successful exploitation of CVE-2017-6554 via the public PoC. This marker is the PoC default ('touch /tmp/pwned'); an attacker who edits the script will drop a different command, so treat any new every-minute root entry as the primary indicator and /tmp/pwned as confirmation only.
- The exploit packet header structure is: 4-byte big-endian action code + 4-byte big-endian len1 + 4-byte big-endian len2 + 68 null bytes (80-byte header in total). Network signatures should match this fixed 68-byte null padding at offset 12 in packets to port 12345.
- For the buffer overflow variant (CVE-2017-6553, same binary), detect oversized bodies (more than 1600 bytes) in ACT_ALERT_EVENT (0x26c) requests to port 12345 as a crash/exploitation check.
- Caveat: the arbitrary file write vulnerability (CVE-2017-6554) is only exploitable when pmmasterd is configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin). Hosts running pmmasterd but not configured as policy servers are not affected; inventory the policy-server role, not just the package.
- Caveat: the PoC exploit requires the attacker to bind a privileged source port (below 1024), meaning root privileges are needed on the attacking machine. This limits who can run the published script but does not mitigate the server-side vulnerability; the check is performed by the client, not enforced by the daemon.
- Caveat: the AES key used in the protocol is derived from a hardcoded byte array (some_AES_bytes) XOR'd with a DH exchange value. Changing 'E4' to 'E2' in the PingE4 handshake string may enable DES mode instead of AES, so detection that relies on decrypting the stream must handle both ciphers.
- Caveat: the Metasploit buffer overflow module (referencing CVE-2017-6553) only works against version 6.0.0-27 of pmmasterd; detection rules targeting ROP chain byte patterns should be version-scoped accordingly. The ACT_NEWFILESENT file write needs no ROP chain and is the more portable of the two (the PoC lists 6.0.0-27 and 6.0.0-50).
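The detection points above, as one offline check. This is an added example, not code from the PoC, the Metasploit module or the vendor. It follows the packet layout the page describes (4-byte big-endian action, len1, len2, 68 null bytes, then body) and the page's action codes and thresholds; the sample packets and crontab text are constructed, and the handshake packet's action value (0) and the meaning of len1/len2 (both set to the body length in the builder) are assumptions, not taken from the real protocol.

```python
"""Offline indicator checks for pmmasterd traffic and host artefacts (added example).

Wire layout and thresholds follow the page's description of the public exploit;
sample packets and crontab lines below are constructed for this example.
"""
import re
import struct

PMMASTERD_PORT = 12345
HEADER_LEN = 80                  # 12 bytes of fields + 68 bytes of null padding
ACT_NEWFILESENT = 0xFA           # arbitrary file write (CVE-2017-6554)
ACT_ALERT_EVENT = 0x26C          # memcpy overflow (CVE-2017-6553)
ALERT_BODY_MAX = 1600            # bodies above this are the crash/exploit check
HANDSHAKE_MAGIC = b"PingE4"      # version-negotiation string, hex 50696e674534
PRIVILEGED_PORT_MAX = 1023       # the PoC binds a source port below 1024


def build_packet(action, body):
    """Constructed packet in the layout the page describes.

    len1/len2 semantics are not given on the page; both are set to len(body)
    here as an assumption, purely so the detector can be exercised offline.
    """
    return struct.pack(">III", action, len(body), len(body)) + b"\x00" * 68 + body


def parse_header(payload):
    """Return (action, len1, len2, body), or None if the 80-byte header shape is absent."""
    if len(payload) < HEADER_LEN:
        return None
    action, len1, len2 = struct.unpack(">III", payload[:12])
    if payload[12:HEADER_LEN] != b"\x00" * 68:   # fixed null padding at offset 12
        return None
    return action, len1, len2, payload[HEADER_LEN:]


def classify_packet(payload, src_port, dst_port):
    """Return the indicator names that fire for one TCP segment payload to pmmasterd."""
    hits = []
    if dst_port != PMMASTERD_PORT:
        return hits
    if src_port <= PRIVILEGED_PORT_MAX:
        hits.append("privileged_source_port")
    parsed = parse_header(payload)
    if parsed is None:
        return hits
    action, _len1, _len2, body = parsed
    hits.append("pmmasterd_header")
    if body.startswith(HANDSHAKE_MAGIC):
        hits.append("pinge4_handshake")
    if action == ACT_NEWFILESENT:
        hits.append("act_newfilesent")
        # First absolute path in the body; /etc/crontab is what the public PoC writes.
        m = re.search(rb"/(?:[\w.-]+/)*[\w.-]+", body)
        if m:
            hits.append("file_path:" + m.group(0).decode("ascii", "replace"))
    if action == ACT_ALERT_EVENT and len(body) > ALERT_BODY_MAX:
        hits.append("oversized_alert_event")
    return hits


# Host side: the PoC's payload shape is an every-minute root entry in /etc/crontab.
CRON_EVERY_MINUTE_ROOT = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+root\s+(.+)$")


def suspicious_crontab_lines(crontab_text):
    """Return (line_number, command) for each every-minute root entry in crontab text."""
    found = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        m = CRON_EVERY_MINUTE_ROOT.match(line.strip())
        if m:
            found.append((n, m.group(1)))
    return found


# Constructed samples (not captured traffic).
SAMPLE_HANDSHAKE = build_packet(0, b"PingE4.6.0.0.27.")          # action 0 is assumed
SAMPLE_FILE_WRITE = build_packet(
    ACT_NEWFILESENT, b"/etc/crontab\x00* * * * * root touch /tmp/pwned\n")
SAMPLE_OVERFLOW = build_packet(ACT_ALERT_EVENT, b"A" * 1601)
CONSTRUCTED_CRONTAB = """# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root touch /tmp/pwned
"""

if __name__ == "__main__":
    print(classify_packet(SAMPLE_HANDSHAKE, 40000, PMMASTERD_PORT))
    print(classify_packet(SAMPLE_FILE_WRITE, 1023, PMMASTERD_PORT))
    print(classify_packet(SAMPLE_OVERFLOW, 40000, PMMASTERD_PORT))
    print(suspicious_crontab_lines(CONSTRUCTED_CRONTAB))
```

The header check is the anchor: a 68-byte run of nulls at offset 12 in a payload to port 12345 is specific enough to avoid firing on unrelated traffic, and the action code then separates the file-write and overflow variants. The source-port indicator is reported but never required, since it reflects how the published script behaves rather than anything the daemon enforces. On the host, the every-minute root pattern catches the PoC's cron line whatever command it carries; checking for /tmp/pwned is a simple existence test and is left to the reader.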
CVSS provenance
- NVD v3.0: 7.2 HIGH, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 HIGH (the v2 scale has no Critical band), AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
Exploit-DB: Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit) · CVE-2017-6553 · 2017-05-15
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# The superclass and the mixin/initialize preamble before the 'Name' key were
# lost in extraction; the class header and update_info call are restored from
# the standard Metasploit module layout.
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Quest Privilege Manager pmmasterd Buffer Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in the Quest Privilege Manager,
        a software used to integrate Active Directory with Linux and Unix
        systems. The vulnerability exists in the pmmasterd daemon, and can only
        be triggered when the host has been configured as a policy server (
        Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow
        condition exists when handling requests of type ACT_ALERT_EVENT, where
        the size of a memcpy can be controlled by the attacker. This module
        only works a
```
Exploit-DB: Quest Privilege Manager 6.0.0 - Arbitrary File Write · CVE-2017-6554 · 2017-04-10
---
```python
#!/usr/bin/env python2
"""
# Exploit Title: Quest Privilege Manager pmmasterd Arbitrary File Write
# Date: 10/Mar/2017
# Exploit Author: m0t
# Vendor Homepage: https://www.quest.com/products/privilege-manager-for-unix/
# Version: 6.0.0-27, 6.0.0-50
# Tested on: ubuntu 14.04 x86_64, ubuntu 16.04 x86, ubuntu 12.04 x86
# CVE : 2017-6554

REQUIREMENTS
- Root privs are required to bind a privileged source port
- python hexdump: pip install hexdump

This PoC gains arbitrary command execution by overwriting /etc/crontab
In case of successful exploitation /etc/crontab will contain the following line
* * * * * root touch /tmp/pwned
"""
import binascii as b
import hexdump as h
import struct
import sys
import socket
from Crypto.Cipher im
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/142095/Quest-Privilege-Manager-6.0.0-Arbitrary-File-Write.html
- http://www.securityfocus.com/bid/97686
- https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/
- https://support.oneidentity.com/privilege-manager-for-unix/kb/SOL133824
- https://www.exploit-db.com/exploits/41861/