Summary
The file panorama.pm is vulnerable to a Path Traversal vulnerability which allows a remote authenticated attacker to upload arbitrary files to any folder that is writable on the affected system. This vulnerability affects all versions of Thruk, including the most recently published one (<=3.06).
Details
The parameter location is not filtered, validated or sanitized and it accepts any kind of characters. For a path traversal attack, the only characters required were the dot (.) and the slash (/).
In this step, the location parameter is read from the parameters sent by the client in the web request, with no sanitization at all (Thruk/plugins/plugins-available/panorama/lib/Thruk/Controller/panorama.pm, line 690 in 1bc5a58):

```perl
my $location = $c->req->parameters->{'location'};
```

Then the folder variable is built by plain string concatenation, again without any sanitization (panorama.pm, line 705 in 1bc5a58):

```perl
my $folder = $c->stash->{'usercontent_folder'}.'/'.$location;
```

Next, the folder variable is concatenated with the filename variable and the result is stored in the newlocation variable, still with no sanitization (panorama.pm, line 727 in 1bc5a58):

```perl
my $newlocation = $folder.'/'.$filename;
```

Finally, the uploaded file is moved to the resulting location (panorama.pm, line 735 in 1bc5a58):

```perl
move($upload->{'tempname'}, $newlocation);
```
Through this flow it is easy to see that, due to the lack of sanitization, the location parameter can be manipulated to exploit a Path Traversal vulnerability and upload a file to any folder the attacker chooses.
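As an added example (not the project's code and not the maintainer's patch), the following Perl shows how the same three steps can be hardened: the location is restricted to plain relative path components, the filename to a bare name with an image extension, and the final path is checked to still lie under the usercontent folder. The base directory, the allowed extensions and the sample inputs are assumptions chosen for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Basename qw(basename);

# Hypothetical hardened version of the upload path construction.
# Returns the resolved target path, or undef when the requested
# location or filename would escape the usercontent folder.
sub safe_upload_path {
    my ($usercontent_folder, $location, $filename) = @_;

    # location must be relative and consist only of plain components;
    # '.' and '..' are rejected outright instead of being "cleaned".
    return if !defined $location || $location =~ m{^/};
    for my $part (split m{/+}, $location) {
        next if $part eq '';                      # tolerate 'backgrounds/'
        return if $part eq '.' || $part eq '..';
        return if $part !~ /^[A-Za-z0-9_-]+$/;
    }

    # filename must be a bare name (no directory part) with an
    # assumed set of allowed image extensions.
    return if !defined $filename || basename($filename) ne $filename;
    return if $filename !~ /^[A-Za-z0-9_.-]+\.(?:png|jpe?g|gif)$/i;

    my $folder      = File::Spec->catdir($usercontent_folder, $location);
    my $newlocation = File::Spec->catfile($folder, $filename);

    # Belt and braces: the canonical result must still start with the base.
    my $base = File::Spec->canonpath($usercontent_folder);
    return if index(File::Spec->canonpath($newlocation), "$base/") != 0;
    return $newlocation;
}

# Constructed inputs mirroring the two requests described in the advisory.
my $base = '/var/lib/thruk/usercontent';    # assumed base directory
for my $loc ('backgrounds/', 'backgrounds/../../../../tmp/') {
    my $target = safe_upload_path($base, $loc, 'bg.png');
    printf "%-32s => %s\n", $loc, defined $target ? $target : 'REJECTED';
}
```

The first request resolves to a file under backgrounds/, while the traversal request is rejected before any file is moved; the move() call from the original flow would only ever see a path that passed this check.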
PoC
- Go to the form where we can upload an image that will be used as background for a Dashboard.
- Select any file with the allowed extensions and intercept the request with Burp Suite.
- Modify the location parameter, which is the backgrounds/ string, and replace it with something like backgrounds/../../../../tmp/
- You will receive a message that the file was uploaded successfully.
- Check your /tmp/ folder and verify the presence of the file.
As part of the PoC, I decided to include the following screenshots.
In the first screenshot I included the normal request where a file will be uploaded to a folder where the current user does not have any write permissions, and I received an error message.
In the second screenshot I included the manipulated request where the path traversal vulnerability is being exploited to upload the file to the /tmp/ folder; as you can see, I received a success message.
Impact
A Path Traversal vulnerability allows an attacker to upload arbitrary files to the server. The attacker can overwrite existing files on the system and cause a defacement (replacing legitimate images on the web server), or simply upload random files until the disk is full, affecting the availability and correct operation of the platform.
It is well known that, in certain cases, a Path Traversal vulnerability can allow an attacker to upload a webshell and gain Remote Code Execution (RCE) on the affected host, which could lead to a complete system takeover.
This vulnerability affects all versions of Thruk, including the most recently published one (3.06), so the impact is larger because it affects every instance of Thruk around the world.
Timeline
- 2023-05-25: This vulnerability was identified by Galoget Latorre.
- 2023-06-02: Initial contact with maintainer via GitHub Security Advisory including vulnerability details and Proof of Concept (PoC).
- 2023-06-05: CVE-2023-34096 is assigned.
- 2023-06-06: Maintainer releases a patch with version 3.06-2, see Thruk's Changelog.
- 2023-06-08: GitHub Security Advisory is released by maintainer.
- 2023-06-08: Security advisory (author's blog post) is released by Galoget Latorre.
- 2023-06-08: Exploit PoC is released by Galoget Latorre.
- 2023-06-09: Exploit PoC is shared by Exploit Database (Exploit-DB).
- 2023-06-09: Exploit PoC is shared by Packet Storm Security.
References: