CVE-2018-11138
Published 2018-05-31
Priority P197 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2022-04-15
Exploited in the wild
EPSS 91.93% (99.8th percentile)
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | kace_system_management_appliance | — | — |
Detection & IOCs (extracted from sources)
- path: /krashrpt.php
- other: icon_hash="-463230636"
- bytes: kuid=|60|
Suricata rule, inbound (sid 2027457):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; startswith; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:5; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Suricata rule, outbound (sid 2027456):
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; startswith; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:5; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Fingerprint vulnerable KACE appliances by checking for the presence of the 'X-KACE-Appliance' response header and an 'X-KACE-Version' header value <= 8.0.318 on HTTP 302 redirects from /common/download_agent_installer.php.
- Exploitation injects OS commands via the 'orgid' GET parameter of /common/download_agent_installer.php using the pattern `<orgid>#; <command>`. Monitor for this injection pattern in HTTP request logs.
- Detect exploitation attempts against /krashrpt.php via POST requests whose body starts with 'kuid=' followed by byte 0x60 (backtick), indicating command injection (used by a Mirai variant).
- The exploit executes commands as the web server user 'www' and creates artifacts under /tmp/agentprov/<orgid>#;/ ; monitor for unexpected directory creation under /tmp/agentprov/.
- The vulnerability is unauthenticated; any GET request to /common/download_agent_installer.php with an 'orgid' parameter containing shell metacharacters (#, ;) should be treated as a potential exploitation attempt.
- Use the FOFA icon hash query icon_hash="-463230636" to identify internet-exposed Quest KACE appliances for asset discovery and attack surface monitoring.
- The serial number hash (SHA-256 of the appliance serial) is passed as the 'serv' parameter; the serial number can be scraped unauthenticated from /common/about.php via the pattern 'Serial Number: ([A-F0-9]+)'.
- A valid Organization ID is required for exploitation; the default value is '1', but non-default deployments may use different IDs.
- A valid Windows agent version number must be supplied; if Samba file sharing is enabled, versions can be enumerated from the \kace.local\client\agent_provisioning\windows_platform share.
- The exploit runs commands as the low-privileged web server user 'www' on a FreeBSD-based platform, not as root.
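The notes above and the two ET Suricata rules (sids 2027456 and 2027457) describe three checks a defender can automate: the version fingerprint on the 'X-KACE-Version' header, the `#;` injection pattern in the 'orgid' parameter, and the `kuid=` + backtick body on POSTs to /krashrpt.php. The following Python is an added example written for this page, not code from the page's sources, from Emerging Threats or from Quest. It runs those checks over constructed request records; the record layout (src/method/uri/body) and the fake serv hash are assumptions, not a KACE or proxy log format.

```python
"""Detection helpers for CVE-2018-11138 exploitation attempts (added example).

The request records below are constructed for this example; their field
layout (src/method/uri/body) is an assumption, not a KACE or proxy log format.
"""
import hashlib
import re
from urllib.parse import unquote_plus

INSTALLER_PATH = "/common/download_agent_installer.php"
KRASHRPT_PATH = "/krashrpt.php"
LAST_VULNERABLE_BUILD = (8, 0, 318)  # page: X-KACE-Version <= 8.0.318 is vulnerable
ORGID_METACHARS = "#;"               # injection pattern on the page: <orgid>#; <command>


def parse_version(text):
    """'8.0.318' -> (8, 0, 318); only the first three numeric groups are used."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def fingerprint_vulnerable(headers):
    """True when a response carries X-KACE-Appliance and X-KACE-Version <= 8.0.318.

    Header names are compared case-insensitively; a missing or unparsable
    version is treated as not fingerprinted rather than as vulnerable.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-kace-appliance" not in lowered or "x-kace-version" not in lowered:
        return False
    version = parse_version(lowered["x-kace-version"])
    return bool(version) and version <= LAST_VULNERABLE_BUILD


def orgid_injection(method, uri):
    """GET to download_agent_installer.php whose decoded orgid contains '#' or ';'.

    The query string is split by hand instead of with urlsplit(): a literal
    '#' sent on the wire reaches PHP as part of QUERY_STRING, not as a fragment,
    so a detector must not discard it. Percent-encoding is decoded per pair.
    """
    path, _, query = uri.partition("?")
    if method != "GET" or path != INSTALLER_PATH:
        return False
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "orgid" and any(c in unquote_plus(value) for c in ORGID_METACHARS):
            return True
    return False


def krashrpt_injection(method, uri, body):
    """Mirror of ET sids 2027456/2027457: POST, URI ending /krashrpt.php, body starts with kuid=` (0x60)."""
    path = uri.partition("?")[0]
    return method == "POST" and path.endswith(KRASHRPT_PATH) and body.startswith(b"kuid=\x60")


def scan(requests):
    """Return (src, rule) for each request record matching one of the patterns above."""
    hits = []
    for r in requests:
        if orgid_injection(r["method"], r["uri"]):
            hits.append((r["src"], "orgid-injection"))
        elif krashrpt_injection(r["method"], r["uri"], r["body"]):
            hits.append((r["src"], "krashrpt-injection"))
    return hits


# Constructed sample traffic. The serial fed to SHA-256 is made up; the page
# says 'serv' carries the SHA-256 of the real appliance serial number.
_FAKE_SERV = hashlib.sha256(b"0123456789ABCDEF").hexdigest()
SAMPLE_REQUESTS = [
    # benign agent download with the default org id
    {"src": "192.0.2.10", "method": "GET",
     "uri": f"{INSTALLER_PATH}?orgid=1&serv={_FAKE_SERV}", "body": b""},
    # orgid=1#; id  (percent-encoded as Metasploit would send it)
    {"src": "198.51.100.23", "method": "GET",
     "uri": f"{INSTALLER_PATH}?orgid=1%23%3B%20id&serv={_FAKE_SERV}", "body": b""},
    # Mirai-style crash-report injection
    {"src": "198.51.100.77", "method": "POST", "uri": KRASHRPT_PATH, "body": b"kuid=`id`"},
    # legitimate-looking crash report: kuid without a backtick
    {"src": "192.0.2.11", "method": "POST", "uri": KRASHRPT_PATH,
     "body": b"kuid=00000000-0000-0000-0000-000000000000"},
]

if __name__ == "__main__":
    for src, rule in scan(SAMPLE_REQUESTS):
        print(f"{src}\t{rule}")
```

The orgid check deliberately decodes each key/value pair itself rather than relying on `urllib.parse.parse_qs`, because older Python versions split on `;` as well as `&` and `urlsplit` would treat a raw `#` as a fragment; both would hide the exact characters the rule is looking for.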
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-8m62-73pq-x847 · ghsa_unreviewed · 2022-05-13 · CVE-2018-11138 [CRITICAL] CWE-78
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
VulnCheck
Quest KACE System Management Appliance Remote Command Execution Vulnerability · vulncheck · 2018 · CVSS 9.8 · CVE-2018-11138 [CRITICAL] CWE-78
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution.
Affected: Quest KACE System Management Appliance
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors
- https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-15
CISA
Quest KACE System Management Appliance Remote Command Execution Vulnerability · cisa · 2022-03-25 · CVSS 9.8 · CVE-2018-11138 [CRITICAL] CWE-78
Vulnerability: Quest KACE System Management Appliance Remote Command Execution Vulnerability
Affected: Quest KACE System Management Appliance
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-11138
Remediation Due Date: 2022-04-15
Suricata
ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound · suricata · 2019-06-11 · CVSS 9.8 · CVE-2018-11138 [CRITICAL]
Rule: sid 2027457 (full rule text above under Detection & IOCs)
Suricata
ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound · suricata · 2019-06-11 · CVSS 9.8 · CVE-2018-11138 [CRITICAL]
Rule: sid 2027456 (full rule text above under Detection & IOCs)
Exploit-DB
Quest KACE Systems Management - Command Injection (Metasploit) · exploitdb · 2018-06-27 · CVE-2018-11138
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Quest KACE Systems Management Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in Quest KACE
        Systems Management Appliance version 8.0.318 (and possibly prior).

        The `download_agent_installer.php` file allows unauthenticated users
        to execute arbitrary commands as the web server user `www`.

        A valid Organization ID is required. The default value is `1`.

        A valid Windows agent version number must also be provided. If file
        sharing is enabled, the agent versions are available within the
        `\\kace.local\client\agent_provisi
```
Metasploit
Quest KACE Systems Management Command Injection · metasploit
This module exploits a command injection vulnerability in Quest KACE Systems Management Appliance version 8.0.318 (and possibly prior). The `download_agent_installer.php` file allows unauthenticated users to execute arbitrary commands as the web server user `www`. A valid Organization ID is required. The default value is `1`. A valid Windows agent version number must also be provided. If file sharing is enabled, the agent versions are available within the `\kace.local\client\agent_provisioning\windows_platform` Samba share. Additionally, various agent versions are listed on the KACE website. This module has been tested successfully on Quest KACE Systems Management Appliance K1000 version 8.0 (Build 8.0.318).
Nuclei
Quest KACE System Management Appliance 8.0.318 - Remote Code Execution · nuclei · CVSS 9.8 · CVE-2018-11138 [CRITICAL]
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
Template:
```yaml
id: CVE-2018-11138

info:
  name: Quest KACE System Management Appliance 8.0.318 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
  impact: |
    An attacker can execute arbitrary commands on the affected system, potentially leading to complete system compromise, data theft, or further network
```
No writeups or analysis indexed.
References
- https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
- https://www.exploit-db.com/exploits/44950/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11138
Timeline
- 2018-05-31: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild