Privilege Escalation Vulnerability in Kemp LoadMaster Local Sudo

This Metasploit exploit module targets a vulnerability in the Progress Kemp LoadMaster device. The vulnerability is a local privilege escalation through sudo, which can be exploited to execute arbitrary commands with elevated privileges.

The module takes advantage of a feature in the sudo command on the LoadMaster device, where certain binary files are allowed to automatically elevate when invoked through sudo. This elevation is based on the file name, and some of these files are not protected from being overwritten by the default ‘bal’ user. By overwriting a specific binary file, such as the /bin/loadkeys file, with a malicious executable, an attacker can gain elevated privileges on the system.

The module was created by Dave Yesland with Rhino Security Labs and bwatters-r7. It is designed to overwrite the target binary file with a payload that grants the attacker the necessary privileges to carry out malicious activities on the compromised system. The module carries Metasploit's Excellent ranking, the framework's highest reliability rating.

The exploit module includes a check function that looks for specific indicators on the target system to determine whether it is a Kemp product vulnerable to this exploit. If the indicators are found, the module proceeds with the exploit; otherwise, it returns a safe status.

The module provides two main functions for executing the exploit: execute_dropper and execute_command. The execute_dropper function is used to write a payload to a temporary file, move it to the target binary file, and then execute the target binary with elevated privileges using sudo. On the other hand, the execute_command function is used to execute a specified command with elevated privileges by copying /bin/bash to the target binary file and then running the command through sudo.

During the exploit process, the module ensures that the target binary file is successfully overwritten with the payload and that the original contents are restored after the exploit is completed. This is done to cover any tracks and avoid detection by the target system’s security mechanisms.

In conclusion, the Metasploit exploit module for the Kemp LoadMaster local sudo privilege escalation vulnerability provides attackers with a powerful tool to escalate their privileges on compromised systems. It is essential for users of Kemp LoadMaster devices to apply security patches and updates to prevent such exploits from being successful and to maintain the security of their systems.
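The weakness described above comes down to a sudo-permitted binary that an unprivileged account can modify or replace. The following audit sketch is an added example, not code from the module or from Kemp: it lists sudo-allowed commands for a user and flags any whose file or parent directory that user can write. The sudoers line is constructed for illustration (only the `bal` user and `/bin/loadkeys` come from the article), and the function names are hypothetical.

```python
import os
import stat

# Constructed sample rule; the real LoadMaster sudoers content is not shown in the article.
SAMPLE_SUDOERS = "bal ALL=(root) NOPASSWD: /bin/loadkeys, /sbin/ifconfig\n"

def writable_by(path, uid, gids):
    """POSIX mode-bit check (ACLs ignored): may uid/gids write to path?"""
    st = os.stat(path)
    if st.st_uid == uid:                      # owner class is evaluated first
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def replaceable(path, uid, gids):
    """True if uid could swap the file out through a writable parent directory."""
    parent = os.path.dirname(path)
    if not writable_by(parent, uid, gids):
        return False
    d = os.stat(parent)
    # A sticky directory only lets the directory owner or file owner rename/unlink.
    return not (d.st_mode & stat.S_ISVTX) or uid in (d.st_uid, os.stat(path).st_uid)

def sudo_commands(sudoers_text, user):
    """Absolute command paths granted to user (simple single-line rules only)."""
    paths = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith(user + " "):
            continue
        for item in line.split("=", 1)[-1].split(","):
            cmd = next((t for t in item.split() if t.startswith("/")), None)
            if cmd:
                paths.append(cmd)
    return paths

def audit(sudoers_text, user, uid, gids, root="/"):
    """Return (command, reason) for each sudo-allowed binary the user can tamper with."""
    findings = []
    for cmd in sudo_commands(sudoers_text, user):
        target = os.path.join(root, cmd.lstrip("/"))
        if not os.path.exists(target):
            continue
        if writable_by(target, uid, gids):
            findings.append((cmd, "file writable"))
        elif replaceable(target, uid, gids):
            findings.append((cmd, "parent directory writable"))
    return findings
```

Any finding means the sudo rule effectively grants root to that user; the fix is root ownership with no group or other write bit on both the binary and its directory.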
