Dell KACE K1000
cpe:2.3:h:dell:kace_k1000_systems_management_appliance:*:*:*:*:*:*:*
- >= 5.0, <= 5.3
- >= 5.4, < 5.4.76849
- >= 5.5, < 5.5.90547
A vulnerability allowing unrestricted file upload has been identified in the Dell KACE K1000 System Management Appliance. This issue affects versions 5.0 through 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547. The vulnerability exists in the download_agent.php endpoint, where an attacker can upload arbitrary PHP files to a temporary web-accessible directory. These files can later be executed by including them in backend code that loads files from paths controlled by the attacker.
Exploitation of this vulnerability allows arbitrary file upload, which can be leveraged to execute malicious PHP scripts on the server. Uploaded files execute with the privileges of the 'www' user, and those privileges can be escalated to root using built-in KACE K1000 functionality.
The vulnerability can be reproduced by sending a POST request to the 'service/kbot_upload.php' endpoint. The request must include a 'filename' parameter set to a PHP file name, a 'machineId' parameter that traverses directories to reach a writable location, and a 'checksum' parameter set to 'SCRAMBLE' to bypass authentication. Once the file is uploaded, it can be executed by accessing it through the 'service/tmp/' directory.
Users are advised to update to KACE K1000 version 5.5.90547 or later.
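To check whether an appliance has already seen the request pattern described above, the following Python script (an added example, not part of the original advisory or any Dell code) scans web access logs for flagged uploads to 'service/kbot_upload.php' and later PHP requests under 'service/tmp/'. It assumes combined-format logs with the parameters recorded in the request URI; the log lines, IP addresses and parameter values are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format); not from a real appliance.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /service/kbot_upload.php?filename=a1.php&machineId=..%2F..%2Fsome%2Fdir&checksum=SCRAMBLE HTTP/1.1" 200 12
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /service/tmp/a1.php HTTP/1.1" 200 40
192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "POST /service/kbot_upload.php?filename=inventory.xml&machineId=42&checksum=9f2c HTTP/1.1" 200 12
192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /service/tmp/readme.txt HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def first(query, key):
    """Return the first value of a query parameter, or an empty string."""
    return query.get(key, [""])[0]


def scan(log_text):
    """Return (ip, kind, filename, status, reasons) for each suspicious request."""
    findings, uploaded = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        path, query = unquote(url.path), parse_qs(url.query)  # parse_qs decodes %2F
        if method == "POST" and path.endswith("/service/kbot_upload.php"):
            name = first(query, "filename")
            reasons = []
            if name.lower().endswith(".php"):
                reasons.append("php-filename")
            if ".." in first(query, "machineId"):
                reasons.append("machineId-traversal")
            if first(query, "checksum") == "SCRAMBLE":
                reasons.append("checksum-SCRAMBLE")
            if reasons:
                findings.append((ip, "upload", name, status, reasons))
                uploaded.add(name)
        elif "/service/tmp/" in path and path.lower().endswith(".php"):
            name = path.rsplit("/", 1)[-1]
            why = "follows-flagged-upload" if name in uploaded else "no-upload-seen"
            findings.append((ip, "tmp-php-access", name, status, [why]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 on the 'service/tmp/' request is the stronger signal, since it means the uploaded file was served; if the server does not log query strings, only the second check will fire.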