exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PRTG Command Injection

PRTG Command Injection
Posted Jun 27, 2018
Authored by Josh Berry

PRTG versions prior to 18.2.39 suffer from a command execution vulnerability.

tags | exploit
advisories | CVE-2018-9276
SHA-256 | be172df4e5e049f038651f97c69949e433053a898b84ab8c3c1091021c78c536

PRTG Command Injection

Change Mirror Download
Bugtraq,

I (Josh Berry) discovered an authenticated command injection vulnerability
in the Demo PowerShell notification script provided by versions of PRTG
Network Monitor prior to 18.2.39. The PowerShell notifications demo script
on versions of the application prior to 18.2.39 do not properly sanitize
input in the Parameter field. The web application provides a security
control around running executables/scripts as part of a notification, but
the demo PowerShell script contains a command injection vulnerability. As a
proof of concept, the following value can be passed in the Parameter
field, resulting in the creation of a test account named pentest:

Test.txt;net user pentest p3nT3st! /add

This bypasses the security control in place for the application. I notified
Paessler AG, the developer of the application, and they have since patched
the issue and assigned a CVE of CVE-2018-9276. Additional details are
provided below:

# Vulnerability Title: PRTG < 18.2.39 Command Injection Vulnerability
# Google Dork: N/A, but more details at:
https://www.codewatch.org/blog/?p=453
# Date: Initial report: 2/14/2018, disclosed on 6/25/2018
# Exploit Author: Josh Berry
# Vendor Homepage: https://www.paessler.com
# Software Link: https://www.paessler.com/download/prtg-download?download=1
# Vulnerable Version Tested: 18.1.37.12158
# Patched Version: 18.2.39
# Tested on: Windows 7 and Windows Server 2012 R2
# CVE : CVE-2018-9276

Outside of patching, a workaround would be to just remove the PowerShell
demo script from the notifications directory found in the documentation:
https://www.paessler.com/manuals/prtg/notifications_settings#program.

Note that exploiting this issue requires authenticated access. The tool
installs with the default credentials of prtgadmin / prtgadmin
(https://kb.paessler.com/en/topic/433-what-s-the-login-name-and-password-for
-the-prtg-web-interface-and-enterprise-console-how-to-change), and it is
common for organizations to leave defaults in place or take time in changing
them based on my penetration testing experience.

Thanks,

Josh Berry, OSCP & GCIA Gold
Project Lead - CodeWatch

Cell 469.831.8543 | josh.berry@codewatch.org | www.codewatch.org

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close