CVE-2018-20735
published 2019-01-17


Priority: P3 · 52 · high · CVSS 3.0 base score: 7.8
EXPLOIT
EPSS: 7.49% (93.7th percentile)
An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration.

Affected

1 range

Vendor  Product       Version range  Fixed in
bmc     patrol_agent  <= 11.3.01

Detection & IOCs (extracted from sources)

port: 3181
command: system("<cmd>") via RemPsl in R_E message block
other: DES encryption key: k$C4}@"_
bytes: Session init message: \x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\x00\x04\x02\x04\x03\x10\x00\x00\x03\x04\x00\x00\x00\x00\x01\x01\x04\x00\xff\x00\x00\x00 followed by 0x68 null bytes, msg type 0x45, compression flag 0x02
  • Monitor TCP port 3181 for BMC Patrol Agent connections, especially authentication attempts from low-privileged or unexpected domain users, which may indicate exploitation of CVE-2018-20735.
  • Detect the 'RemPsl' command execution pattern in BMC Patrol Agent traffic — specifically the R_E message block containing 'RemPsl' and 'system()' calls, which is the mechanism used to run arbitrary OS commands as SYSTEM.
  • Detect BMC Patrol Agent authentication messages (ID block with HOST, USER, PASS, VER=V9.6.00, T=PEMAPI fields) on port 3181, particularly from domain users authenticating to high-value targets such as domain controllers.
  • Alert on PowerShell execution spawned by the BMC Patrol Agent process (running as SYSTEM), as the Windows exploit path uses PowerShell to deliver shellcode via reflection.
  • The exploit sends a zlib-compressed (deflate, level 4) payload with a 6-byte header (4-byte big-endian length, 1-byte type, 1-byte compression flag). Type 0x44 with compression flag 0x00 indicates a compressed command message; detect this pattern on port 3181.
  • The vulnerability allows any domain user to authenticate to PATROL Agent and execute commands as SYSTEM. Audit PATROL Agent installations on domain controllers for any non-administrative user authentication events.
  • The vendor disputes the severity, stating that the privilege escalation can be prevented through a custom, non-default configuration. Default installations are vulnerable; hardened/custom configurations may not be.
  • The exploit module's default credentials are 'patrol'/'password'. Environments using non-default credentials are not automatically protected from the privilege escalation, only from unauthenticated access.
  • The DES password encryption uses a hardcoded static key ('k$C4}@"_'). This key is embedded in the PatrolCli application itself and applies to all default installations.
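The framing described in the detection notes (6-byte header of 4-byte big-endian length, 1-byte type, 1-byte compression flag; type 0x44 for the deflate-compressed command message carrying RemPsl / system()) can be turned into a small stream inspector for captured port 3181 traffic. The code below is an added example written for this page, not code from BMC or from any exploit module; it assumes the length field counts the bytes that follow the header, and the sample frames are constructed here for illustration.

```python
import struct
import zlib

HEADER_FMT = ">IBB"      # 4-byte big-endian length, 1-byte type, 1-byte compression flag
HEADER_LEN = struct.calcsize(HEADER_FMT)
COMMAND_MSG_TYPE = 0x44  # type the IOC notes tie to a compressed command message
SUSPICIOUS_MARKERS = (b"RemPsl", b"system(")


def parse_frame(data: bytes):
    """Split one frame into (length, msg_type, comp_flag, body); None if too short.
    Assumption: the length field counts the bytes that follow the 6-byte header."""
    if len(data) < HEADER_LEN:
        return None
    length, msg_type, comp_flag = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return length, msg_type, comp_flag, data[HEADER_LEN:HEADER_LEN + length]


def inspect_frame(data: bytes) -> dict:
    """Classify one frame: type-0x44 command frame or not, and whether the
    (decompressed) body carries the RemPsl / system() pattern."""
    parsed = parse_frame(data)
    if parsed is None:
        return {"ok": False, "alert": False, "hits": []}
    length, msg_type, comp_flag, body = parsed
    try:
        payload, compressed = zlib.decompress(body), True   # deflate-compressed body
    except zlib.error:
        payload, compressed = body, False                   # plain body
    hits = [m.decode() for m in SUSPICIOUS_MARKERS if m in payload]
    is_cmd = msg_type == COMMAND_MSG_TYPE
    return {"ok": True, "type": msg_type, "comp_flag": comp_flag, "compressed": compressed,
            "command_frame": is_cmd, "hits": hits, "alert": is_cmd and bool(hits)}


def scan_stream(stream: bytes) -> list:
    """Walk a captured TCP stream frame by frame; return (offset, result) per alert."""
    alerts, offset = [], 0
    while offset + HEADER_LEN <= len(stream):
        length = parse_frame(stream[offset:])[0]
        result = inspect_frame(stream[offset:offset + HEADER_LEN + length])
        if result["alert"]:
            alerts.append((offset, result))
        offset += HEADER_LEN + length  # always advances, so a zero length cannot loop forever
    return alerts


def build_frame(msg_type: int, comp_flag: int, payload: bytes, compress: bool) -> bytes:
    """Constructed test fixture only: wrap a payload in the header layout above."""
    body = zlib.compress(payload, 4) if compress else payload
    return struct.pack(HEADER_FMT, len(body), msg_type, comp_flag) + body


# Constructed sample stream: a plain authentication-style frame, then a compressed
# command frame carrying the RemPsl / system() marker with a harmless command.
SAMPLE_AUTH = build_frame(0x45, 0x00, b"HOST=dc01 USER=alice VER=V9.6.00 T=PEMAPI", False)
SAMPLE_CMD = build_frame(COMMAND_MSG_TYPE, 0x00, b'R_E RemPsl system("hostname")', True)
SAMPLE_STREAM = SAMPLE_AUTH + SAMPLE_CMD
```

Feeding a reassembled port 3181 stream to scan_stream gives the byte offset of each command frame that contains the marker, which is the event the bullets above say to alert on.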

CVSS provenance

NVD, CVSS v3.0: 7.8 HIGH, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C