Thruk Monitoring Web Interface versions <= v3.06 are vulnerable to CVE-2023-34096 (Path Traversal).
The current exploit is made in Python 3 and exploits the vulnerability to upload a PoC file to multiple Thruk's common folders and also some Linux folders.
The CNA GitHub, Inc. assigned a CVSS 3.1 Score of 6.5 (Medium) to this finding. (Check NIST NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Assigned CVE: CVE-2023-34096
- CVE Author: Galoget Latorre (@galoget)
- Severity: 6.5 Medium
- Type: Path Traversal
- Product: Thruk Monitoring Web Interface
- Affected Versions: All versions <= 3.06
- Patched Version: 3.06-2
- 2023-05-25: This vulnerability was identified by Galoget Latorre.
- 2023-06-02: Initial contact with maintainer via GitHub Security Advisory including vulnerability details and Proof of Concept (PoC).
- 2023-06-05: CVE-2023-34096 is assigned.
- 2023-06-06: Maintainer releases a patch with version 3.06-2, see Thruk's Changelog.
- 2023-06-08: GitHub Security Advisory is released by maintainer.
- 2023-06-08: Security advisory (author's blog post) is released by Galoget Latorre.
- 2023-06-08: Exploit PoC (this repository) is released by Galoget Latorre.
- 2023-06-09: Exploit PoC is shared by Exploit Database (Exploit-DB).
- 2023-06-09: Exploit PoC is shared by Packet Storm Security.
This security vulnerability was identified and reported to the maintainer (Thruk's Developers) by Galoget Latorre, Security Consultant at Hackem Cybersecurity Research Group and Dreamlab Technologies.
- CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html
- GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
- Exploit Database (Exploit-DB): https://www.exploit-db.com/exploits/51509
- Packet Storm Security: https://packetstormsecurity.com/files/172822/Thruk-Monitoring-Web-Interface-3.06-Path-Traversal.html
- NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096
- MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096
- Other Exploits (PoCs) authored by Galoget:
- Exploit Database (Exploit-DB): https://www.exploit-db.com/?author=11838
- Packet Storm Security: https://packetstormsecurity.com/files/author/16617/
Note: In the previous image, you can see that the exploit is showing an error message for the last 3 attempts, this is because in the test environment some folders were non-existent or the Apache user did not have write permissions on those paths. The exploit works correctly and the output was intended to test all possible cases.