Icinga Web 2 Arbitrary File Read (CVE-2022-24716) #17915
Conversation
documentation/modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.md
Testing
Given that GHSA-5p3f-rh28-8frw mentions rotating the database credentials, I'd also reckon it might be an idea to update this module to allow grabbing the creds from the target and saving those into the Metasploit database for later cracking. Otherwise the module looks good; below are some thoughts for future improvement: according to https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/ you should be able to combine this with CVE-2022-24715 to get RCE on the target. I'd be happy to update this later and land this module as is, or explore this further if you don't have the time, but something to consider 👍
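The "grab the creds from the target" idea above amounts to parsing the leaked Icinga Web 2 configuration for database resources. The following is an added example (not code from this PR or from Metasploit) showing that parsing step in Ruby: a small INI parser plus a filter that keeps only `type = "db"` resources and shapes them as service/host/port/user/password records. It assumes the `[section]` / `key = "value"` layout of Icinga Web 2's `resources.ini`; the sample file embedded below is constructed for the example and does not come from any real host.

```ruby
# Added example, not part of the PR or of Metasploit.
# Assumption: the leaked file uses Icinga Web 2's resources.ini INI layout,
# where database resources carry type = "db" plus username/password keys.

# Constructed sample resembling an Icinga Web 2 resources.ini (not from a real host).
SAMPLE_RESOURCES_INI = <<~INI
  [icingaweb_db]
  type = "db"
  db = "mysql"
  host = "localhost"
  port = "3306"
  dbname = "icingaweb2"
  username = "icingaweb2"
  password = "s3cret-db-pass"

  [icinga_ido]
  type = "db"
  db = "mysql"
  host = "db.internal"
  port = "3306"
  dbname = "icinga"
  username = "icinga"
  password = "ido-pass"

  [ldap_dir]
  type = "ldap"
  hostname = "ldap.internal"
  bind_dn = "cn=icinga,dc=example,dc=com"
  bind_pw = "ldap-secret"
INI

# Minimal INI parser: returns { section => { key => value } }.
# Strips surrounding double quotes from values; ignores blank and comment lines.
def parse_ini(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';', '#')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      sections[current] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      value = m[2].strip
      if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
        value = value[1..-2]
      end
      sections[current][m[1].strip] = value
    end
  end
  sections
end

# Keep only database resources that actually carry a username and password,
# shaped like the fields a credential store (e.g. Metasploit's) expects.
def extract_db_creds(sections)
  sections.filter_map do |name, kv|
    next unless kv['type'] == 'db' && kv['username'] && kv['password']
    {
      resource: name,
      service: kv['db'],
      host: kv['host'],
      port: kv['port'].to_i,
      dbname: kv['dbname'],
      username: kv['username'],
      password: kv['password']
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  extract_db_creds(parse_ini(SAMPLE_RESOURCES_INI)).each do |c|
    puts "#{c[:service]}://#{c[:username]}:#{c[:password]}@#{c[:host]}:#{c[:port]}/#{c[:dbname]} (#{c[:resource]})"
  end
end
```

The LDAP section is parsed but deliberately not reported, since the comment is about database credentials; the same parser output could be filtered for `bind_dn`/`bind_pw` if LDAP bind credentials were also wanted.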
Hmm, odd that the default config you have doesn't work. A GET request to
The database file should be stored at
Copy of the run to showcase what I mean:
@msjenkins-r7 Test this please!
Correct. The default is the config file location mentioned in the docs. This should be the default as it's the most common case. Unfortunately, Docker puts it in a different location, so
Let me do a quick update to the docs to account for this, then it should be good to land 👍
Release Notes
A new module has been added for CVE-2022-24716, an unauthenticated arbitrary file read in Icinga Web 2 versions 2.9.0 to 2.9.5 inclusive and 2.8.0 to 2.8.5 inclusive, that can be used to leak sensitive configuration information from a target server.
This PR adds a module to exploit CVE-2022-24716, an unauthenticated absolute path remote file read in Icinga Web 2.
Verification
msfconsole
use auxiliary/scanner/http/icinga_static_library_file_directory_traversal
set rhosts [ip]
set file [file]
run