PRTG Command Injection

2018-06-27T00:00:00
ID PACKETSTORM:148334
Type packetstorm
Reporter Josh Berry
Modified 2018-06-27T00:00:00

Description

                                        
                                            `Bugtraq,  
  
I (Josh Berry) discovered an authenticated command injection vulnerability  
in the Demo PowerShell notification script provided by versions of PRTG  
Network Monitor prior to 18.2.39. The PowerShell notifications demo script  
on versions of the application prior to 18.2.39 does not properly sanitize  
input in the Parameter field. The web application provides a security  
control around running executables/scripts as part of a notification, but  
the demo PowerShell script contains a command injection vulnerability. As a  
proof of concept, the following value can be passed in the Parameter  
field, resulting in the creation of a test account named pentest:  
  
Test.txt;net user pentest p3nT3st! /add  
  
This bypasses the security control in place for the application. I notified  
Paessler AG, the developer of the application, and they have since patched  
the issue and assigned a CVE of CVE-2018-9276. Additional details are  
provided below:  
  
# Vulnerability Title: PRTG < 18.2.39 Command Injection Vulnerability  
# Google Dork: N/A, but more details at:  
https://www.codewatch.org/blog/?p=453   
# Date: Initial report: 2/14/2018, disclosed on 6/25/2018  
# Exploit Author: Josh Berry  
# Vendor Homepage: https://www.paessler.com   
# Software Link: https://www.paessler.com/download/prtg-download?download=1   
# Vulnerable Version Tested: 18.1.37.12158  
# Patched Version: 18.2.39  
# Tested on: Windows 7 and Windows Server 2012 R2  
# CVE : CVE-2018-9276  
  
Outside of patching, a workaround would be to just remove the PowerShell  
demo script from the notifications directory found in the documentation:  
https://www.paessler.com/manuals/prtg/notifications_settings#program.   
  
Note that exploiting this issue requires authenticated access. The tool  
installs with the default credentials of prtgadmin / prtgadmin  
(https://kb.paessler.com/en/topic/433-what-s-the-login-name-and-password-for-the-prtg-web-interface-and-enterprise-console-how-to-change),  
and it is  
common for organizations to leave defaults in place or take time in changing  
them based on my penetration testing experience.   
  
Thanks,  
  
Josh Berry, OSCP & GCIA Gold  
Project Lead - CodeWatch  
  
Cell 469.831.8543 | josh.berry@codewatch.org | www.codewatch.org  
  
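As an added illustration of the vulnerability class described above (not the actual PRTG demo script, whose contents the advisory does not reproduce, and not code by the advisory's author), the following hypothetical PowerShell shows why a `;` in a notification Parameter field becomes a second statement when the parameter is spliced into text that is later evaluated, and how the same file-writing task looks when the parameter is kept as data. Function names, the `.txt`-only rule and the temp-directory default are assumptions for the example.

```powershell
# Hypothetical vulnerable pattern (NOT the real PRTG script): the notification
# Parameter is concatenated into a PowerShell statement and then evaluated.
# In PowerShell ';' terminates a statement, so "Test.txt;<statement>" runs
# <statement> as well. Writes Test.txt into the current directory.
function Write-NotificationUnsafe {
    param([string]$Parameter, [string]$Message)
    $cmd = "'$Message' | Out-File -FilePath $Parameter"
    Invoke-Expression $cmd          # the parameter is treated as code, not data
}

# Hardened form: the parameter never reaches an evaluator. It is validated as
# a bare .txt file name (no separators, quotes, dots-only names or path parts),
# joined to a fixed directory and passed as an argument to the cmdlet.
function Write-NotificationSafe {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9_-]+\.txt$')]
        [string]$Parameter,
        [string]$Message,
        # Assumed output directory; the real product's path is not on the page.
        [string]$BaseDir = [System.IO.Path]::GetTempPath()
    )
    $path = Join-Path -Path $BaseDir -ChildPath $Parameter
    Set-Content -LiteralPath $path -Value $Message
}

# Demonstration using the advisory's injection shape but with a harmless
# second statement (Write-Output) in place of the account-creation command.
$payload = 'Test.txt;Write-Output INJECTED'

Write-NotificationUnsafe -Parameter $payload -Message 'hello'
# Output: INJECTED  (the second statement executed)

try {
    Write-NotificationSafe -Parameter $payload -Message 'hello'
} catch {
    # Parameter binding fails before the body runs; nothing is written.
    "Rejected: $($_.Exception.Message)"
}

# Legitimate value still works with the hardened function:
Write-NotificationSafe -Parameter 'Test.txt' -Message 'hello'
Get-Content -LiteralPath (Join-Path ([System.IO.Path]::GetTempPath()) 'Test.txt')
# Output: hello
```

Run it under `pwsh` or `powershell.exe` from a scratch directory, since the unsafe function writes `Test.txt` to the current location.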