CVE-2018-11138
published 2018-05-31


Priority: P197 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 91.93% (99.8th percentile)
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

Affected (1 range)

Vendor: quest · Product: kace_system_management_appliance · Version range: (not given) · Fixed in: (not given)

Detection & IOCs (extracted from sources)

path: /common/download_agent_installer.php
path: /krashrpt.php
path: /tmp/agentprov/<ORGANIZATION>#;/
command: orgid=<ORGANIZATION>#; <payload>
other: X-KACE-Appliance (response header)
other: X-KACE-Version (response header)
other: icon_hash="-463230636" (FOFA query)
path: \\kace.local\client\agent_provisioning\windows_platform (SMB share)
bytes: kuid=|60| (POST body prefix; 0x60 is a backtick)
snort (ET rule; written in Suricata sticky-buffer syntax, so it needs translation before it will load on Snort 2):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; startswith; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:5; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort (ET rule; same syntax caveat):
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; startswith; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:5; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Fingerprint vulnerable KACE appliances by checking for the presence of the 'X-KACE-Appliance' response header and an 'X-KACE-Version' header value <= 8.0.318 on the HTTP 302 redirect returned by /common/download_agent_installer.php.
  • Exploitation injects OS commands through the 'orgid' GET parameter of /common/download_agent_installer.php using the pattern <orgid>#; <command>. Monitor HTTP request logs for this pattern; remember that the '#' and ';' may arrive URL-encoded as %23 and %3B, so decode the query string before matching.
  • Detect exploitation attempts against /krashrpt.php via POST requests whose body starts with 'kuid=' followed by byte 0x60 (a backtick), indicating command injection (the pattern used by the Mirai variant).
  • The exploit executes commands as the web server user 'www' and creates artifacts under /tmp/agentprov/<orgid>#;/ on the appliance; monitor for unexpected directory creation under /tmp/agentprov/.
  • The vulnerability is unauthenticated; any GET request to /common/download_agent_installer.php with an 'orgid' parameter containing shell metacharacters (#, ;) should be treated as a potential exploitation attempt.
  • Use the FOFA icon hash query 'icon_hash="-463230636"' to identify internet-exposed Quest KACE appliances for asset discovery and attack surface monitoring.
  • The serial number hash (SHA256 of the appliance serial) is passed as the 'serv' parameter; the serial number can be scraped unauthenticated from /common/about.php using the pattern 'Serial Number: ([A-F0-9]+)'.
  • A valid Organization ID is required for exploitation; the default value is '1', but non-default deployments may use different IDs.
  • A valid Windows agent version number must be supplied; if Samba file sharing is enabled, versions can be enumerated from the \\kace.local\client\agent_provisioning\windows_platform share.
  • Commands run as the low-privileged web server user 'www' on the appliance's FreeBSD-based platform, not as root.
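As an added example (not code from this page, from Quest, or from any of the cited sources): a small Python detector that applies the fingerprinting rule and the two injection patterns above. Only the paths, the 'orgid' and 'kuid' parameters, the 8.0.318 cut-off and the backtick prefix come from the indicators listed; the combined-format access log regex, the sample log lines, and the header values are assumptions constructed for the demonstration.

```python
"""Detection helpers for the CVE-2018-11138 indicators listed above.

Added example, not code from the page or from Quest. Assumes HTTP access
logs in Apache/nginx combined format and response headers as a dict; the
sample log lines and header values below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote

INSTALLER_PATH = "/common/download_agent_installer.php"
CRASH_PATH = "/krashrpt.php"
LAST_VULNERABLE = (8, 0, 318)          # X-KACE-Version <= this is vulnerable
# '#' and ';' are the metacharacters the page documents; the rest are an
# assumption to widen the net without changing the documented logic.
SHELL_META = set("#;`|&$")

# Combined log format (assumption): ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'8.0.318' -> (8, 0, 318); parsing stops at the first non-numeric part."""
    parts: List[int] = []
    for p in v.strip().split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def appliance_is_vulnerable(headers: Dict[str, str]) -> bool:
    """Fingerprint rule: X-KACE-Appliance present and X-KACE-Version <= 8.0.318."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-kace-appliance" not in h or "x-kace-version" not in h:
        return False
    ver = parse_version(h["x-kace-version"])
    return bool(ver) and ver <= LAST_VULNERABLE


def classify_request(method: str, target: str, body: str = "") -> Optional[str]:
    """Return a detection label for one request, or None if nothing matched.

    The query string is split by hand rather than with urlsplit() because a raw
    '#' in the request line would otherwise be treated as a URL fragment and the
    injected command after it would be dropped before matching.
    """
    path, _, query = target.partition("?")
    path = unquote(path)
    if path.endswith(INSTALLER_PATH):
        # parse_qs decodes %23 / %3B, so encoded and raw metacharacters both match.
        for orgid in parse_qs(query, keep_blank_values=True).get("orgid", []):
            if SHELL_META & set(orgid):
                return "CVE-2018-11138 orgid command injection"
    if method == "POST" and path.endswith(CRASH_PATH) and body.startswith("kuid=`"):
        return "krashrpt.php kuid command injection (Mirai variant pattern)"
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, label) for every log line that matches an indicator.

    Combined-format logs carry no request body, so only the GET-based orgid
    pattern can be found here; the kuid pattern needs body inspection (IDS/WAF).
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["method"], m["target"])
        if label:
            hits.append((m["ip"], label))
    return hits


# Constructed sample log: one benign agent download, one injection attempt
# with '#; id' URL-encoded, one unrelated request. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jun/2019:10:14:02 +0000] "GET /common/download_agent_installer.php'
    '?orgid=1&serv=0123456789abcdef&version=8.0.318 HTTP/1.1" 302 0',
    '198.51.100.23 - - [11/Jun/2019:10:15:40 +0000] "GET /common/download_agent_installer.php'
    '?orgid=1%23%3B%20id&serv=0123456789abcdef&version=8.0.318 HTTP/1.1" 302 0',
    '198.51.100.23 - - [11/Jun/2019:10:16:01 +0000] "GET /common/about.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, label in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {label}")
```

The fingerprint check is the one to run against an HTTP client's response headers after a GET to the installer path; the access-log scan is the one to run after the fact, and because it decodes the query string it catches the encoded form the page's raw pattern would miss.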

CVSS provenance

nvd v3.1: 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL