what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Xymon 4.3.x Buffer Overflow / Code Execution / Information Disclosure

Xymon 4.3.x Buffer Overflow / Code Execution / Information Disclosure
Posted Feb 15, 2016
Authored by Xymon Software

Xymon 4.3.x versions suffers from buffer overflow, information disclosure, code execution, cross site scripting, and various other vulnerabilities.

tags | exploit, overflow, vulnerability, code execution, xss, info disclosure
advisories | CVE-2016-2054, CVE-2016-2055, CVE-2016-2056, CVE-2016-2057, CVE-2016-2058
SHA-256 | e26ecbaeb5a8840288e97c4167e8412a009bb41ab790f296521530e68cf80840

Xymon 4.3.x Buffer Overflow / Code Execution / Information Disclosure

Change Mirror Download
Hi,

Multiple security issues have been found in the server component of the
Xymon monitoring system. These issues affect all versions of Xymon 4.3.x
prior to 4.3.25, as well as the obsolete 4.1.x and 4.2.x versions.

All issues have been resolved in Xymon 4.3.25, released on Feb 8 2016.
It is available at
http://sourceforge.net/projects/xymon/files/Xymon/4.3.25/xymon-4.3.25.tar.gz/download


Details
-------

CVE-2016-2054: Buffer overflow in xymond handling of "config" command.

The xymond daemon performs an unchecked copying of a user-supplied
filename to a fixed-size buffer when handling a "config" command. This
may be used to trigger a buffer overflow in xymond, possibly resulting
in remote code execution and/or denial of service of the Xymon
monitoring system. In the case of remote code execution, it will run
with the privileges of the xymon userid.

This bug may be triggered by anyone with network access to the xymond
service on port 1984, unless access has been restricted with the
"--status-senders" option (a non-default configuration).


CVE-2016-2055: Access to possibly confidential files in the Xymon
configuration directory

The xymond daemon will allow anyone with network access to the xymond
network port (1984) to download configuration files in the Xymon "etc"
directory. In a default installation, the Apache htaccess file
"xymonpasswd" controlling access to the administrator webpages is
installed in this directory and is therefore available for download. The
passwords in the file are hashed, but may then be brute-forced off-line.

This bug may be triggered by anyone with network access to the xymond
service on port 1984, unless access has been restricted with the
"--status-senders" option (a non-default configuration).

Administrators should verify this file is not readable by the xymon user
and modify ownership and permissions as needed. Additionally, the
following restrictions have been added to files requested via "config"
messages sent to xymond:
* They must be regular files as returned by stat (no symlinks)
* They must end in ".cfg"

The restriction on file names ending in ".cfg" can be overridden by
setting ALLOWALLCONFIGFILES="TRUE" in xymonserver.cfg and restarting
xymond. Note that config files are processed through normal xymon file
reading, so features such as "include" and "directory" still work when
retrieving files over the network. These included files are not subject
to the same restrictions.


CVE-2016-2056: Shell command injection in the "useradm" and "chpasswd"
web applications

The useradm and chpasswd web applications may be used to administer
passwords for user authentication in Xymon, acting as a web frontend to
the Apache "htpasswd" application. The htpasswd command is invoked via a
shell command, and it is therefore possible to inject arbitrary commands
and have them executed with the privileges of the webserver (CGI) user.

This bug can only be triggered by web users with access to the Xymon
webpages, who are already authenticated as Xymon users. However, when
combined with CVE-2016-2055 which allows for off-line cracking of
password hashes, this bug may be exploitable by others.


CVE-2016-2057: Incorrect permissions on IPC queues used by the xymond
daemon can bypass IP access filtering

An IPC message queue used by the xymon daemon is created with
world-write permissions, allowing a local user on the Xymon master
server to inject all types of messages into Xymon, bypassing any
IP-based access controls.

Exploitation of this bug requires local access to the Xymon master server.


CVE-2016-2058: Javascript injection in "detailed status webpage" of
monitoring items

A status-message sent from a Xymon client may contain any data,
including HTML, which will be included on the "detailed status" page
available via the Xymon status webinterface. A malicious user may send a
status message containing custom Javascript code, which will then be
rendered in the browser of the user viewing the status page.

Exploitation of this bug requires that you can control the contents of a
status message sent to Xymon, which is possible if you control one of
the servers monitored by Xymon, or the Xymon master server. Also, the
bug requires a user to actually view the "detailed status" webpage.

This bug has been patched in Xymon 4.3.25 by including a
"Content-Security-Policy" HTTP header in the response sent to the
browser. This means that older browsers may still be vulnerable to this
issue.


CVE-2016-2058: XSS vulnerability via malformed acknowledgment messages

(Note that this uses the same CVE id as the Javascript injection issue)

The message sent by a user to indicate acknowledgment of an alert is not
HTML-escaped before being displayed on the status webpage, which may be
used to trigger a cross-site scripting vulnerability.

Exploitation of this bug requires that the attacker is able to
acknowledge an alert status. This requires user-authenticated access to
the Xymon webpages, or that the user receives a message (usually via
e-mail) containing the authentication token for the acknowledgment.


Credit
------
We would like to thank Markus Krell for reporting these issues, and for
working with us to resolve them.


On behalf of the Xymon team,

Henrik Størner
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close