Security Issue On PRTG Network Manager.

Version 17.3.33.2830

Researching the platform, me, Edward Amaral, security researcher from Stone Payments found some security issues on the network manager from Paessler.

Those Vulnerabilities were:

  • Reflected Cross Site Script (Reflected XSS)
  • Storage Cross-Site Script (Storaged XSS)

The Cross-Site Scripting is the third most critical web application vulnerability according to OWASP which is the Open Web Application Security Project, an online community that produces a ton of free infosec quality content.

Lets talk first about the Reflected XSS, that one was found on the path error.htm, that path is a error page, and it passes a parameter named <errormsg>, vulnerable to URL encoded scripts, via GET parameter.

The payload used to exploit this vulnerability, consisted in a URL encoded iframe tag, with a base64 encoded body tag, that makes the user sessionIDs pop up on an alert screen when the page loads.

Payload used was: <iframe%2fsrc%3d”data%3atext%2fhtml%3b%26Tab%3bbase64%26Tab%3b%2cPGJvZHkgb25sb2FkPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSk%2bCgoK”>%0A%0A%0A%0A

Illustration 1: Evidence of the Reflected XSS

This is just a Proof of concept of the XSS found on the application, on a real attack, there would be a remote server listening to the network traffic of the user/admin, and when that session ID pops on the screen, the attacker could see it in clear text.

The reflected Cross-Site Script needs a little bit of effort for the attacker to get their information, as the URL with the payload needs to be acessed by the user of the application, which requires some sort of social engineering to get that interaction.

Now, the second security issue was the Storaged Cross Site Script, found on ALL the sensors titles, that one got a little trickier.

The payload used a HTML encoded IMG tag, that gives a null byte as source for the image, it forces an error that has been declared on the script to pop up those tasty users sessionIDs.

Altough the parameter <tittle> was used to store the payload it was not vulnerable to the payload itself, but when we put the mouse over the sensor, it interpretates the payload in the tooltip box that pop below the sensor, containing the sensor information.

Payload used: &#x3C;img/src=&#x60;%00&#x60; onerror=this.onerror=alert(document.cookie)

Illustration 2: Evidence of the Storaged XSS

In order to setup this XSS it is needed to be logged into the application and have write permission, in other words we need to be authenticated into their application and have some priviledges to farm some sessionIDs. That kinda makes the vulnerability hard to exploit in a real attack, which can make its severity drop by a lot.

Research Update*

In the following days we, me and my coworker, Ricardo Fajin, found Another Stored XSS in the Paesller solution.

This time, we explored the groups part, and found a similar issue that we got on the sensors, when we store a payload with only a HTML encode, on the name of the group, that one does not pop directly, when we put the mouse over the name of the group it opens a div with the ID: <ptip>, and this one interpretate the payload.

The payload used was : &#x3c;&#x69;&#x66;&#x72;&#x61;&#x6d;&#x65;&#x20;&#x25;&#x30;&#x30;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x22;&#x26;&#x54;&#x61;&#x62;&#x3b;&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x70;&#x72;&#x6f;&#x6d;&#x70;&#x74;&#x28;&#x64;&#x6f;&#x63;&#x75;&#x6d;&#x65;&#x6e;&#x74;&#x2e;&#x63;&#x6f;&#x6f;&#x6b;&#x69;&#x65;&#x29;&#x26;&#x54;&#x61;&#x62;&#x3b;&#x22;&#x25;&#x30;&#x30;&#x3e;

Illustration 3: Evidence of the stored XSS

Research Update 2*

Again, by testing the platform, me and my coworker Ricardo Fajin, found another issue on the PRTG Network Monitor. We’ve got into the file upload function test.

So, let’s get started, we were trying to get a file upload to the server for several hours, with a lot of techniques for bypassing the upload restrictions, although without success, all we’ve got was the error message saying that the file could not be uploaded because it was not an image.

We’ve decided that we should try another approach, then we’ve got into the server’s machine and saw how it behaved while uploading files, we saw that all those uploads got into the server, even though it gives us the error message.

All the extensions were “accepted”, so we tried to upload a shell code in .exe, and while the attack is only possible if the server admin executes the file, it gives us a shell on the server.

Research Update 3*

Paesller Solution, PRTG Network monitor, got us a very good time of research, we’ve found another security issue on the next days of research.

The security issue was a Access control flaw, which resulted in the creation of a map as a read only user.

This flaw is interesting because of the other discovery that we found, the file upload flaw, that coincidentally was in the creation of the map too.

To explore this issue, we need to forge a Map creation requisition, as a read only user, giving whatever data we want. Although the server gives an error, the map is created.

List of CVEs Related to this article.

CVE-2017–15009. — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15009

CVE-2017–15008. — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15008

CVE-2017–15360. — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15360

CVE-2017–15651. — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15651

CVE-2017–15917. — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15917

Authors:

Edward Amaral

Ricardo Fajin