Stack Overflow (Jewish Napalm) on PRTG Network Monitoring

Lucas Carmo
Published in stolabs, Apr 20, 2018

We regularly pick well-known applications to take a closer look at here in the lab. This time PRTG Network Monitoring (version 18.1.38.11937) was the chosen one.

PRTG Network Monitoring is software that monitors all systems, devices, traffic and applications of an IT infrastructure. It’s used by enterprises such as Cisco, Dell, HP, IBM, Amazon, Microsoft, etc.

It is worth mentioning that exploiting this vulnerability does not require authentication, so it can completely wreck the availability of the system.
During a battery of tests regarding the “?file=” command, I started testing payloads on several system fields and received the following error: [Error C3: Include File Not Found “<PAYLOAD>”]

With this, I enumerated the application files with a directory brute force, then used one of the listed files as the payload, as in the URL “http://<IP ADDRESS>/index.htm?file=/css/manuals.css”, and got the following result:

I was aware that it is possible to import an existing file into the “/” of the platform. So I decided to test a file with the “.htm” extension to see if it would be incorporated into the <body> of the application like the “.css” before, passing the following payload: “http://<IP-ADDRESS>/index.htm?file=addmap.htm”. Afterwards, I realized that the server had been shut down.

Server Side Vision:

I would like to take this opportunity to thank Paessler for recognizing the research and for publishing a note (https://www.paessler.com/prtg/history/preview) on the “MARCH 29TH 2018 — VERSION 18.1.39.1648” fix for the vulnerability found.
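
A defender-side check for the issue described above, as an added example that is not from the original post or from Paessler: it compares an installed version against the fixed release named in the note and flags requests to /index.htm that carry a file= parameter in web access logs. The Common Log Format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

FIXED_VERSION = (18, 1, 39, 1648)  # fix release named in the post

# Assumed layout: Common Log Format. Adapt the regex to the real log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_patched(version: str) -> bool:
    """True if a dotted version string is at or above the fixed release."""
    return tuple(int(part) for part in version.split(".")) >= FIXED_VERSION

def find_file_param_requests(lines):
    """Return (ip, timestamp, file value, status) for every request to
    /index.htm that carries a file= query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if url.path.lower() != "/index.htm":
            continue
        # parse_qsl percent-decodes values; keys are compared case-insensitively
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "file":
                hits.append((m["ip"], m["ts"], value, int(m["status"])))
    return hits

def htm_includes(hits):
    """Subset of hits whose file value names an .htm/.html page, the case
    the post reports as shutting the server down."""
    return [h for h in hits if h[2].lower().endswith((".htm", ".html"))]

# Constructed sample lines (documentation IP ranges), not real PRTG logs.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2018:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Apr/2018:10:03:15 +0000] "GET /index.htm?file=/css/manuals.css HTTP/1.1" 200 8841',
    '198.51.100.7 - - [20/Apr/2018:10:03:40 +0000] "GET /index.htm?file=addmap.htm HTTP/1.1" 200 0',
    '192.0.2.10 - - [20/Apr/2018:10:05:00 +0000] "GET /css/manuals.css HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print("installed 18.1.38.11937 patched:", is_patched("18.1.38.11937"))
    for hit in htm_includes(find_file_param_requests(SAMPLE_LOG)):
        print("review:", hit)
```

Any hit on an instance running a version below 18.1.39.1648 is worth correlating with service restarts or monitoring gaps at the same timestamp.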

CVE and Exploit Related to this article:
