tags:command_injectionenterprise_appprogress original link: CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster newsletter link: exploits.club Weekly Newsletter 13
Exploits Club Summary:
Sometimes, you don’t need a complex fuzzing set-up, 6 bug chain, or stealthy deserialization tricks to pop high impact vulns. Maybe you just need to search for some calls to “system”. That’s exactly what Rhino Security Labs proved in their most recent blog post, which details a command injection in Kemp LoadMaster. After reversing the web server binary, the team realized that the Basic Auth header was just thrown into “system()”, allowing them to exploit it for a pre-auth RCE.