exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Checkmk Agent 2.0.0 / 2.1.0 / 2.2.0 Local Privilege Escalation

Checkmk Agent 2.0.0 / 2.1.0 / 2.2.0 Local Privilege Escalation
Posted Mar 14, 2024
Authored by Michael Baer | Site sec-consult.com

Checkmk Agent versions 2.0.0, 2.1.0, and 2.2.0 suffer from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2024-06070
SHA-256 | 7507da836273d2bbc7b9ad937d83b3421ee4908160760a5f62fe62fa67b910e0

Checkmk Agent 2.0.0 / 2.1.0 / 2.2.0 Local Privilege Escalation

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20240307-0 >
=======================================================================
title: Local Privilege Escalation via writable files
product: Checkmk Agent
vulnerable version: 2.0.0, 2.1.0, 2.2.0
fixed version: 2.1.0p40, 2.2.0p23, 2.3.0b1, 2.4.0b1
CVE number: CVE-2024-0670
impact: high
homepage: https://checkmk.com
found: 2023-12-01
by: Michael Baer (Office F├╝rth)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Eviden business
Europe | Asia

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Checkmk 2.2 has arrived – and is ready to monitor your hybrid IT
infrastructure with new features for monitoring native cloud applications,
OpenShift support, an expanded REST API, UX improvements, enhanced
integrations and over 174 new or reworked checks and agents. Monitor your
cloud assets from top hyperscalers with Checkmk 2.2 in addition to the
powerful monitoring of your on-premises networks and servers."

Source: https://checkmk.com/product/latest-version


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Local Privilege Escalation via writable files (CVE-2024-0670)
In some cases, the software creates temporary files inside the directory
C:\Windows\Temp that get executed afterwards. An attacker can leverage this
to place write-protected malicious files in the directory beforehand. The files
get executed by Checkmk with SYSTEM privileges allowing attackers to escalate
their privileges.


Proof of concept:
-----------------
1) Local Privilege Escalation via writable files (CVE-2024-0670)
In the first step, the filename that will be used by Checkmk needs to be found.
The application creates temporary files with name cmk_{}_{}_{}.cmd. The
placeholders are replaced with a string, the process id and a counter. The first
string was always 'all' and the counter usually is 0. The process id is not
exactly predictable. However, Windows assigns those numbers in increasing order.
This allows to observe the currently used process ids and define a limited
range of probable ids.

In the second step, the attacker places the malicious binary into the folder
C:\Windows\Temp multiple times. The filenames are constructed using the above
pattern for all different probable ids. After placing the files, the attacker
marks them as read-only. Both can be automated using the following powershell
command. Here, the range of probable ids was determined to be between 10000
and 30000. The file C:\Users\attacker\Desktop\mal.exe is the malicious file.

10000..30000 | foreach {
copy C:\Users\attacker\Desktop\mal.exe C:\Windows\Temp\cmk_all_${_}_1.cmd;
Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;
}

For this proof of concept, a binary was created using msfvenom that executes
the command whoami and writes the result to a file. This will allow to verify
the successful execution as the SYSTEM user. The following command was used:

msfvenom -p windows/exec CMD='cmd /c "whoami > C:\abc\file"' -f exe -o mal.exe

It should be noted, that the folder C:\abc has to exist and that the anti-virus
solution must be disabled to execute this particular binary.

The final step is to force Checkmk to write and execute those temporary files.

It was observed that repairing the software is enough. This repair process can
be initiated via the Windows GUI or using the following command. The name
fafda3e.msi will be different on every system. The folder C:\Windows\Installer
can be investigated to find the correct name on a given system.

msiexec /fa C:\Windows\Installer\fafda3e.msi

After the repairing finished, the file written by the malicious binary can be
checked. It was created and contains the string "nt authority\system".
[see figure checkmk_tempfolder.png]


Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* 2.1.0

According to the vendor, the following versions are affected:
* 2.0.0
* 2.1.0
* 2.2.0


Vendor contact timeline:
------------------------
2024-01-15: Contacting vendor through security@checkmk.com
2024-01-18: Vendor confirms vulnerability, assigns CVE, and
prepares a fix
2024-01-26: Providing credits and acknowledging CVSS score.
2024-03-04: Vendor informs us that fixes with Werk #16361
are available.
2024-03-07: Coordinated release of security advisory.


Solution:
---------
Install the latest version 2.1.0p40 or 2.2.0p23 from the vendor's
download page:

https://checkmk.com/download

More information can be found within the vendor's security advisory:
https://checkmk.com/werk/16361


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Michael Baer / @2024
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close