Vulners
Lucene search
PRTG Command Injection
| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
 | PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution Exploit | 11 Mar 201900:00 | – | zdt |
| PRTG Network Monitor Remote Code Execution Exploit | 28 Jan 202100:00 | – | zdt |
 | Exploit for OS Command Injection in Paessler Prtg_Network_Monitor | 7 Apr 202621:20 | – | githubexploit |
| Exploit for OS Command Injection in Paessler Prtg_Network_Monitor | 31 Mar 201908:51 | – | githubexploit |
 | CVE-2018-9276 | 2 Jul 201800:00 | – | attackerkb |
 | CVE-2018-9276 | 27 Jan 202121:56 | – | circl |
 | Paessler PRTG Network Monitor OS Command Injection Vulnerability | 4 Feb 202500:00 | – | cisa_kev |
 | CISA Adds Four Known Exploited Vulnerabilities to Catalog | 4 Feb 202512:00 | – | cisa |
 | PRTG Command Injection Vulnerability | 27 Jun 201800:00 | – | cnvd |
 | PRTG Network Monitor Remote Code Execution (CVE-2018-9276) | 6 Feb 202100:00 | – | checkpoint_advisories |
10
`Bugtraq,
I (Josh Berry) discovered an authenticated command injection vulnerability
in the Demo PowerShell notification script provided by versions of PRTG
Network Monitor prior to 18.2.39. The PowerShell notifications demo script
on versions of the application prior to 18.2.39 do not properly sanitize
input in the Parameter field. The web application provides a security
control around running executables/scripts as part of a notification, but
the demo PowerShell script contains a command injection vulnerability. As a
proof of concept, the following value can be passed in the Parameter
field, resulting in the creation of a test account named pentest:
Test.txt;net user pentest p3nT3st! /add
This bypasses the security control in place for the application. I notified
Paessler AG, the developer of the application, and they have since patched
the issue and assigned a CVE of CVE-2018-9276. Additional details are
provided below:
# Vulnerability Title: PRTG < 18.2.39 Command Injection Vulnerability
# Google Dork: N/A, but more details at:
https://www.codewatch.org/blog/?p=453
# Date: Initial report: 2/14/2018, disclosed on 6/25/2018
# Exploit Author: Josh Berry
# Vendor Homepage: https://www.paessler.com
# Software Link: https://www.paessler.com/download/prtg-download?download=1
# Vulnerable Version Tested: 18.1.37.12158
# Patched Version: 18.2.39
# Tested on: Windows 7 and Windows Server 2012 R2
# CVE : CVE-2018-9276
Outside of patching, a workaround would be to just remove the PowerShell
demo script from the notifications directory found in the documentation:
https://www.paessler.com/manuals/prtg/notifications_settings#program.
Note that exploiting this issue requires authenticated access. The tool
installs with the default credentials of prtgadmin / prtgadmin
(https://kb.paessler.com/en/topic/433-what-s-the-login-name-and-password-for
-the-prtg-web-interface-and-enterprise-console-how-to-change), and it is
common for organizations to leave defaults in place or take time in changing
them based on my penetration testing experience.
Thanks,
Josh Berry, OSCP & GCIA Gold
Project Lead - CodeWatch
Cell 469.831.8543 | [email protected] | www.codewatch.org
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Jun 2018 00:00Current
7High risk
Vulners AI Score7
EPSS0.87952