Jeffrey (jeffssh) Hofmann - PreAuth RCE Chains on an MDM: KACE SMA

Jeffrey (jeffssh) Hofmann, Security Engineer at Nuro, He/Him

Presentation Title: PreAuth RCE Chains on an MDM: KACE SMA
Length of presentation: 45 minutes
Demo, Exploit

MDM solutions are, by design, a single point of failure for an organization: the appliance can typically execute commands on most of the devices it manages, which makes it an "instant win" target for attackers. KACE Systems Management Appliance (SMA) is a popular MDM choice for hybrid environments. This talk covers the technical details of three pre-authentication RCE-as-root chains on KACE SMA and the research steps taken to identify the individual vulnerabilities used in each chain.

Jeffrey Hofmann is a Security Engineer at Nuro who loves to do security research both on and off the clock. He has a background in penetration testing and a passion for exploit development/reverse engineering.

Existing work on magic hashes was leveraged, specifically the string 240610708 discovered by Michal Spacek, whose MD5 hash has the form 0e followed only by decimal digits and is therefore treated as the number zero by PHP's loose (==) comparison.
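The following is an added example, not code from the talk or from KACE, showing why that particular string matters. It computes the MD5 of a few constructed sample inputs, checks which digests are "magic" (the numeric-string form 0e<digits>), and emulates the PHP numeric-string branch of == in Python so the collision-by-type-juggling can be seen offline. The PHP emulation is an approximation (it only models the case where both operands are numeric strings, which is the case a hex digest falls into); the function names and sample inputs are this example's own.

```python
import hashlib
import re

# Constructed sample inputs (not from the talk): two widely cited MD5 magic-hash
# preimages and one ordinary string for contrast.
CANDIDATES = ["240610708", "QNKCDZO", "password"]

# A "magic" hex digest is a PHP numeric string: 0e followed only by digits.
MAGIC_RE = re.compile(r"^0e[0-9]+$")


def md5_hex(s: str) -> str:
    """Lower-case hex MD5 digest, the same form PHP's md5() returns."""
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(digest: str) -> bool:
    """True if the digest parses as scientific notation with a zero mantissa.

    PHP reads '0e<digits>' as the float 0 * 10**n == 0.0, so two different
    magic digests compare equal under == even though their bytes differ.
    """
    return bool(MAGIC_RE.match(digest))


def php_loose_equal(a: str, b: str) -> bool:
    """Approximate PHP's == for two strings (assumption: only the numeric-string
    branch is modelled). Every PHP version compares two numeric strings as
    numbers; non-numeric strings fall back to a byte-wise comparison.
    """
    try:
        return float(a) == float(b)
    except ValueError:
        return a == b


def find_magic_preimages(candidates):
    """Return the inputs whose MD5 digest is a magic hash."""
    return [c for c in candidates if is_magic_hash(md5_hex(c))]


if __name__ == "__main__":
    for c in CANDIDATES:
        d = md5_hex(c)
        print(f"{c!r:14} md5={d} magic={is_magic_hash(d)}")
    a, b = md5_hex("240610708"), md5_hex("QNKCDZO")
    print("PHP == :", php_loose_equal(a, b))   # True: both are 0e... digests
    print("bytes  :", a == b)                  # False: the digests differ
```

Any authentication check of the shape `if (md5($input) == $stored_hash)` accepts 240610708 whenever the stored hash is itself a magic hash (or the check compares against an attacker-supplied hash). The fix is a strict comparison (`===`) or, better, `hash_equals()`, which is both strict and constant-time.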

Existing work on KACE SMA was not used during the research itself, but was located after the vulnerabilities had been discovered. Two of the vulnerabilities used in one of the chains had previously been reported by Core Security; what amount to patch bypasses for those original issues were rediscovered independently.