Pipe Dreams Turned Nightmare: Remote Code Execution via Quest KACE Desktop Authority
A critical Remote Code Execution (RCE) vulnerability has been disclosed in Quest KACE Desktop Authority, an enterprise platform widely used to centrally administer Windows workstations. The product installs an agent service on every managed endpoint; that service runs as SYSTEM and carries out privileged operations on instructions from the central server. It is in this component that researchers identified a fundamentally insecure Inter-Process Communication (IPC) mechanism.
During an audit of the endpoint management software, a researcher noticed a Windows named pipe called ScriptLogic_Server_NamedPipe_9300. The "ScriptLogic" prefix is a legacy artifact from the original developer, which Quest later acquired. The pipe is served by a process running with full SYSTEM privileges and yet accepts connections from remote, authenticated domain users. That combination is immediately dangerous: a named pipe whose permissions admit remote clients is reachable across the network through the Server Message Block (SMB) protocol, so the attack surface is every domain user, not just local ones.
The server side of Desktop Authority creates the pipe at \\.\pipe\ScriptLogic_Server_NamedPipe_9300, while the agents on workstations use a counterpart pipe at \\.\pipe\ScriptLogic_Client_NamedPipe_9300. This channel carries tasks from the server to the agents. Because its permissions are this permissive, any domain user with valid credentials can connect to it.
The data exchange uses a proprietary IPC protocol layered on Microsoft Foundation Classes (MFC) CArchive serialization: a binary stream of length-prefixed fields with support for COM VARIANT types. By reverse engineering the agent, the researcher reconstructed the message layout, which carries a COM ProgID (the object to instantiate), a target method name, an RpcName operation selector, execution commands, a process ID (PID) for DLL injection, and auxiliary parameters. The RpcName value determines what the service does with the message.
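As an added illustration (not code from the researcher or from Quest), the following Python encodes and decodes the length-prefixed CString framing that MFC's CArchive uses, and shows the bounds check that any receiver of untrusted pipe data needs before acting on a declared length. It reproduces only MFC's documented string-length escape scheme (a one-byte length, escaping to WORD and DWORD lengths, with a 0xFF 0xFFFE tag for UTF-16 strings); the field order and overall message layout of the Desktop Authority protocol are not reproduced, and the sample field values are constructed for the example.

```python
"""MFC CArchive CString framing: encoder and bounds-checked decoder (illustrative)."""
import struct

# Sentinel values used by MFC's AfxWriteStringLength / AfxReadStringLength.
UNICODE_TAG = 0xFFFE   # WORD following a 0xFF byte: "this string is UTF-16"
WORD_ESCAPE = 0xFF     # byte length of 0xFF: "a WORD length follows"
DWORD_ESCAPE = 0xFFFF  # WORD length of 0xFFFF: "a DWORD length follows"


class ArchiveError(ValueError):
    """Raised for truncated input or a length the buffer cannot hold."""


def write_string_length(count: int, unicode: bool) -> bytes:
    """Encode a character count the way MFC's AfxWriteStringLength does."""
    out = bytearray()
    if unicode:
        out += struct.pack("<BH", WORD_ESCAPE, UNICODE_TAG)
    if count < 0xFF:
        out += struct.pack("<B", count)
    elif count < 0xFFFE:                      # 0xFFFE/0xFFFF are reserved as tags
        out += struct.pack("<BH", WORD_ESCAPE, count)
    elif count < 0xFFFFFFFF:
        out += struct.pack("<BHI", WORD_ESCAPE, DWORD_ESCAPE, count)
    else:
        out += struct.pack("<BHIQ", WORD_ESCAPE, DWORD_ESCAPE, 0xFFFFFFFF, count)
    return bytes(out)


def write_cstring(text: str, unicode: bool = True) -> bytes:
    """Serialize one CString: length prefix followed by the characters."""
    if unicode:
        data = text.encode("utf-16-le")
        count = len(data) // 2                # MFC counts UTF-16 code units
    else:
        data = text.encode("latin-1")
        count = len(data)
    return write_string_length(count, unicode) + data


class Reader:
    """Cursor over an untrusted byte buffer; every read is bounds-checked."""

    def __init__(self, buf: bytes):
        self.buf = buf
        self.pos = 0

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def take(self, n: int) -> bytes:
        if n < 0 or n > self.remaining():
            raise ArchiveError(f"need {n} bytes at offset {self.pos}, have {self.remaining()}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt: str):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]


def read_string_length(r: Reader):
    """Decode a length prefix; returns (char_count, bytes_per_char)."""
    char_size = 1
    b = r.unpack("<B")
    if b < WORD_ESCAPE:
        return b, char_size
    w = r.unpack("<H")
    if w == UNICODE_TAG:                      # tag, then the real length follows
        char_size = 2
        b = r.unpack("<B")
        if b < WORD_ESCAPE:
            return b, char_size
        w = r.unpack("<H")
    if w == DWORD_ESCAPE:
        d = r.unpack("<I")
        if d == 0xFFFFFFFF:
            return r.unpack("<Q"), char_size
        return d, char_size
    return w, char_size


def read_cstring(r: Reader, max_chars: int = 1 << 16) -> str:
    """Read one CString, refusing lengths the buffer cannot possibly hold."""
    count, char_size = read_string_length(r)
    # Check the declared length against a policy cap and the bytes actually
    # present BEFORE doing anything proportional to it (allocation, copy).
    if count > max_chars or count * char_size > r.remaining():
        raise ArchiveError(f"declared {count} chars, only {r.remaining()} bytes left")
    data = r.take(count * char_size)
    return data.decode("utf-16-le") if char_size == 2 else data.decode("latin-1")


def encode_strings(fields, unicode: bool = True) -> bytes:
    """Concatenate several CStrings (a constructed layout, not the product's)."""
    return b"".join(write_cstring(f, unicode) for f in fields)


def decode_strings(buf: bytes, max_chars: int = 1 << 16):
    """Decode back-to-back CStrings until the buffer is exhausted."""
    r = Reader(buf)
    out = []
    while r.remaining():
        out.append(read_cstring(r, max_chars))
    return out


def is_rejected(buf: bytes) -> bool:
    """True if the decoder refuses the buffer instead of trusting its length."""
    try:
        decode_strings(buf)
    except ArchiveError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; the third exercises the WORD-length escape.
    sample = ["AdminExec", "ünïcode", "A" * 300]
    assert decode_strings(encode_strings(sample)) == sample
    # Truncated body, and a DWORD length of 0x7FFFFFFF with no body at all.
    for bad in (b"\x05abc", b"\xff\xff\xff\xff\xff\xff\x7f"):
        print("rejected" if is_rejected(bad) else "ACCEPTED", bad.hex())
```

The point of the decoder is the order of operations in read_cstring: a length field arriving over a pipe that any domain user can write to is attacker-controlled, so it is validated against the bytes actually present before anything is allocated or copied.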
The investigation revealed that the protocol exposes several hazardous operations:
- AdminExec: launches an arbitrary process with local administrative privileges. The supplied Command and CommandArgument parameters are passed straight to process creation, so code execution requires nothing more than connecting to the pipe and sending the appropriate message.
- DllInjection: loads a specified DLL into a chosen process. Because the library path may be given in UNC form, a DLL hosted on an attacker-controlled SMB share can be loaded into the address space of any process on the target machine, under the SYSTEM account.
- Credentials: returns the service account's credentials in plaintext. The product uses a transient elevation scheme in which a standard domain user is briefly added to the local Administrators group to obtain an access token and then removed again; this method hands back that account's unencrypted username and password. Because a single service account is commonly shared across many hosts, the disclosure enables credential reuse and lateral movement.
- ImpersonateAdmin and InvokeCOM: ImpersonateAdmin manipulates security tokens so that the service grants the caller an administrative identity. InvokeCOM is a general-purpose gateway for instantiating internal classes and invoking their methods in a highly privileged context, among them CProcess (process control), CRegistry (registry manipulation), and CSecurityEditor (altering security descriptors).
Practical exploitation is straightforward. From any domain-joined machine, an attacker can open the target host's pipe over SMB (Windows exposes it remotely under the \\<host>\pipe\ namespace) and send a crafted message. To verify the issue, the researcher built a utility named SLAgentTool that supports the execution and credential-retrieval commands.
The vulnerability is tracked as CVE-2025-67813. Quest has published a security advisory and a knowledge base article describing how to correct the insecure named pipe permissions, and urges customers to apply the available patches immediately. Where patching is not yet possible, the recommended mitigations are to restrict inbound SMB (TCP port 445) with firewall rules to the management server and other hosts that genuinely need it (a blanket block also severs legitimate file sharing and the product's own server-to-agent channel), to segment management infrastructure from general user networks, and to disable the agent service where it is not needed. After patching, administrators can confirm the fix by inspecting the pipe's DACL on an endpoint, for example with Sysinternals AccessChk (accesschk.exe -v \pipe\ScriptLogic_Server_NamedPipe_9300), and checking that it no longer grants access to ordinary domain users.