cbcvebase.
CVE-2017-6554
published 2017-04-14


Priority: P2 (61, high)
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 15.56% (96.4th percentile)
pmmasterd in Quest Privilege Manager before 6.0.0.061, when configured as a policy server, allows remote attackers to write to arbitrary files and consequently execute arbitrary code with root privileges via an ACT_NEWFILESENT action.

Affected (2 ranges)

Vendor  Product            Version range  Fixed in
quest   privilege_manager  -              -
quest   privilege_manager  -              -

Detection & IOCs (extracted from sources)

port: 12345
command: ACT_NEWFILESENT (0xfa)
command: * * * * * root touch /tmp/pwned
path: /etc/crontab
process: pmmasterd
bytes: 50696e6745342e362e302e302e32372e
bytes: PingE4.6.0.0.27
  • Detect TCP connections to port 12345 (pmmasterd default port) originating from privileged source ports (<=1024), as the exploit requires binding a privileged source port to communicate with the daemon.
  • Look for ACT_NEWFILESENT action code (0xfa) in the first 4 bytes of TCP payloads sent to port 12345, followed by a file path such as /etc/crontab in the body.
  • Detect the protocol handshake magic bytes 'PingE4' (hex: 50696e674534) at the start of the body portion of packets sent to pmmasterd on port 12345; this is the version negotiation string used by both the file-write PoC and the buffer overflow exploit.
  • Monitor for unexpected modifications to /etc/crontab, especially additions of lines matching '* * * * * root <command>' which is the payload delivery mechanism used by this exploit.
  • Alert on creation of /tmp/pwned as an indicator of successful exploitation of CVE-2017-6554 via the public PoC.
  • The exploit packet header structure is: 4-byte big-endian action code + 4-byte big-endian len1 + 4-byte big-endian len2 + 68 null bytes (total 80-byte header). Network signatures should match this fixed 68-byte null padding at offset 12 in packets to port 12345.
  • For the buffer overflow variant (CVE-2017-6553, same binary), detect oversized bodies (>1600 bytes) in ACT_ALERT_EVENT (0x26c) requests to port 12345 as a crash/exploitation check.
  • The arbitrary file write vulnerability (CVE-2017-6554) is only exploitable when pmmasterd is configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin). Hosts not configured as policy servers are not affected.
  • The PoC exploit requires the attacker to bind a privileged source port (<1024), meaning root privileges are needed on the attacking machine. This limits the attack surface but does not mitigate the server-side vulnerability.
  • The AES encryption key used in the protocol is derived from a hardcoded byte array (some_AES_bytes) XOR'd with a DH exchange value. Changing 'E4' to 'E2' in the PingE4 handshake string may enable DES mode instead of AES, affecting decryption-based detection.
  • The Metasploit buffer overflow module (referencing CVE-2017-6553) only works against version 6.0.0-27 of pmmasterd; detection rules targeting ROP chain byte patterns should be version-scoped accordingly.
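As an added illustration, not code from the page's sources or from the vendor, the following Python classifier applies the header and payload checks listed above to a single TCP payload: the 80-byte header shape (three big-endian fields plus 68 null bytes), the ACT_NEWFILESENT and ACT_ALERT_EVENT action codes, the PingE4 handshake magic, the /etc/crontab path and the privileged source port. The sample payloads are constructed for testing and carry placeholder bodies, not real protocol messages.

```python
import struct

# Constants taken from the detection notes above.
PMMASTERD_PORT = 12345
ACT_NEWFILESENT = 0xFA       # file-write action (CVE-2017-6554)
ACT_ALERT_EVENT = 0x26C      # overflow variant (CVE-2017-6553)
HEADER_LEN = 80              # 3 x 4-byte big-endian fields + 68 null bytes
HANDSHAKE_MAGIC = b"PingE4"
ALERT_BODY_LIMIT = 1600


def parse_header(payload: bytes):
    """Return (action, len1, len2, body) when the 80-byte header shape matches, else None."""
    if len(payload) < HEADER_LEN:
        return None
    action, len1, len2 = struct.unpack(">III", payload[:12])
    if payload[12:HEADER_LEN] != b"\x00" * 68:   # fixed null padding at offset 12
        return None
    return action, len1, len2, payload[HEADER_LEN:]


def classify(payload: bytes, dst_port: int, src_port: int) -> list:
    """Return the detection tags that apply to one TCP payload sent to pmmasterd."""
    tags = []
    if dst_port != PMMASTERD_PORT:
        return tags
    if src_port <= 1024:                         # PoC needs a privileged source port
        tags.append("privileged-source-port")
    parsed = parse_header(payload)
    if parsed is None:
        return tags
    action, _len1, _len2, body = parsed
    if body.startswith(HANDSHAKE_MAGIC):
        tags.append("pinge4-handshake")
    if action == ACT_NEWFILESENT:
        tags.append("act-newfilesent")
        if b"/etc/crontab" in body:
            tags.append("crontab-write")
    elif action == ACT_ALERT_EVENT and len(body) > ALERT_BODY_LIMIT:
        tags.append("oversized-alert-event")
    return tags


# Constructed test payloads (placeholder bodies, not real protocol messages).
_HDR_NULLS = b"\x00" * 68
SAMPLE_NEWFILESENT = struct.pack(">III", ACT_NEWFILESENT, 0, 0) + _HDR_NULLS + b"PingE4.6.0.0.27./etc/crontab"
SAMPLE_ALERT_OVERSIZED = struct.pack(">III", ACT_ALERT_EVENT, 0, 0) + _HDR_NULLS + b"A" * 1700
SAMPLE_BENIGN = struct.pack(">III", 1, 0, 0) + b"\x01" * 68 + b"hello"
```

Feeding `classify(SAMPLE_NEWFILESENT, 12345, 1023)` returns all four tags, while the benign sample fails the null-padding check and yields none.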

CVSS provenance

nvd  v3.0  7.2  HIGH      CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  9.0  CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C