CVE-2018-20735
Published 2019-01-17
Priority P3 (52, high) · CVSS 3.0 score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 7.49% (93.7th percentile)
An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bmc | patrol_agent | <= 11.3.01 | — |
Detection & IOCs (extracted from sources)
- Bytes: session init message `\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\x00\x04\x02\x04\x03\x10\x00\x00\x03\x04\x00\x00\x00\x00\x01\x01\x04\x00\xff\x00\x00\x00` followed by 0x68 null bytes; message type 0x45, compression flag 0x02.
- Monitor TCP port 3181 for BMC PATROL Agent connections, especially authentication attempts from low-privileged or unexpected domain users, which may indicate exploitation of CVE-2018-20735.
- Detect the 'RemPsl' command execution pattern in PATROL Agent traffic, specifically an R_E message block containing 'RemPsl' and a 'system()' call; this is the mechanism used to run arbitrary OS commands as SYSTEM.
- Detect PATROL Agent authentication messages (an ID block with HOST, USER, PASS, VER=V9.6.00 and T=PEMAPI fields) on port 3181, particularly from domain users authenticating to high-value targets such as domain controllers.
- Alert on PowerShell spawned by the PATROL Agent process (running as SYSTEM): the Windows exploit path uses PowerShell to deliver shellcode via reflection.
- The exploit sends a zlib-compressed (deflate, level 4) payload behind a 6-byte header: 4-byte big-endian length, 1-byte message type, 1-byte compression flag. The source quotes type 0x44 with compression flag 0x00 for the compressed command message; detect this header pattern on port 3181.
- Any domain user can authenticate to PATROL Agent and execute commands as SYSTEM. Audit PATROL Agent installations on domain controllers for any non-administrative user authentication events.
- The vendor disputes the severity, stating that the escalation can be prevented through a custom, non-default configuration. Default installations are exposed; hardened or custom configurations may not be.
- The exploit module's default credentials, 'patrol'/'password', are only the module's placeholders. Because the agent accepts any account whose password is correct, rotating credentials protects only against unauthenticated or default-credential access, not against escalation by a legitimate low-privileged domain user.
- Password encryption uses DES with a static key ('k$C4}@"_') hard-coded in the PatrolCli application, so it is identical on every default installation; a captured authentication message can be decrypted by anyone who extracts the key from the client.
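The framing and the detection rules from the list above, worked into code. This is an added example, not code from the page, from the Metasploit module or from BMC. It assumes the quoted session-init bytes form the payload of a type-0x45 frame, that the ID-block fields appear as KEY=VALUE tokens (the page shows that form only for VER and T), and that the sample messages embedded below are constructed for illustration. The detector does not trust the compression flag, whose semantics the page leaves ambiguous; it simply offers every payload to zlib and falls back to the raw bytes.

```ruby
require 'zlib'

# Frame layout as the IOC list describes the exploit's wire format:
#   4-byte big-endian payload length | 1-byte message type | 1-byte compression flag | payload
HEADER_LEN        = 6
TYPE_SESSION_INIT = 0x45   # message type quoted for the session-init IOC
TYPE_COMMAND      = 0x44   # message type quoted for the compressed command IOC
AGENT_PORT        = 3181   # TCP port the detections above key on

# The 32-byte session-init prefix quoted in the IOC list (0x68 null bytes follow it on the wire).
SESSION_INIT_PREFIX = [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                       0x05, 0x02, 0x00, 0x04, 0x02, 0x04, 0x03, 0x10,
                       0x00, 0x00, 0x03, 0x04, 0x00, 0x00, 0x00, 0x00,
                       0x01, 0x01, 0x04, 0x00, 0xff, 0x00, 0x00, 0x00].pack('C*')

# Build one frame as the exploit side would. `compress: true` deflates at level 4, as the
# page states. Flag values are passed through verbatim from the page (0x02 on the session
# init, 0x00 on the compressed command); their exact semantics are not established here.
def build_frame(body, type, compress:, flag:)
  payload = compress ? Zlib::Deflate.deflate(body.b, 4) : body.b
  [payload.bytesize, type, flag].pack('NCC') + payload
end

Frame = Struct.new(:type, :flag, :inflated, :body)

# Split a captured byte stream into frames. Every payload is offered to zlib; whatever
# inflates is returned decompressed, everything else is returned raw.
def parse_stream(stream)
  frames = []
  pos = 0
  while pos + HEADER_LEN <= stream.bytesize
    len, type, flag = stream.byteslice(pos, HEADER_LEN).unpack('NCC')
    payload = stream.byteslice(pos + HEADER_LEN, len)
    break if payload.nil? || payload.bytesize < len   # truncated capture: stop cleanly
    begin
      frames << Frame.new(type, flag, true, Zlib::Inflate.inflate(payload))
    rescue Zlib::Error
      frames << Frame.new(type, flag, false, payload)
    end
    pos += HEADER_LEN + len
  end
  frames
end

# ID-block fields named in the IOC list. KEY=VALUE layout for HOST/USER/PASS is an
# assumption; the page spells out that form only for VER=V9.6.00 and T=PEMAPI.
AUTH_FIELDS = [/\bHOST\b/, /\bUSER\b/, /\bPASS\b/, /T=PEMAPI/].freeze

# Apply the page's detections to parsed frames. `expected_users` is the allowlist of
# accounts that legitimately talk to this agent; `high_value_host` marks a DC.
# Returns [frame_index, rule_name] pairs.
def detect(frames, expected_users: [], high_value_host: false)
  findings = []
  frames.each_with_index do |f, i|
    if f.type == TYPE_SESSION_INIT && f.body.start_with?(SESSION_INIT_PREFIX)
      findings << [i, 'patrol_session_init']
    end
    if AUTH_FIELDS.all? { |re| f.body.match?(re) }
      user = f.body[/USER=(\S+)/, 1]
      rule = 'patrol_auth'
      rule += '_unexpected_user' unless expected_users.include?(user)
      rule += '_on_high_value_host' if high_value_host
      findings << [i, rule]
    end
    if f.body.include?('RemPsl') && f.body.include?('system(')
      findings << [i, 'patrol_rempsl_system_exec']
    end
  end
  findings
end

# Constructed sample capture (not real traffic): session init, an ID block from a
# low-privileged domain user, a RemPsl/system() command, and an unrelated frame.
def sample_stream
  session_init = SESSION_INIT_PREFIX + ("\x00" * 0x68).b
  auth = 'ID HOST=dc01.corp.example USER=CORP\jdoe PASS=<des-blob> VER=V9.6.00 T=PEMAPI'
  cmd  = 'R_E RemPsl system("cmd.exe /c whoami > C:\Windows\Temp\o.txt")'
  build_frame(session_init, TYPE_SESSION_INIT, compress: false, flag: 0x02) +
    build_frame(auth, TYPE_COMMAND, compress: true, flag: 0x00) +
    build_frame(cmd, TYPE_COMMAND, compress: true, flag: 0x00) +
    build_frame('heartbeat', TYPE_COMMAND, compress: false, flag: 0x00)
end

if __FILE__ == $PROGRAM_NAME
  detect(parse_stream(sample_stream), expected_users: ['svc_patrol'], high_value_host: true)
    .each { |i, rule| puts "frame #{i} on tcp/#{AGENT_PORT}: #{rule}" }
end
```

Feed `parse_stream` the reassembled TCP payload of a port-3181 session (pcap extraction is left to the collector); the allowlist is what turns the generic "someone authenticated to PATROL" signal into the "low-privileged or unexpected user on a DC" signal the list above asks for.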
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
BMC Patrol Agent - Privilege Escalation Code Execution (Metasploit) · exploitdb · 2019-03-18
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'zlib'

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'BMC Patrol Agent Privilege Escalation Cmd Execution',
      'Description' => %q(
        This module leverages the remote command execution feature provided by
        the BMC Patrol Agent software. It can also be used to escalate privileges
        on Windows hosts as the software runs as SYSTEM but only verifies that the password
        of the provided user is correct. This also means if the software is running on a
        domain controller, it can be used to escalate from a normal domain user to domain
        admin as SYSTEM on a DC is DA. **WARNING** The windows version of this e
```
Metasploit
BMC Patrol Agent Privilege Escalation Cmd Execution
This module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means if the software is running on a domain controller, it can be used to escalate from a normal domain user to domain admin as SYSTEM on a DC is DA. **WARNING** The Windows version of this exploit uses PowerShell to execute the payload. The PowerShell version tends to time out on the first run, so it may take multiple tries.
No writeups or analysis indexed.