Centreon 2.6.1 Command Injection Vulnerability

2015-09-26T00:00:00
ID ZSL-2015-5265
Type zeroscience
Reporter Gjoko Krstic
Modified 2015-09-26T00:00:00

Description

Title: Centreon 2.6.1 Command Injection Vulnerability
Advisory ID: ZSL-2015-5265
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.09.2015

Summary

Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management.

Description

The POST parameter 'persistant', which is used to make a new service run in the background, is not properly sanitised before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands, and the same request can also be triggered through cross-site request forgery attacks.
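
The two defences this description calls for, shown as an added example that is not part of the advisory and is not Centreon's code: strict validation of a flag-type POST field before it reaches a shell command, and a CSRF token check on the same request. The function names, the `csrf_token` field and the command path are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not Centreon source. Function names, the token field
// and the command path are hypothetical. Requires PHP 7+.

// Vulnerable pattern: the raw POST value is concatenated into a shell command.
function build_command_unsafe(array $post): string
{
    return '/usr/local/bin/run-service --persistent=' . $post['persistant'];
}

// Hardened pattern: the field is a flag, so accept only "0" or "1" and
// never let request text reach the shell.
function parse_persistent_flag(array $post): bool
{
    $raw = $post['persistant'] ?? '0';
    if (!is_string($raw) || !in_array($raw, ['0', '1'], true)) {
        throw new InvalidArgumentException('persistant must be "0" or "1"');
    }
    return $raw === '1';
}

// CSRF check: constant-time comparison against the per-session token.
function csrf_ok(array $post, array $session): bool
{
    $sent = $post['csrf_token'] ?? '';
    $want = $session['csrf_token'] ?? '';
    return is_string($sent) && is_string($want) && $want !== '' && hash_equals($want, $sent);
}

function build_command_safe(array $post, array $session): string
{
    if (!csrf_ok($post, $session)) {
        throw new RuntimeException('CSRF token mismatch');
    }
    $flag = parse_persistent_flag($post) ? '1' : '0';
    // The argument is a server-chosen literal; escapeshellarg is defence in depth.
    return '/usr/local/bin/run-service ' . escapeshellarg('--persistent=' . $flag);
}

// Constructed sample input.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$good = ['persistant' => '1', 'csrf_token' => $session['csrf_token']];
$bad  = ['persistant' => '1; id', 'csrf_token' => $session['csrf_token']];
echo build_command_safe($good, $session), PHP_EOL;
try {
    build_command_safe($bad, $session);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```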

Vendor

Centreon - <https://www.centreon.com>

Affected Version

2.6.1 (CES 3.2)

Tested On

CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3

Vendor Status

[10.08.2015] Vulnerability discovered.
[12.08.2015] Vendor contacted.
[13.08.2015] Vendor replies asking for more details.
[13.08.2015] Sent details to the vendor.
[14.08.2015] Vendor sends details to the development team.
[19.08.2015] Asked vendor for status update.
[19.08.2015] Vendor states that some issues were fixed in 2.6.2 and the rest will be fixed in 2.6.3 or 2.7.
[25.08.2015] Asked vendor for status update.
[25.08.2015] Vendor will get back to us by 15th of September because of holidays.
[16.09.2015] No reply from the vendor.
[17.09.2015] Informed vendor about public release.
[17.09.2015] Vendor has released version 2.6.2 fixing the file upload issue. Remaining issues promised to be fixed in next release.
[24.09.2015] Vendor releases version 2.6.3 to fix remaining issues?
[26.09.2015] Public security advisory released.

PoC

centreon_cmdinj.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.2.html>
[2] <https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.6.3.html>
[3] <https://www.exploit-db.com/exploits/38339/>
[4] <https://packetstormsecurity.com/files/133754>
[5] <https://cxsecurity.com/issue/WLB-2015090167>
[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/106901>
[7] <https://secunia.com/advisories/66651/>

Changelog

[26.09.2015] - Initial release
[07.10.2015] - Added references [3], [4], [5] and [6]
[10.11.2015] - Added reference [7]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        